Lookout Life by F‑Secure privacy notice

May 2024

1. Introduction

This document is our Lookout Life by F‑Secure privacy notice, which describes what information we collect from you when you use the Lookout Life by F‑Secure application (the “App”) and how we use that information. It is important that you read the notice along with the F‑Secure terms of service because both apply to your use of the App. Any information that is collected from you by F‑Secure other than through the use of the App will be subject to a different privacy notice.

This notice may be revised to keep pace with changes in our products and services and laws applicable to F‑Secure and you. If we make material changes to this notice, then we will notify you. If you do not wish your information to be subject to the revised notice, you will need to close your account.

This notice can be accessed from the App login screen, from the settings in the App, and from our company’s website.

2. Information we collect

F‑Secure offers multiple tiers within the App. Each tier offers increased access to F‑Secure security features. Information required to provide these services may vary and are listed in this document to help you understand what information we collect directly from you, from your device and how we use this information. Details regarding product features for the App for iOS and Android devices can be found here and here.

a. Categories of information

F‑Secure, or F‑Secure’s partners, may collect the following categories of information from you in the course of using the App:

  • Registration data, including an email address and password.

  • Device data, such as equipment identifier (e.g., mobile phone number, device type and manufacturer, operating system type and version, wireless carrier/operator, network type, country of origin, Wi‑Fi network SSID, Internet Protocol (“IP”) address, and the dates and times of your requests.

  • Application data, including metadata of all applications installed on your mobile device (including, but not limited to, the names of the apps and the versions of the apps), and in certain circumstances, we may also collect a copy of part or entire copies of application files on your device if we encounter an application that we have not previously analyzed. This data is pseudonymized and is maintained in aggregate to ensure an individual cannot be identified from other customers. We may also collect information about how applications behave on your device (e.g., whether an application is sending premium-rate text messages that may charge money to your phone bill) and the network services with which your applications communicate.

  • Location data. Some features we offer work better if we can locate your mobile device. With your consent, which is provided during initial registration, F-Secure may collect location information in two ways. We may receive it directly from your mobile device, or, in some situations, we may infer location data from cell tower or Wi‑Fi hotspot information. We may use third-party service providers to translate that information into usable location information. To prevent location data from being shared go to your mobile device settings and turn off location services, but doing so may affect the features that F-Secure can provide. 

  • Theft Alerts data, including location data and a picture that is taken when the Theft Alerts feature is activated.

  • Payment data, including your credit card number, expiration date, security code and other applicable billing information, including your zip code, may be collected directly by F‑Secure’s partners if you have purchased the Premium and Premium Plus versions of the application.

  • Web content data, including URLs and domains for malicious content and content that needs additional analysis to determine if those URLs are unsafe (e.g., if the URLs contain phishing attacks or malware). F‑Secure does not collect browsing history.

  • Identity Theft Protection data, which you have the option to provide if you purchased F‑Secure Premium Plus, including private information (such as a driver's license number, social security number, passport number, or other identification number), financial information (such as a bank account, debit and credit card numbers), medical insurance number, and other data about you, including name and title (or other people you enroll in the service), may be collected directly by F‑Secure’s partner, CSIdentity (now part of Experian).

  • Analytics data, including third party tools such as Mixpanel, Braze, and mParticle to help us analyze and aggregate data regarding your use of the App. We encourage you to read the Mixpanel privacy policy, Braze privacy policy, and mParticle privacy policy.

Given that product features will vary by tier, F‑Secure may collect different types of information based on the tier you are using as described further below.

b. Information F‑Secure collects for the F‑Secure basic app

  • Registration data. To create an account, you must provide an email address and a password.

  • Device data. When you use the App, our servers record certain information about your mobile device as described in section 2a above.

  • Application data. When you use the App, we collect application files and download a copy of part or entire copies of application files on your device if we encounter an application that we have not previously analyzed as described in section 2a above. For clarity, F‑Secure does not collect user data you enter into those applications. Because F‑Secure does not collect any user data you enter into the applications on your mobile device, F‑Secure does not collect, read, review, or scan your emails, or text messages. F‑Secure does not collect your photos, or videos, but may scan such files locally on the device to protect you from certain threats that hide inside photo or video files.

  • Location data. If activated, F‑Secure’s Missing Device feature, including the ability to Locate and Scream your device remotely, uses location data to help you locate your phone near its last known location if you lose it and its battery dies. Additionally, if you have Signal Flare enabled, this feature collects location data and sends it back to F‑Secure when your battery is running low.

c. Information F‑Secure collects for the F‑Secure Premium app 

F‑Secure collects the same information stated in the F‑Secure basic app, but in addition to this information, F‑Secure’s partner will also collect payment data directly from you to allow you to access premium features, web content data to use the Safe Browsing feature, and Theft Alerts data to provide the Theft Alerts feature as described below.  

  • Payment data. If you purchase a Premium or Premium Plus App subscription directly from us, we use a third-party payment processor to collect payment data. Our third-party vendor will use this information to bill you for services. F‑Secure will have information regarding your Premium and/or Premium Plus account. This information will include the amount you paid, and the method of payment. We will not have your credit card, bank information or zip code; this information remains with the third-party payment processor. If you purchase the App from an app store or through your carrier plan your payment information will be managed by that app store or carrier. Payment does not go to F‑Secure. Your payment could be processed in various ways. In order to provide our services to you, the app store will send F‑Secure confirmation of your purchase. Carriers may share your phone number, subscriber ID, SKU and other non-financial information. The app store and your carrier will not share credit card or billing data. For additional information, please refer to your app store or carrier’s payment processing policies and procedures.

  • Web content data. To provide the Safe Browsing service, F‑Secure uses web content data. If you do not want us to record the unsafe URLs you visit, you may turn Safe Browsing off; all other F‑Secure features will continue to function.

  • Theft Alerts data. When Theft Alerts is activated a photo is taken. The picture and location data (GPS location) are stored briefly on our servers so we can send you an email with the picture and a map of your device’s location. The picture is then deleted from our server. We send the email to the address associated with your account so remember to keep your email address up to date in your account settings.

d. Information F‑Secure collects for the F‑Secure Premium Plus app

F‑Secure collects the same information stated in the Premium app, but in addition to this information, F‑Secure’s partner will also collect Identity Theft Protection data from you.  

  • Identity Theft Protection data. When you use the Identity Theft Protection feature you may input the Identity Theft Protection data described above for the purposes of enrolling in certain identity protection monitoring services provided by our third-party partner, CSIdentity (now part of Experian). The information that CSIdentity collects and stores about you will depend on the information you have inputted within the App. CSIdentity may need to communicate your Identity Theft Protection Data to third party service providers (such as identification verification companies, consumer reporting agencies, credit bureaus, payment validation companies, law enforcement agencies, and others) in order to provide those services to you.

e. Information F‑Secure collects from third-party sources

F-Secure receives analytics data from third parties as described above.

3. How we use your information

When we collect your information, we store it and associate it with your account unless otherwise noted. Please note that we need certain types of information so that we can provide the services to you.  If you do not provide us with such information, or ask us to delete it, you may no longer be able to access the services. We take your privacy very seriously and will only use and disclose this information for the business and commercial purposes described in this Notice. How we use your information will vary depending on the type of data as described below:

a. Application data

We use this data to provide our services by conducting scans of application files to determine if any applications are behaving maliciously. We also pseudonymize data and aggregate the information to produce popularity of applications by region, and to perform our mobile threat analysis. This mobile threat analysis data will remain pseudonymized to ensure data privacy. Combining customer data in a secure and confidential way helps F‑Secure to better understand current security threats, and to improve the App.

b. Device data

Automatic scans of your device may occur periodically to collect details about the applications, devices and operating system files on your device.  F‑Secure will gather the results of scans performed by our services and the most current security disposition of the device. In addition, regular updates of threat definitions will be performed. These activities help to protect your mobile end point by allowing the App to detect and address threats on your mobile device. Where available, F‑Secure may use client device information to let you know you need to update your operating system. In addition to using the information you provide to us and the information we collect from your mobile endpoint device to deliver the App, we also use the information collected from your device to perform data analytics. These analytics provide important information which helps to improve the features and usability of our products. We analyze information such as how often you use the App on your mobile endpoint device, the events that occur within the App on your mobile endpoint device and where the App was downloaded onto your mobile endpoint device. We also use this information in aggregate to perform analysis on known and new mobile threats. 

c. Identity Theft Protection data

CSIdentity will use this information to verify your identity and provide you with the requested Identity Protection services. If you upgrade to a Premium Plus subscription that includes identity theft insurance, our partners will use your information to provide you with assistance and applicable insurance coverage if your identity is compromised.

d. Location data

If activated, F‑Secure’s Missing Device feature, including the ability to Locate and Scream your device remotely, uses location data to help you locate your phone near its last known location if you lose it and its battery dies. Additionally, if you have Signal Flare enabled, this feature collects location data and sends it back to F‑Secure when your battery is running low.

e. Registration data

We may use your email address to send you information about product announcements and special promotions from F‑Secure or our business partners. If you email F‑Secure for support, we may retain that information in order to provide you with support and to improve our services. We may use your email address to communicate with your device about the services, including sending privacy or security related notices and notifying you of major F‑Secure services changes.

f. Theft Alerts data

We use this information to perform the Theft Alert services.

g. Web content data

Safe Browsing is a feature designed to identify and warn you of unsafe URLs so that you can choose to avoid loading them. URLs visited are pseudonymized and sent to F‑Secure to perform security scans. We use the record of unsafe URLs you visit to provide you with notice that the URL you attempted to reach is unsafe.

4. How we disclose your information

This section describes how F‑Secure may share and disclose your information.

a. Third-party service providers and partners

We may share your information with third-party service providers of products and services integrated with our software that need to know your information to fulfill your product or service requests, support our products and services, analyze data for product performance, and product improvement purposes. For example:

  • When using the Identity Theft Protection service, your information is collected by our partner, CSIdentity (now part of Experian) to provide the service to you. CSIdentity may in turn provide your data to third parties such as identification verification companies, consumer reporting agencies, credit bureaus, payment validation companies, law enforcement agencies, and others for purposes of providing you with the services requested. CSIdentity may also provide you with monitoring and alerts and obtain information and reports about you (or about others that you have enrolled) in order to provide the Identity Protection services, including address history, name, alias and other reports. We require that CSIdentity and its service providers use data collected from you only for purposes of providing services through the F‑Secure Premium Plus product.

  • We may share your information with our resellers or other mobile operators to ensure proper delivery of your purchase and related support services and perform business-related functions.

  • We may use your information to conduct market research and engage in joint promotional activities with companies that have products that can add value to F‑Secure products or services (for example, with mobile operators).

b. Third-party payment partners

We may allow services providers to collect information directly from you to perform accounting, auditing, billing reconciliation, and collection activities.

c. To comply with law

We may disclose your information consistent with the law to, for example: (i) comply with a law, regulation, or legal process (including to meet national security or law enforcement requirements); (ii) protect the safety or security of any person, entity or facility; (iii) address potential violations of our notice; (iv) investigate fraud, security, or technical issues; or (v) protect F‑Secure’s or a third party's rights or property, our employees, users and the public. We strongly believe that you have a right to know if we are required by law to disclose your information. As such, before we disclose your information in response to a law enforcement request (for example, a subpoena or court order), we will notify you at the email listed in your account, unless (a) we are prohibited from doing so or (b) in emergency cases where notice could create a risk of injury or death, or the case involves potential harm to minors. Furthermore, nothing in this notice is meant to limit any legal defenses or objections that you may have to a third party, including the government’s, request to disclose your information.

d. During a change to F‑Secure’s business

We may also disclose your information to an actual or potential buyer (and its agents and advisers) in connection with any actual or proposed purchase, merger, or acquisition of any part of our business, provided that we inform the buyer it must use your information only for the purposes disclosed in this notice.

e. Pseudonymized and aggregated data

For data analysis we pseudonymize, aggregate and summarize data that may include some of your data. We may share reports resulting from this data analysis publicly, in order to help others understand mobile threats and gain insights into particular mobile application behavior.

f. With consent

We may also disclose your information to third parties when we have your consent to do so.

5. Your choices

a. You can access and update your settings

You may update the settings of your Lookout Life by F-Secure account via the “Settings” page on our mobile application, or by logging in via our website at personal.lookout.com, to modify certain settings that affect what data is shared with us. To protect your privacy and security, we require your username and password in order to verify your identity before granting you access or making changes to your account.

b. Email opt-outs

You may opt out of receiving promotional communications from F‑Secure by using the unsubscribe link within each email. Although opt-out requests are usually processed immediately, please allow ten (10) business days for a removal request to be processed. Even after you opt out from receiving promotional messages from us, you will continue to receive transactional and product-related messages from us regarding F‑Secure services. You can opt out of some of these notification messages in your account settings.

6. Data retention

F‑Secure will retain your information, including your personal data (as that term is defined by the GDPR), only as long as reasonably necessary to provide our products and services to you or as otherwise required for legal compliance purposes.

7. Security

a. F‑Secure’s responsibilities

F‑Secure is a security company, and securing your data is important to us. F‑Secure uses commercially reasonable physical, managerial, and technical safeguards to ensure appropriate technical and organizational measures appropriate to the risk of processing your information. For example, we use a combination of firewalls, authentication, physical security, and other safeguards to protect your account and your data. When you enter sensitive information (such as location data) within the App we encrypt that information while in transit and at rest using secure socket layer technology (SSL). We also perform third-party penetration tests to harden our systems from attack. F‑Secure takes every reasonable effort to implement controls to protect against complex technological threats and other criminal threats, as well as to guard against negligent employees.  

Because no method of transmission over the Internet or method of electronic storage is 100% secure, we cannot ensure or warrant the security of any information, data or content that F‑Secure receives on your behalf to operate the F‑Secure services, or that you transmit to F‑Secure. All such receipt or transmission of your information is provided under your own free will and at your own risk. We cannot guarantee that such information will not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.

If F‑Secure learns of a security breach that may affect you, we will attempt to notify you electronically so that you can take appropriate protective steps. F‑Secure will also post a notice on the App if a security breach occurs. Depending on where you live, you may have a legal right to receive notice of a security breach in writing. 

b. Your responsibilities

You are responsible for maintaining the secrecy of your password at all times. We recommend a strong password that you do not use with other services. If you believe your password has been compromised, please change your password immediately via the F‑Secure website, or contact us at support@lookout.com for assistance. You are responsible for ensuring that the email address associated with your account is accurate. We use that email to contact you about service updates, changes to our policies, and account activities such as requests for your information or locate attempts on your device. F‑Secure is not responsible for information transmitted to a third party as a result of a user’s providing an incorrect email address.

8. Users under 16

F-Secure does not knowingly collect or store any personal data about children under the age of 16 unless they are part of a multiple-device plan purchased by a parent who consents to such collection and storage as described in the Lookout Life by F‑Secure terms of service. If you believe a child is using this service without parental consent, please contact us at privacy@f-secure.com.

9. International data transfers

F‑Secure, Inc. is a US-based company with servers housed in the United States. Personal data collected from users outside the United States is transferred to the United States. If you are using the App from outside the United States your information may be transferred to, stored, and processed in the United States where our servers are located and our databases are operated. 

10. Additional terms for California residents

a. Personal information

In accordance with the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act (collectively, “Applicable State Laws”), below is a list of the categories of Personal Information (as that term is defined by the CCPA) that we collect through the App, the categories of sources we collect them from, the commercial purpose for which the information was collected, and the categories of third parties with which we share the Personal Information. The information listed in the chart below is accurate of the preceding 12 months.

Categories of personal information

Categories of sources

Commercial purpose

Categories of entities that we sell, share, or disclose personal information to for a business purpose

Identifiers, including email address, IP address, Wi‑Fi SSID and other device identifiers

Consumer

Provide service, improve service, customer service, analytics

Data analytics providers, service providers, and contractors

Identity Theft Protection identifiers, including SSN, driver’s license number, credit card, bank account numbers, zip code*

Consumer

Provide service

Service providers, and contractors

Geolocation data

Consumer

Provide service

Service providers, and contractors

Information regarding a consumer’s interaction with websites or applications

Consumer

Provide service

Service providers, and contractors

*All Identity Theft Protection identifiers are inputted directly by the consumer, are stored by F‑Secure’s third party service provider, CSID (now part of Experian), and used solely for the purposes of providing the services.

b. Your rights

In accordance with applicable state laws, and subject to exceptions, residents of certain states have the following rights:

  • Access. You have the right to request that F‑Secure disclose and deliver the categories of personal information F‑Secure has collected about you, or the specific pieces of personal information the business has collected about you;

  • Deletion. You have the right to request the deletion of your personal information in certain situations, subject to certain exceptions outlined in the law;

  • Correction. You have the right to correct or amend the personal information we have on file about you;

  • Non-discrimination. You have the right to not be discriminated against, including but not limited to the right not to be charged a different price for the services or denying you access to the services, on the basis of your decision to exercise any of your rights in this section. We will not discriminate against you for exercising any of your rights under applicable state laws.

  • Opt-out. F‑Secure does not sell or share any personal information of its users of the App, so this right is not applicable to you.

  • Limit use of sensitive personal information. F‑Secure does not process your sensitive personal information (as that term is defined under the CCPA) for any purposes beyond those permitted in Section 7027(m) of the CCPA regulations, so this right is not applicable to you.

You may exercise your rights to access your information or to delete your information by contacting us at support@lookout.com or via FSecure customer support. As stated above in Section 5a, to protect your privacy and security, we require you to verify your identity by logging into your account with your username and password before granting your request to access or delete your personal Information. If we cannot verify your identity, then we shall not disclose any specific pieces of personal Information in response to an access request, and we shall deny your request to delete personal Information in response to a deletion request. For requests to delete your information, F‑Secure shall use a two-step process where you must first, clearly submit the request to delete and then second, separately confirm that you want your personal Information deleted. As a resident of California, Colorado or Connecticut, you may have an authorized agent make an access or deletion request on your behalf, provided that the authorized agent has your written permission, and you are able to verify your own identity directly with F‑Secure. If you have a disability that prevents or limits your ability to access this privacy notice, please email us at privacy@f-secure.com. We will work with you to provide it in an alternative format.

11. Additional terms for European Economic Area (“EEA”) residents

a. Legal basis for processing

If you are a visitor from the EEA, F‑Secure is the data controller of your personal data (as that term is defined in the General Data Protection Regulation (“GDPR”)). The legal basis for collecting and using your personal data as set out in this notice will depend on the personal data concerned and the specific context in which we collect it. However, we will normally collect personal data from you only where:  (a) use of your personal data is necessary to perform our obligations under any contract with you (for example, to comply with the terms of service which you accept by downloading and using the App); or (b) use of your personal data is necessary for our legitimate interests or the legitimate interests of others (for example, to ensure the security of the App, operate and market the App, ensure safe environments for our personnel and others, and prevent fraud); or (c) we have your consent to do so (such as for some of our marketing activities). Some processing is done to comply with applicable law. 

b. Data transfers

To provide this service, F‑Secure stores and processes personal data in the U.S. When we transfer personal data which originates in the European Economic Area, Switzerland, and/or the United Kingdom to a country that has not been found to provide an adequate level of protection under applicable data protection laws, we rely on the Data Privacy Framework (see additional information on the Data Privacy Framework below), the UK International Data Transfer Agreement/Addendum or EU Standard Contractual Clauses to safeguard the transfer.

F‑Secure complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) as set forth by the U.S. Department of Commerce. F‑Secure has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit the Data Privacy Framework website.

In compliance with the EU-U.S. DPF, F‑Secure commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgement of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit jamsadr.com/submit for more information or to file a complaint. The services of JAMS are provided at no cost to you. If you have a complaint that we have violated the DPF Principles that has not been resolved by other means, you may have the ability to invoke binding arbitration following the procedure explained on the DPF website. Please note that F‑Secure is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

In some cases, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. 

If we transfer your personal data onward to a third party, we remain liable under the DPF Principles if the data is processed in a manner inconsistent with the DPF Principles.

For more information about the safeguards we use for international transfers of your personal information, please contact us as set forth below.

12. Data subject rights

If you are a resident of the United Kingdom, EEA, or another jurisdiction with an applicable data protection law (such as Virginia, Colorado, Connecticut, and Utah), you may have certain rights in relation to your Personal Data. These rights may be subject to certain exemptions. These rights may include:

Access. You may have the right to request a copy of the personal data that we are processing about you. If you require additional copies, we may need to charge a reasonable fee;

Rectification. You may have the right to require the correction of any mistake in the personal data, whether incomplete or inaccurate, that we hold about you;

Deletion. You may have the right to require the erasure of personal data concerning you in certain situations, such as where we no longer need it or if you withdraw your consent (where applicable);

Portability. You have the right to receive the personal data concerning you that you have provided to us, in a structured, commonly used, and machine-readable format and have the right to transmit that data to a third party in certain situations;

Objection. You may have the right to (i) object at any time to the processing of your personal data for direct marketing purposes and (ii) object to our processing of your personal data where the legal ground of such processing is necessary for legitimate interests pursued by us or by a third party.

Opt-out. You may have the right to opt out of the sale or sharing of your personal data, as well as the right to opt out of the use of your personal information for targeted advertising purposes.

Restriction. You have the right to request that we restrict our processing of your personal data in certain circumstances, such as when you contest the accuracy of that personal information;

Automated decision-making and profiling. You may have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you.

Withdrawal of consent. If we rely on your consent for processing your personal data, you have the right to withdraw that consent at any time.

Lodge a complaint to a data supervisory authority. Depending on your jurisdiction, you may have the right to lodge a complaint with your local data supervisory authority if you believe we are in violation of applicable data protection law.

If you wish to exercise any of these rights, you can do so by contacting FSecure customer support. We will respond to your request in the time period required under applicable law. Please note that we may need to verify your identity prior to complying with your request. We will verify your identity and you may also designate an authorized agent to submit a request on your behalf (though we may still need to verify your identity).

13. Contact us if you have any questions or concerns

Please contact us at privacy@f-secure.com, or by postal mail at F-Secure, Inc., Attn: Majda Muhic, 100 Church Street 8th Floor, New York, NY 10007, with any questions or comments about this Notice. Residents of the EEA may also contact by sending inquiries to the attention of Miina Hiilloskivi-Knox, Legal Counsel, Tammasaarenkatu 7, 00180 Helsinki, Finland.