In this policy, A1 Sicherheit refers to the security solutions provided by A1 Telekom Austria with support of F-Secure Corporation through the A1 Sicherheit app to protect computers, tablets, and smartphones. Depending on your subscription, this service can include endpoint protection, Virtual Private Network (VPN), password management , as well as a management portal to help you better manage your licenses across your devices and those of your family members.

The applicable sections of this policy therefore depend on the components To summarize privacy in this service:
 

• we ask for your name, email address, and/or phone number;
• we analyze and secure, but do not read, share, or sell any of your traffic;
• the focus of data collection is not on you, but on your device and our service; and
• the portal provides limited visibility among those who share the same subscription.

In full:

This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular 1) the type of personal and private data that the service collects, 2) what we use it for, 3) our justification, 4) typical disclosures, and 5) for how long we store it. More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links.
 

What do we collect and what is it used for?

Customer relationship data

The service collects a varying set of data depending on where you download or purchase the service.

Application stores: number of purchased licenses; purchase history for A1 Sicherheit products; price and time of purchase; order number; technical environment (e.g. operating system) of your device; unique identifiers (e.g. Android marketing identifier); service statistics per device; other similar non-sensitive device and service data.

Operator partner: If you have subscribed to the service via your operator, the data set we collect varies per operator partner, but is limited to the above data. We also exchange some such data as explained below under “Transfers and disclosures”.

Support: In cases where we provide you with personal support services, we may need to ask you for additional information.

Location data: You can use the service portal to locate your misplaced devices. In such cases, the location data is processed for your use only for a limited amount of time, after which we will either delete it or make it anonymous. The location data of past queries is only stored for those queries that are visible in the service. A user can only locate their own device or the devices of their children when using Family Rules, not other registered users’ devices.

When you query your device location using a third-party map service, the provider of the location data utilizes such data based on its own terms, privacy statements, and laws applicable to it. On the publication date of this policy, we are using Google Maps to show the location of your queried device and Google privacy policies apply to such use. The data is not accessible to other third parties and it is not used for any other value-added services.

Customer relationship data is used to:
 

• deliver the services to you (including identifying authorized users and managing licenses);
• enable the use of parental controls, such as viewing and restricting installed applications;
• provide help and support to you;
• maintain, develop, and enhance the services and your customer experience and do troubleshooting and performance measurement;
• improve the functionality of the services and related websites;
• track the services that you have bought and used so that we can manage your customer relationship and communicate with you;

Technical user data

The service automatically collects the following data about you, your device, and the service:
 

• language;
• device model, name, operating system, and version, as well as unique identifiers, including your mobile device’s IMEI and MSISDN code;
• device location for location-based services, if the user needs to locate their device;
• service statistics per device, e.g. how many times the user has locked or unlocked the device or what kind of setting profiles the user has enabled or created;
• installed application names (if app control is supported by the device and is enabled);
• other substantially similar device and service data.

This data is used to:
 

• deliver the services to you (including identifying authorized users and managing licenses);
• enable the use of parental controls, such as viewing and restricting installed applications;
• provide help and support to you;
• maintain, develop, and enhance the services and your customer experience and do troubleshooting and performance measurement;
• improve the functionality of the services and related websites;
• track the services that you have bought and used so that we can manage your customer relationship and communicate with you;

VPN feature

In addition, the VPN feature collects online communications information. Our guiding principle is that we do not seek to spy on the exact content of
your private communications. We only analyze your communications traffic to provide you the service and to keep your data transfers clean. To be more exact, this means that:

• we need to process some metadata (such as volume, country, IP address) of your traffic when providing the service to you;
• as an information security company, we analyze the traffic for suspicious or malicious files and destinations (i.e. URLs);
• we filter traffic based on Family Rules, which you can take into use in the application;
• we automatically screen the traffic to inhibit usage that is against our acceptable use policy; and
• the service collects statistics to give you a view of your browsing history via the service. F-Secure is not able to identify you based on this data

Service provisioning logging: When the service is taken into use or a license is modified at later stages of the lifecycle, the provisioning log data is collected. This is done in order to enable and diagnose successful provisioning to authorized devices, detect abuse of the service, and as a precaution for disaster recovery in case it is needed. This log contains the IP address of the client, a random device ID generated by the service, the time of access, the country code obtained via a GeoIP lookup of the client IP address, and other similar technical device data.

We do not keep any logs about connections established through the VPN service to external addresses. We cannot link the IP address of your browsing destination to you.

To protect the service against fraudulent use, we maintain temporary logs that contain the duration of the VPN sessions, the amount of data transferred, the device ID, public IP address, and host name from where the VPN client connects to our service. Traffic anomalies that look like a potential abuse of our service (such as port scanning, spamming, or DDoS attacks) are detected by our service and will be logged as well. The logs are stored for 90 days, and can be used to deal with any misuse of our service or attacks against F-Secure.
 

Password vault

In addition to the above, the password vault collect service statistics per device; for example, how many times the user has used the service, as well as the license creation time, the number of purchased licenses, and the types of services that each user has subscribed to, the devices connected to the service, as well as the unique device identifiers.

Password vault consist of a password manager and — depending on your subscription features.

• F-Secure provides you with an encrypted password vault;

Personal identifiers: When the identity of the service user is managed by A1 Sicherheit, we ask for the following information about you and other users: name, username, email address and phone number.

Stored passwords and other personal data in the password vault. Your passwords and other information, such as credit and debit card details and personal notes, are stored on servers hosted by our partner F-Secure and locally on your client devices in an encrypted format. The encryption key is the end-user master password, and this master password is never exposed outside the service on your device. It is also not possible to acquire a hosted password file without an authenticated client belonging to the user. In summary, in their stored format, the files hosted by F-Secure are not decryptable or identifiable in terms of who they belong to.

A1 Sicherheit account information is not linked to any of the password data managed by the service.
 

Security data

The service sends queries on potential malicious activities or protected devices and networks to F-Secure Security Cloud. F-Secure Security Cloud is a cloud-based system for cyber threat analysis that is operated by F-Secure. With the Security Cloud, A1 Sicherheit can maintain an up-to-date overview of the global threat landscape and protect our customers against new threats the moment they are first found. While we limit the processing of any information that could be considered sensitive by our users, we collect the minimum amount of user and organization information for the purpose of providing high quality protection to our users. The collected data may contain:
 

• Files that are blocked by A1 Sicherheit for a security reason, and related metadata. The metadata includes for example file hash, file name and file path. We need to analyze files and emails for malicious content and behaviors for your protection. Files are processed in a safe environment to catch harmful behaviors. Collection of this data helps A1 Sicherheit to keep a global threat situation map that allows reacting quickly to new threats.
• Web addresses that you have tried to visit but have been blocked by A1 Sicherheit for a security reason or which exhibit potentially malicious behavior, and related metadata. The metadata includes for example response headers. A site may get blocked based on selected protection preferences and parental control reasons. The collected information also allows protection against phishing and ransomware attacks.

Legal grounds

A1 Sicherheit processes your data so that we can provide you with our services that you have made a contract for or are in the process of doing so.

In the case of data that is not strictly necessary to provide you with the services — but would help A1 Sicherheit in providing you with better services in the long run — we collect such data only with your consent.

The service user interface may also provide you with other settings to adjust your preferences.
 

Learn more

This section gives you a more comprehensive explanation of the legal grounds based on which we process personal data. This complements the exact service-specific legal grounds on which our personal data processing relies for the respective activity.
 

Client relationship data

By using our services, you are our client. To interact with you and to provide our services to our clients, we must process some data on you. Such processing typically occurs when you communicate with us or our business partners relating to our services, install and use our services, fill out a form or survey, register to use our services, register your email address with us, or send us email.

Since we need the data to pursue the above legitimate activities, we have a right to process relevant personal data. This right typically takes place in the form of “contract performance”, “legitimate interest”, or “consent”.
 

Service data and security data

We need to automatically collect and process relevant data for our services to work, to enhance them, and to provide them to you. The data is processed to:

1. provide A1 Sicherheit services to secure our customers’ networks and devices as well as the confidentiality and availability of the data therein;

2. enable A1 Sicherheit to detect emerging threats and security-relevant trends among all of its customers, so that our services can keep on par with evolving threats;

3. enable A1 Sicherheit to provide a centralized security service framework across multiple continents to a large number of customers and partners.

The data processing by the services is mandatory for the efficient protection of the device/network and a prerequisite for A1 Sicherheit capability to provide its contracted services. As such processing is inseparable from the services that we provide to you, this gives us a valid need to process your data and a justification to do so.

For consumer products, this right takes place in the form of “contract performance”. In some cases, processing may take place in the form of “legitimate interest” and we may also have a “legal obligation” to process data for specified purposes.
 

Analytics data

We also reuse the above service data and security data for data analytics purposes, based on the legal grounds established above. Data analytics are an integral part of our service delivery, as nearly all A1 Sicherheit services are dependent on our infrastructure to properly operate. Our data analytics enables us to direct that infrastructure to support your use of the services.

Where our services collect data that is only needed for the purpose of gaining more insight on how people use the services or how to serve you better, but is not necessary for providing our services, we do so only with your separate consent. You also have the right to withdraw your consent later, should you wish to do so. The legal grounds for data that is solely collected for analytics purposes is thus “consent”.
 

Secondary uses

In addition to above primary legal grounds for data collection, we may also need to use and/or continue to store data i) to meet a “legal obligation” to process data for specified purposes, or ii) under the grounds of “legitimate interest”. For an example list of situations where we may resort to such justifications, see the “Other disclosures” section.
 

General

We consider you a client of A1 Sicherheit, not a client of the individual service. Hence, data collected by different services and interactions (e.g. contacting support) are combined to your A1 Sicherheit account. However, we do not aggregate data against our specific privacy promises (for example, we maintain a hands-off approach to your traffic inside our VPN service).
 

Transfers and disclosures

Commercial transfers and disclosures: A1 Sicherheit is a product of A1 Telekom Austria and F-Secure Corporation. On the basis of this partnership, A1 Telekom Austria takes over some of the activities listed above. We also exchange with the partner such above listed data (e.g. status of your subscription, installation success, service in active use, data collected for resolving a technical support case) as is necessary and proportional. We do the above exchanges to provide you with a smooth customer experience and support services, and to communicate with you in a consistent manner. We do not sell or disclose your VPN data to any third parties unless we are required under law.

Criminal investigations: A1 Sicherheit respects lawful warrants and court orders of the jurisdictions applicable to us. We provide information to the authorities when it is required of us under law, but not otherwise. Such occurrences include investigations and prosecutions of serious crimes and other qualified illegal activities. After all, our goal is to secure your privacy when browsing the web, not securing your anonymity when committing crimes. We carefully review the lawfulness of each request and ensure that our users’ constitutional rights to privacy are protected.
 

Learn more:

Sales and delivery

F-Secure exchange (both disclose and receive) some of your personal data with A1 Telekom Austria, who market, distribute, administer, and support A1 Sicherheit. The logic of this data sharing is to provide a seamless customer experience. This includes activities such as customer management, service support, incident management and problem resolution, direct marketing, and invoicing.

A1 Security is sold as a product by A1 Telekom Austria. Our partner F-Secure and A1 Telekom Austria process personal data in compliance with data protection guidelines and laws. . Each such entity is by default independently responsible for its own treatment of personal data, for its own purposes.
 

Subcontracting

We may transfer or disclose some of your personal data to our partners F-Secure group companies and our subcontractors who help us create the services.

Where our clients’ personal data needs to be transferred or disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services (for example, to solve a support case, to send it to logistics partners for product delivery, or to send marketing mails on our behalf). We require our subcontractors to process data pertaining to you in a manner that is consistent with our statements herein.
 

International transfers

Our partner F-Secure operates globally. Consequently, some affiliates, subcontractors, distributors, and partners are located in multiple countries, including outside the European Economic Area to ensure the global reach and availability of our services. Depending on the scope of your interactions with F-Secure, your personal information may be stored in or accessed from multiple countries. The locations of F-Secure affiliates can be viewed from F-Secure’s public web pages.

When we transfer personal data to other jurisdictions, including outside the European Economic Area, we secure such transfers of personal data according to the requirements of the law. We do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and F-Secure group companies, for example by using data transfer clauses that are approved by the European Union — the fixed content of such clauses is available here.

We only do global or cross-border data transfers for a good reason and after assessing the resulting privacy risk.

We store more sensitive customer data within Finland or the European Economic Area and keep it under our own control.
 

Other uses and disclosures

There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated by applicable laws to disclose information without acquiring your consent or independent of service provisioning.

One example includes complying with a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information.

Similarly, there may be other circumstances where there is a justifiable legitimate interest to disclose limited sets of information to a third party. Examples of such disclosures include cases where we need to protect ourselves against liability or to prevent fraudulent activity, where we analyze your use of our products to ensure that our products are working the way you would expect them to and that we are able to react to adverse experiences, where it is necessary to solve or contain an ongoing problem, or where we need to meet the legitimate information requirements of our insurers or governmental regulatory agencies. In any such action, we will act according to the applicable laws.

We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of F-Secure, where the information is provided to the new controlling entity in the regular course of business. F-Secure group discloses and transfers data internally as required by our then current operational model. We do, however, limit the disclosures internally to only those group companies, units, teams, and individuals who have a need to know such information for the intended purposes of processing it.

We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.
 

Retention

 

VPN feature

Learn more

 

• grace periods and backups (e.g. keeping your personal data stored for a designated time after the end of your subscription, so that we can safeguard the data against erroneous deletion);
• applicable laws require us to store the data (e.g. to keep track of the purchase and payment of our services);
• to pursue available remedies or to limit any damages that we may sustain (e.g. due to an ongoing dispute or investigation);
• to solve or contain a recurring problem or to have enough information to respond to future issues (e.g. your support ticket related to a problem that was not permanently corrected during your customership);
• to prevent fraudulent activity (e.g. to enforce a ban on our community);
• your personal data is incorporated to other data for a secondary purpose (e.g. retaining logs);
• other similar circumstances, where there continues to be a legitimate need for the ongoing storage of personal data.

The final removal of your account may be delayed to avoid disturbing the other interactions you have with us.

If A1 Sicherheit is terminated, the account will be deleted by A1 Telekom Austria and our partner. This removal leads to the deletion or anonymization of any personal data related to the account.

If we have received your information when providing you with technical support, the information is stored as long as the respective support case remains unsolved. Once solved, the information is gradually deleted or anonymized within two years from closing the case.

Analytics data collected with the user’s consent is retained for statistical purposes and is not deleted on removal of personal data and the user account. After termination of the account, analytics data cannot be linked to any personally identifiable user.

Data that does not contain personal data (e.g. aggregate analytical data) is retained as long as such data continues to be useful for the purpose it was collected.
 

Analytics

For us to learn when and how you use our service, to enhance it, and to learn how customers find out about the service, the service collects data on installation success, installation and activation paths, performance, operation environment, connections, used features, etc. We do this so that we can create services that are of value to you and our other customers.

To respect our own core privacy promise, your actual communications traffic is not used as a basis for analytics.
 

Learn more

This section outlines our general practices for the collection and processing of data for analytics purposes.

When speaking about A1 Sicherheit data analytics, it comprises both reused service data, reused security data, and the data that is collected for analytics purposes to begin with.

We want to give you a more personal customer experience and provide you with even better services in the future. For that we need to track usage patterns and create customer segments. For example, what features are used most, where the service fails, what needs fixing, and how you found out about our services.

What we collect. The data that we process for the purposes of data analytics include things like device identifier and relations between devices / users / user groups, operation environment, service operation time, license type (trial or paid version), device metrics (such as phone model and operating system, language), partial IP address, service errors, problematic files and URLs, service performance data, how you interact with our services (such as which features are used and how often), the domain name from which you connect to the service, elements clicked, timestamps, regional location, effectiveness of our in-service messaging, service activation (such as tracking that you have received the related messages and that installation was successful), installation and activation paths, service performance, connections, data routing, quota, and other similar data.

On a practical level, when we ask for your consent in our services’ user interface, it controls whether the following data is sent: i) additional data, like which features are used and how often, and service metrics, and ii) the number of attributes sent in a given data set.

Opting out. We really appreciate your help in improving our services. However, if you want to minimize all data traffic towards A1 Sicherheit, we respect that. Those of our services that employ additional analytics give you the choice on whether to contribute. You can opt out at any time from the subsequent collection of analytical data that is non-essential to our service provisioning.

If you have opted out from all analytics data collection, our messaging directed to you will be based only on the service data collection (the data that we collect in any case to provide you with the services) and some of our messaging is likely to be less relevant.

If you oppose all collection of data from your online life (including our websites), the more wholesale method for preventing online advertisers from profiling your mobile device usage is to reset the advertising identifier from time to time and to turn on the do-not-track setting in your device settings.

Analytics data retention. In our data analytics activities, we combine analytics data with the service data. The resulting combined data set then continues to be processed based on a “legitimate interest”. The previously collected analytical data is retained as part of the service statistics, as its retroactive removal would break the statistics. When you cease subscribing to our services (i.e. your account is deleted), the analytical data related to your service use will be reverted to anonymous data, and we are no longer able to associate it with you.

Data exchange. Because of the technical environment (that is, the internet, the app store ecosystem, and social media), we are not able to do all of the collection and activities related to data analytics ourselves. We have to exchange some data (such as “Android marketing identifier” and other like identifiers) with our online analytics and marketing partners to enable our digital analytics and marketing activities. The vast majority of the data that we have on you is not shared with others.

Some of our subcontractors who provide us with analytical capabilities for our products may also create and publish aggregate reports on the data that they have collected. In such cases, the statistics and aggregate reports do not contain any data that could be linked to any individual person.

We do not sacrifice your privacy. Where we differ from most companies doing this is in that we understand how the ecosystem works and go through great pains to select our few partners with care, removing all data that is not absolutely necessary for the
above purpose. You can naturally opt out from the collection of analytics data at any time via the service settings.

When we process the data for analytical or statistical purposes, we pseudonymize the data. In other words, our data analysts do not know the individual to which a specific data set refers to. The pseudonymization is only reversed in specified use cases. For example, when we communicate with you, we connect the results — not the full data — of our data analytics to your email address. Another example is that we may use the data to resolve issues you may have with our product, when providing you with technical support services.

We also limit such added analytics only to the surface of our services and keep them at arm’s length from the core privacy areas of our services. For example, we do not have any external analytics to our partner Security Cloud or in the traffic inside our VPN service.
 

Data protection compliancy notice

We always apply strict security measures to protect the confidentiality and integrity of your personal data.

Device administrator rights are required for the application to perform, and A1 Sicherheit is using the respective permissions in full accordance with Google Play or Apple app store policies and with the active consent of the user. Device administrator permissions are used for the parental control features, in particular:
 

• To prevent children from removing the application without parental guidance
• Browsing protection

Security

Information on the security practices that we employ to keep your data secure.
 

Learn more

We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.

We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.

All personal data is stored on secure servers operated by F-Secure or our partners with access limited to authorized personnel only.