Introduction

This Data Protection Policy is intended to provide information on the processing of personal data in our companies. We hereby fulfill our statutory obligations under the Telemedia Act (TMG) and the EU General Data Protection Regulation (EU-GDPR, EU 2016/679), in particular Articles 13 and 14 as well as Article 26(2).

Please read this Data Protection Policy carefully and make sure that you understand it. If you have any further questions or there is something you do not understand, please contact us.

For Avira the protection of your privacy always has the highest priority. We are a leading expert in the IT security field. We protect you against malware, viruses, and other digital threats. The protection of your personal data is very important to us.

This Data Protection Policy describes how we handle data which may be directly or indirectly related to natural persons (personal data) and which hardware and software is used.

In this document we also explain how we use cookies and analysis tools throughout our websites and in our products and services.

Please note that further information may be added to our Data Protection Policy depending on the product or service concerned.

We comply with relevant privacy laws and this Data Protection Policy at all times. We only share data with others as described in these provisions.

How can you contact us?

Which Avira company is responsible for you? If you live outside the USA or Canada, the following Avira companies may be responsible – depending on the respective contract:

  • Avira Holding GmbH & Co. KG, or
  • Avira Sales GmbH & Co. KG, or
  • Avira Operations GmbH & Co.KG

all companies can be reached at the following address

  • Kaplaneiweg 1, 88069 Tettnang, Germany.

If you live in the USA or Canada, "Avira" stands for Avira, Inc., c/o WeWork 75 E, Santa Clara St. Suite 600, 6th Floor, San Jose, CA 95113, USA.

You can contact our Data Protection Officer for the entire Avira Group at:

What do we mean by certain terms?

Anonymization

By modifying the data, identification of a natural person is no longer possible.

Activity data

Data stored about the user's activities.

Analytical tools

Programs allowing analyses of user behavior.

Cloud

Use of IT infrastructures and services that are not kept locally but are hired as a service and can be accessed via a network (e.g. the internet).

Cookies

Cookies are small text files that are stored on your computer or in your browser.

GDPR

General Data Protection Regulation, revision of data protection regulations for the European Union.

Devices

A (portable) object, such as a smartphone, tablet, notebook, or PC, used to access apps or programs and information services.

IP address

An address within the computer network based on the Internet Protocol (IP). This address is assigned to the device and thus allows the device to be addressed and so accessed.

MAC address

Address of each individual network adapter.

my.avira.com

Administration area within the Avira software for registered users

Personal data

This information relates to a specific or identifiable natural, living person.

Pseudonymization

Modification of data in such a way that it is no longer possible to allocate it to a certain data subject without additional supplementary information.

Malicious software

Programs developed to cause damage to a device.

Smart

Synonymous for "intelligent, clever" devices (e. g. smartphone, smart TV, smart watch)

SSID

Freely selectable network name.

Web console

Internet based software solution for managing your account or your settings.

What personal data is processed by us?

We process different data when you install or use our products or visit our websites. This may be personal, either directly or indirectly, i.e. by involving other data sources.

Most of the data is collected in a pseudonymized or anonymized form.

This includes the following information:

Information when you visit our websites:

When you visit one of our websites, we may process information on the region you are visiting us from, information on your device, its operating system and browser, your user behavior on our site during the current session, and whether you have visited us before. For this, we use cookies (click here for further information).

Registration information:

To activate or use some of our products or services, you need to create an account („my.avira.com“). During the process of setting up your Account, we will ask you for certain personal information such as your name, email, and IP addresses, possibly supplemented by your telephone number and address details.

For mobile products, further information is added, e.g. about the device used, your provider, and the operating system.

Support inquiries:

If you contact us for support inquiries, we will store your data in connection with this particular inquiry, such as contact details, information on your hardware and software, and log data. In some cases we may ask you to provide us with additional files generated by analytical tools to handle your support inquiry.

Usage information:

When using our products and services, we collect and process personal data at various points. The respective collection and processing of personal data depends on the product used and the associated services and product features. In some cases, you may deliberately submit or provide us with files for verification. If these contain personal data, processing is carried out in accordance with the guidelines set out in this Data Protection Policy.

Here are a few examples:

Avira Connect

With Avira Connect, we provide a web console which you can use to manage your account and our software that you use. Further, we provide the option to register your smartphone, enabling you to locate it in the event of loss. To provide you with this service, we collect data on the location of your smartphone. Through Avira Connect we also manage our software that you use. For this, we store license information, the license expiration date, and the service packages you have booked.

Avira Phantom VPN

With Avira Phantom VPN we provide you with a global service for an even safer internet connection. Encrypted connections to our server locations distributed around the world let you surf anonymously and access your favorite content from anywhere. If you use Avira Phantom VPN we do not collect any data about the web pages you visit or the services you use on the internet. The information we require for our billing system only tells us when someone was online and what data volume was utilized.

Avira SafeSearch

We operate our own search engine. If you use this product we collect information on the browser type and operating system you use to perform the search, your IP address, and the type of search conducted. We store information about how you perform your search (for example, how many web searches were performed on a particular day or in a particular region). The search requests and personal data are hosted and stored on Avira servers. We work with third parties to provide you with better search results.

Avira URL Cloud

The URL Cloud feature helps identify internet addresses that are harmful to your system when you are browsing the web. URL Cloud analyzes the internet addresses you visit, to determine which internet addresses could contain malware, spam, or phishing, and warn you before opening those internet addresses. However, we remove any personally identifiable information prior to investigation. We store certain internet address data in an anonymized form and use it for debugging, statistical purposes, and to improve detection rates.

Avira Protection Cloud

For better protection against threats, our products contain features allowing us to analyze new or unknown malicious software or files from potentially hazardous sources in real time. When these features are enabled, our products use certain pre-determined rules to see whether an event on your system is caused by a virus or malware attack. If necessary, we will send a "digital fingerprint" of the unknown or suspicious data from your system to Avira for investigation in real time. In most cases, our analysis can immediately label the file as either safe or malware. Under certain circumstances the executable file may need to be sent to Avira for further analysis. In this event, files are exchanged between your computer/device and the Protection Cloud in an encrypted form. Personal files (e.g. in pdf, doc, or xls formats) or personal documents such as photos and videos are not transmitted.

Avira Home Guard

Home Guard offers you the option to detect "smart" components (such as video cameras, baby monitors, smart TVs, Wi-Fi routers, printers, media servers) within your home network and to analyze vulnerabilities. Furthermore, Home Guard will store the results to search automatically for new devices. To offer you this function, we store information on your network and the devices connected such as the MAC address, IP address, and settings of the network.

Avira Safe Things

To improve your home's safety and adapt it to deal with current threats, Safe Things by Avira is a solution which can be installed directly on your router by the network operator. This solution protects your network devices automatically against IoT threats. For this, we process information on your local network, your router, and its settings.

Avira Safe Shopping

If you use Avira Safe Shopping, it is part of our contractual obligation to present you with suitable products from other providers or other providers' conditions for the same product. Data processing is done exclusively in accordance with the performance of the contract.

Avira Software Updater

Avira Software Updater checks if your locally installed programs are up-to-date. If outdated programs are detected, Avira Software Updater notifies you about the potential safety risks or installs the respective updates automatically. Version status verification is only performed locally. No data on installed programs is sent to Avira.

Avira Password Manager

Avira Password Manager lets you safely store your passwords and synchronize them across multiple devices. Passwords are encrypted immediately after entering them. Because of the master password, Avira is unable to access your data. We use end-to-end encryption to transmit data from your devices to our servers.

Avira Identity Scanner

Avira Identity Scanner provides continuous monitoring of personal data on the web. This software protects your identity by identifying potential cyber risks which may be used for identity theft or online fraud. Furthermore, Identity Scanner will notify you about every security breach of your data. Additionally, you have the option to transfer the data to be checked to us.

Location information:

For certain features, we access the location data of your device.

Processing purposes:

We process your data, whether it can be traced back directly or indirectly to a natural person or not, for the following purposes:

  • To fulfill our contractual obligations to you.
  • For correct operation of our products and services.
  • For convenient and straightforward use of our products and services.
  • To improve and optimize the features, security, and stability of our products and services.
  • For administrative purposes.
  • To offer you optimized advertising and product information.

Contract initiation and performance:

In general, we only store personal data needed to fulfill our contractual obligations to you (Ar. Please keep in mind that it is our duty by means of our software to protect your IT systems and data against malware and attacks. Therefore we require a range of different information. Depending on the product used, our contractual obligations include the monitoring of various internal and external data streams, programs, and files as and where necessary. If personal data supplied by third parties is processed, the processing is carried out on the contractual basis and additionally according to Article 6(1)f. GDPR. The "legitimate interest" is the protection of your systems and thus in protecting you against online and offline threats. Your need for protection outweighs the third-party's need for protection whose information may have been made accessible to you and subsequently to us.

Consent:

Your consent is required for the processing of certain data. In these events we will inform you expressly about the situation and provide you with the opportunity to allow us to process this data.

In these cases we will inform you about the purpose of the data processing and about your right of revocation.

Legitimate interest:

It is also possible to process data on the basis of our legitimate interest. Thereby, we are obliged to disclose our interest and take both your and our interests into consideration.

This is the case for the following processes:

  • For our security products range we scan and verify files and data streams continuously. In these cases we may process personal data of third parties. This processing is carried out on the basis of legitimate interest according to Article 6(1)f. GDPR. Our legitimate interest outweighs the protection of the third party as we protect your systems against possible malicious software (see also recital 49 of the General Data Protection Regulation).
  • If you use Avira Identity Scanner, we verify the personal data you entered through a high-security process in cooperation with our partner Affinion (Affinion International Ltd., UK). Should Affinion detect that data misuse is likely, we will submit this information to you on behalf of our partner. The processing of personal data behind this procedure is based on Affinion's legitimate interest to protect information security.

Storage and deletion periods:

We store personal data only to the extent required to fulfill the purpose. The storage period depends on legal requirements and the duration of the contractual relationship.

Should the data no longer be used, it will be anonymized and/or deleted in accordance with legal regulations.

Should you wish to have your data deleted, please note that we are able to block your data immediately but for legal reasons or due to technical restrictions it may take up to 180 days to permanently delete your data from the live systems.

Further, please note that after the confirmation of your deletion request it is not possible to restore your data.

How do we use cookies, analysis and tracking tools, and social media registrations?

When you use a product or service, cookies are uploaded to your browser. Cookies may be used to identify your browser so that our website is displayed correctly. We also use cookies at various points on our website to analyze the use of our website and thereby optimize it, such as the shopping cart function for orders in the Avira online store.

In addition to our own systems, we also use the following third-party tools for marketing purposes and to make your visit to our websites or the use of our products/services more user-friendly.

Analytical tools:

Google Analytics 360

We use Google Analytics 360, a web analysis service from Google (Google Inc.). Google Analytics uses cookies that enable us to analyze your use of our websites. The data generated by cookies about your use of our website is generally processed on European servers in accordance with GDPR guidelines. Google may transfer the data to a server in the USA and store it there. Prior to this, however, Google will shorten your IP address if it originates in a member state of the European Union or in other signatory states to the Agreement on the European Economic Area and thus make it anonymous (Google's anonymizeIp process). The entire IP address is transferred to a Google server in the USA and saved there only in exceptional cases. This anonymization ensures that your IP address cannot be traced back to you. Google uses this data to evaluate your use of the website, to generate reports on website activities for Avira, and to provide other services associated with website and internet use. Google can transfer this information to third parties, where appropriate, if legally mandated or if Google contracts with third parties to process such data. Google will not associate your IP address with other Google data.

You still have the option to prevent Google from collecting data generated by cookies and relating to your use of the website (including your IP address) as well as from processing this data by downloading and installing a browser plug-in provided by Google.

Further information on Google Analytics can be found here.

Adobe Analytics (Omniture)

We use Adobe Analytics by Adobe (Adobe Systems, Inc.). The program uses cookies and tracking pixels, which are either retrieved from your device or stored there and enable an analysis of your use of our website. This process collects and saves data based on pseudonyms. These profiles are used to analyze visitor behavior on our website and to adapt our offerings and design based on user needs. Without your express consent, the pseudonymized usage profiles will not be merged with other personal information that we may have received from you. Adobe does not process your IP address and only saves it in a shortened form. The data collected will be transferred by Adobe within the EU and stored on the company's EU servers. You may also opt-out of the collection and storage of your information by Adobe at any time by following the instructions in the following link:

Opt-out here

For more information about Adobe Systems' Privacy Policy, click here.

Crazy Egg

We use Crazy Egg, a web analytics service provided by Crazy Egg (Crazy Egg, Inc.). Crazy Egg uses cookies that enable us to analyze your use of our website. This process collects and saves data that we use to create usage profiles based on pseudonyms. These profiles are used to analyze visitor behavior and adapt our offerings and design based on user needs. Without your express consent, the pseudonymized usage profiles will not be merged with other personal information that we may have received from you. The data generated by cookies about your use of our website (including your IP address) is transferred to a Crazy Egg server in the USA and stored there. Crazy Egg uses this data to evaluate your use of the website, to generate reports on website activities for Avira, and to provide other services associated with website and internet use.

You may opt-out of the collection and storage of your information by Crazy Egg at any time by following the instructions under the following link:

Opt-out here

For more information about the software used and Crazy Egg's Privacy Policy, just go here.

Social media registrations:

For some web-based services or features of our products and services (e.g. login via https://my.avira.com), we offer registration via Facebook Connect or Google+ Sign-In. Facebook Connect is a service of Facebook, Inc. ("Facebook") and Google+ Sign-In is a service of Google, Inc. ("Google"). If you use Facebook Connect or Google+ Sign-In, the data transmitted to Avira by Facebook or Google will be processed and stored by us exclusively for the purpose of registration. The use of Facebook Connect or Google+ Sign-In is subject to the respective Facebook and/or Google Privacy Policies and Terms of Service. When using Facebook Connect, your Facebook profile and your public profile data are transferred from Facebook to Avira. When using Google+ Sign-In, your Google+ login information (which may contain personally identifiable information such as your name, email address, phone number, and other information you have entered as part of your Google+ profile) will be transferred from Google to Avira. For more information about Facebook Connect, click here or read the Facebook Connect login pop-up. To obtain more information about Google+ Sign-In and how to manage your Google+ access rights, please click here.

If you object to the transfer of such data, please use your Avira account as a login instead of Facebook Connect and/or Google+ Sign-In.

Why and who do we share personal data with?

Your personal data will not be transmitted to third parties for reasons other than those listed below.

We will only disclose your personal data to third parties, if:

  • You have expressly given us your consent for this,
  • it is legally permissible and necessary for the execution of our contractual relationships with you,
  • data transmission is based on a legal obligation, as well as
  • data disclosure is justified by a particular interest and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data at this time.

We share personal data with the following recipients or categories of recipients for the aforementioned reasons:

  • Employees (internal and external)
  • IT infrastructure service providers
  • Payment processors
  • Support service providers
  • Software service providers
  • Providers of analysis tools
  • Public authorities

Here are a few examples:

  • Mixpanel (Mixpanel, Inc.) – we use this tool to analyze and improve the functionality of our software and to optimize your user experience. For this, only anonymized data is transferred.
  • Akamai (Akamai Technologies GmbH) – is used to distribute and update our software. To provide you with a reliable service, information such as transfer paths are saved.
  • Ivanti (Ivanti, Inc.) – Ivanti tools are used to distribute and update our software. To provide you with reliable service, we collect information such as transfer paths.
  • SurveyMonkey (SurveyMonkey Europe UC) – we use this platform to conduct surveys such as on your product satisfaction. For your protection, personal data is processed in a pseudonymized form.

How do we collaborate with partners on your behalf?

We collaborate with partners for selected products and services by sharing the responsibilities according to. We jointly define the purpose and means of processing with these companies. For this, personal data may also be forwarded. In accordance with the GDPR, both companies are then responsible for this processing and/or the legally compliant handling of your data.

What do we use international partners for?

We use a global IT infrastructure including computers, cloud-based servers, networks, and software solutions of international companies to provide our services.

These partners are based in different countries, partly also outside the European Union. In these countries, the same level of data protection is not always governed by and established in law as in the European Union. For this reason, we have taken a number of measures in accordance with the GDPR to ensure the highest possible protection of your personal data. These are:

  • Cooperation with organizations in countries recognized by the EU Adequacy Decision
  • Cooperation with organizations according to the EU-US Privacy Shield
  • Cooperation with organizations based on the EU Standard Contractual Clauses
  • Cooperation with organizations based on agreed guarantees

Compliance with statutory obligations and requirements is guaranteed by our partners.

Further, in certain specific cases your personal data may be forwarded to third countries based on your express consent.

What data protection settings are available?

Our products offer you a number of options and settings. These are usually explained to you when you first use or register for them. It is quite possible that by changing the settings, certain services may no longer function properly.

If you have given us your consent to process certain data, e.g. to receive a newsletter or third-party offers, you have the right to revoke this consent – also in part – at any time. You can usually do so at my.avira.com or by contacting us directly.

If data processing is based on a weighing of interests pursuant to Article 6(1)f. GDPR, you have the right to object to the processing insofar as there are reasons for this arising from your particular situation or if it constitutes direct advertising.

In the case of direct advertising, you have a general right to object without having to provide information on the particular situation. Please inform us of your objection in writing (e.g. email) or by telephone.

What are your rights?

You have the following rights in connection with your personal data, subject to possible legal restrictions:

The right to be informed, rectification, erasure, restriction of processing, portability, and object.

At this point we expressly point out that we reserve the right to perform an identity check of the individual submitting the inquiry, in accordance with legal requirements, and to also take further measures to clearly verify the inquirer's identity.

Anonymous users of our products and services:

If you use our products and services anonymously, i.e. without having registered by providing your email address, we will not be able to perform the necessary and legally required identity check within the scope of your legal request. In accordance with Article 11(2) GDPR we therefore reject the exercise of any claims of the data subject according to Articles 12 to 22 GDPR, unless the data subject provides information allowing their identification in order to exercise their rights laid down in the aforementioned articles.

Right to information:

If you would like to know what personal data we hold on you, we offer this function in my.avira.com. Here you will find an overview of the records stored by us, such as your name, email address, and postal details. For safety reasons and due to regulations we may pseudonymize certain data, such as credit card details.

You will receive this activity data on request via email. The provision of this information may take some time, depending on the scope of the activity data.

Right to rectification:

You will find an overview of the records stored by us, such as your name, email address, and postal details, in the administration section of our software. If you find that this information is incorrect, you can change it yourself. For all other rectifications, please contact us in writing (e.g. email).

Right to erasure:

Should you wish to delete your data, you have the option to do so in the administration section of our software. We will then erase your data in accordance with legal requirements.

However, we would like to point out that we are legally obliged to store certain data for longer periods of time (e.g. the retention periods for accounting documents are currently 10 years (The Fiscal Code of Germany)).

Additionally, we would like to point out that we are able to block your data immediately but due to technical restrictions it may take up to 180 days to permanently delete your data, provided there are no legal obligations and statutory rights preventing deletion.

Further, please note that after the confirmation of your deletion request it is not possible to restore your data.

You may continue using parts of our software as an anonymous user.

Right to restriction of processing:

You have the right to restrict the processing of your personal data. To this end, please inform us of the categories of data affected by your request and the reasons for your request. We will examine the facts immediately and inform you of the result.

Right to data portability:

Please let us know in text form (e.g. email) which data you would like to transfer to whom. We will examine your request immediately and inform you of the result.

Right to lodge a complaint:

If you are dissatisfied with our efforts in connection with data protection, you have the right to lodge a complaint with the data protection supervisory authority responsible in your country. For example, in Europe

  • The State Data Protection and Freedom of Information Officer in Baden-Wuerttemberg
  • PO Box 10 29 32, 70025 Stuttgart
  • Königstrasse 10a, 70173 Stuttgart

is responsible for Avira.

How do we protect personal data?

We have put in place safeguards that are state-of-the-art in the software industry and meet the requirements of data protection legislation to protect your personal data. These are continuously checked and, if necessary, adapted. The objective is to protect your data against accidental or intentional manipulation, partial or total loss, destruction, or unauthorized knowledge or access by third-parties.

To transfer data between our websites, our applications and backends, communication is encrypted using the SSL (Secure Socket Layer) procedure.

We protect the systems and processing by a series of technical and organizational measures. These include data encryption, pseudonymization and anonymization, logical and physical access restriction and control, firewalls and recovery systems, and integrity testing.

Our employees are regularly trained in the sensitive handling of personal data and are obliged to observe data secrecy in accordance with legal requirements.

What possibilities are there for minors to use our services?

Our products and services may not be ordered or installed by minors.

What other information is important?

Public information:

Remember that the data you send to forums such as http://forum.avira.com/wbb/ will be classified and treated as information that is "manifestly made public". If you are active in our forums, there is a risk that others may find and use the information you provide. Be careful and handle your personal information in a responsible manner when online in a public forum.

Changes to this Data Protection Policy:

This Data Protection Policy is revised on an ad-hoc basis to adapt it to current developments in relation to our company, our products and services, legal requirements, and social developments.

Effective: May 18, 2018