PRIVACY POLICY – General Privacy Statement

Table of content

General information

At Avira, a Gen company, we are committed to providing you with transparency as we process your personal data in accordance with applicable legislation. Our mission is to create technology solutions for people to take full advantage of the digital world, safely, privately, and confidently – so together, we can build a better tomorrow.

In this Statement, “personal data” means any information relating to an identified or identifiable individual. This data may be directly or indirectly of a personal nature, i.e. it may involve other data sources.

We collect much of this data in a pseudonymized or anonymized form. Pseudonymized means that it is no longer possible to attribute the data to a specific data subject without additional information. Anonymized means that the data subject can no longer be identified from the anonymized data. Within the scope of this processing, we also use service providers as contract processors in accordance with applicable privacy regulations.

Below you will find a non-exhaustive overview of our general processing activities. Please note that we have described some activities in separate privacy policies, such as for websites or products. Additional information on our personal data practices may be provided in product descriptions, contractual terms, supplemental privacy statements, or notices provided prior to or at the time we collect your personal data.

This Privacy Statement (“Statement”) applies to the Avira websites, services and products (our “Services”) that link to or reference this Statement. In this Statement, we describe how we collect, process, use and disclose personal data, and your rights and choices regarding our processing of your personal data.

If you are in the European Economic Area, and unless stipulated otherwise contractually, the Controller of your personal data is: 

Avira Holding GmbH

Kaplaneiweg 1

88069 Tettnang

Germany

Purpose limitation

Irrespective of whether your data can be traced back directly or indirectly to a natural person, we process your data only for the specified, clear, and legitimate purposes. Further detailed information can be found in the corresponding subject areas.

Consent

Your consent is required for the processing of certain data. In these cases, we will inform you expressly about the situation and provide you with the opportunity to allow us to process this data.

You always have the option to withdraw this consent to processing with effect for the future. Further information can be found under Withdrawal of consent.

Contract initiation and performance

We primarily store personal data needed to fulfill our contractual obligations to you. Please keep in mind that it is our duty by means of our software to protect your IT systems and data against malware and attacks. Therefore, we require a range of different information. Depending on the product used, our contractual obligations include the monitoring of various internal and external data streams, programs, and files as and where necessary. The "legitimate interest" is the protection of your systems and thus in protecting you against online and offline threats. Your need for protection outweighs the third-party's need for protection whose information may have been made accessible to you and subsequently to us.

Legitimate interest

It is also possible to process data on the basis of our legitimate interest. Thereby, we are required to disclose our interest and take both your and our interests into consideration.

You have the right to object to the processing insofar as there are reasons for this arising from your particular situation or if it constitutes direct advertising.

In the case of direct advertising, you have a general right to object at any time without having to provide information on the particular situation. Please inform us of your objection in writing (e.g. email).

Storage and deletion periods

We store personal data only to the extent required to fulfill the respective purpose. The storage period depends on legal requirements and the duration of the contractual relationship.

If we no longer need your personal data to fulfill the respective purpose, we will make it anonymous and/or delete it within the scope of the legal regulations. In most cases we remove your personal data three years after you are no longer using our products.

Legitimate forwarding of personal data

Your personal data will not be transmitted to third parties for reasons other than those described in this document.

We will only disclose your personal data to third parties if:

• you have expressly given us your consent for this;
• it is legally permissible and necessary for the execution of our contractual relationships with you;
• data transmission is based on a legal obligation; or
• data disclosure is justified by a legitimate interest and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data at this time.

We share personal data with the following categories of recipients for the aforementioned reasons:

• Employees (internal and external)
• Group companies
• IT infrastructure service providers
• Payment processors
• Service providers and vendors for support processing, software, marketing and sales, and communications
• Suppliers of analysis tools
• External auditors
• Public authorities.

Here are a few examples:

• Mixpanel (Mixpanel Inc.) – we use this tool to analyze and improve the functionality of our software and to optimize your user experience. To do so, only anonymized data is transferred.
• Akamai (Akamai Technologies GmbH) – is used to distribute and update our software. To provide you with a reliable service, information on matters such as transfer paths is saved.
• Ivanti (Ivanti Inc.) — Ivanti tools are used to distribute and update our software. To provide you with a reliable service, we collect information on matters such as transfer paths.
• SurveyMonkey (Survey Monkey Europe UC) – we use this platform to conduct surveys on issues such as your product satisfaction. For safety, personal data is processed in a pseudonymized form.

Joint controllers

We collaborate with partners for selected products and services as joint controllers. We jointly define the purpose and means of processing with these companies. For this, personal data may also be forwarded. In accordance with the GDPR, both companies are then responsible for this processing and/or the legally compliant handling of your data.

The following list contains the partnerships for which we consider ourselves obliged to provide joint controller information.

Overview of contracts

Cross-Border Transfers of Personal Data Among Avira and Gen Digital Entities and to Third-Party Vendors

We are a global company and process personal data in many countries. As part of our business, your personal data may be transferred to Avira and Gen Digital and/or its subsidiaries and affiliates in the United States, Germany, and to subsidiaries and third-party vendors of Avira / Gen Digital located worldwide. All transfers will occur in compliance with the applicable data transfer requirements laws and regulations. Transfers of your personal data within Avira / Gen Digital and/or its subsidiaries and affiliates are done pursuant to NortonLifeLock’s Binding Corporate Rules.

If your personal data originates from the European Economic Area and is transferred to Avira / Gen Digital subsidiaries, affiliates, or third-party vendors engaged by Avira / Gen Digital to process such personal data on our behalf who are located in countries that are not recognized by the European Commission as offering an adequate level of personal data protection, such transfers are covered by alternate appropriate safeguards, specifically Standard Contractual Clauses adopted by the European Commission.

If we are involved in a reorganization, merger, acquisition, or sale of our assets, your personal data may be transferred as part of that transaction.

Categories of Personal Data We Process

Personal Data You Provide to Us

When you interact directly with us, such as creating an account, making a purchase or requesting information, we may collect personal data that you provide to us, including:

• Account Data. If you create an account with us, we collect your name, mailing address, email address, phone number, user credentials (login name and password), and depending on the product purchased may also collect additional information used as part of the product.
• Payment Data. If you complete a purchase for one of our products and services, we collect information about your payments the items you have purchased.
• Identity Data. If you purchase an identity monitoring product, we collect personal information to providing the monitoring service, such as address, email, bank account information, credit/debit card information, insurance information, gamer tag, and other personal details about you.

Personal Data We Collect Automatically

When you visit and use our websites and Services, we may automatically collect data about your interaction with our websites and Services, including:

• Product Data. If you install our products, we collect information about you, including product license information, usage data, and/or preference information, browser activity, and URLs accessed. This data may include diagnostic data such as crash dumps, system logs, error reports, product and internet usage time, network connection activity, interactions with our websites and extensions, or blocked websites. This data also helps us better understand and better serve your interests, expectations, needs and requirements.
• Device Data. We collect information to facilitate installation and use of our products, including your device and system information such as operating system, device name, browser, network, and applications running on the device. This data can also include identifiers such as MAC address, internal device identifiers, account generated unique ID, mobile device IDs (UDID, IMEI, and IDFA), Wi-Fi MAC Address, and install identifiers.
• Security Data. This data may include alert data, and data that is collected for cyber threat intelligence, as needed to provide cyber safety and identity threat protection services. This data can include URLs and websites visited, executable and other files identified as malware, and application names and versions.
• Location Data. When you use our Services, if you consent via the device interface to sharing the precise geolocation data of your device, we will receive your precise location information. We also infer your more general location information (for example, your IP address or time zone may indicate your more general geographic region).

Technical and organizational data protection

We have implemented safeguards to protect your personal data that are both state-of-the-art within the software industry and meet the requirements of data protection legislation. These measures are continuously checked and, if necessary, adapted. The objective is to protect your data against accidental or intentional manipulation, partial or total loss, destruction or unauthorized obtaining, or access by third parties.

We protect our systems and processing with a series of technical and organizational measures. These include data encryption, pseudonymization and anonymization, logical and physical access restriction and control, firewalls and recovery systems, and integrity testing.

Our employees are regularly trained in the sensitive handling of personal data and are required to maintain confidentiality in accordance with legal requirements.

Processing of minors' data

Our products and services may not be ordered or installed by minors.

Public information

Remember that the data you send to forums such as https://support.avira.com will be classified and treated as information that is "manifestly made public". If you are active in our forums, there is a risk that others may find and use the information you provide. Be careful and handle your personal information in a responsible manner when online in a public forum.

Careers

The Avira brand is part of Gen Digital — a global company inspired by the people we help protect. When you visit our Careers web page, you have the option of applying for a specific, advertised position at our company.

As part of the application process, we process your personal data, such as your CV, credentials, and work samples. We may also invite you for an interview, either in person or using video systems.

California Consumer Privacy Act (CCPA) Disclosures

Without your consent, Avira will never pass on any data that can be attributed to you personally to third parties for their own marketing purposes. As a resident of California, you can exercise your rights regarding your personal data.

Under the terms of the California Consumer Privacy Act, Avira does not sell any of your personal data.

If you would like to opt-out of sharing personal information for purposes of cross contextual advertising, please use the cookie banner to do so.

Changes to this Privacy Policy

This Privacy Policy is revised on an ad-hoc basis to adapt it to current developments in relation to our company, our products and services, legal requirements, and the social sphere.

Version: 01.01.2022