Last updated: 1.3.2023
Your privacy is important to us. This privacy notice explains the personal data M-Files processes, how M-Files processes it, and for what purposes.
References to M-Files products in this notice include M-Files services, websites, apps, software, and servers.
M-Files Oy (primary responsible party)
Hermia 12, Hermiankatu 1 B
33720 Tampere, Finland
and our group companies
(hereafter ”we” or “M-Files”)
Data Protection Officer:
Hermiankatu 1 B,
33720 Tampere, Finland
The purposes of processing personal data are:
We use profiling to identify personal profiles, behavior and customer habits. We use this information e.g. to target marketing and to develop our services.
The basis of processing personal data is (i) our legitimate interest (e.g. marketing and customer relationship management); (ii) to perform a contract; (iii) to fulfil our legal obligation and/or (iv) consent.
We process the following personal data in connection with the customer relationship:
Like many websites, we use “cookie” technology to collect additional website usage data and to improve the web site and our services. We also utilize the data for marketing purposes. A cookie is a small data file that we transfer to your device’s hard disk. M-Files may use both session cookies and persistent cookies to better understand how you interact with the web site, to monitor aggregate usage by our users and web traffic on the site, and to improve the site and related services. A session cookie enables certain features of the site and is deleted from your device when you disconnect from or leave the site. A persistent cookie remains after you close your browser and may be used by your browser on subsequent visits to the site.
Persistent cookies can be removed by following your web browser help file directions. Most Internet browsers automatically accept cookies.
You can instruct your browser, by editing its options, to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit.
Google Analytics and Other Third Party Analytics Providers
We use Google Analytics for web usage tracking. Google Analytics collects and stores data on your use of the services, including but not limited to; time of visit, site pages visited or opened and for how long are they used, the Internet Protocol (IP) address and information on the device used to access the site.
We also use the following Google Analytics Advertising Features:
The user can block the use of Google Analytics for usage tracking by installing a browser add-on that blocks its use (see instructions here).
We use Marketo, Bizible, 6sense and Uberflip for web usage tracking. These analytics tools collect and store data on your use of the services, including but not limited to; time of visit, site pages visited or opened and for how long are they used, the Internet Protocol (IP) address and information on the device used to access the site. The user can block the use of analytics tools for usage tracking by installing a
Accordingly, some automatically collected data is shared with third party service providers, who have their own privacy notices/policies applicable to their operations.
Social media channels and targeted advertisement
Using these cookies allows us to make the content of the website as individually customized as possible, and thereby show e.g. targeted advertisement and content based on the user’s prior behavior. M-Files uses advertisement cookies managed by third parties in order to present its products both on its own website and on the sites of third parties. You can disable some of the third party advertisement cookies from their site settings.
The M-Files website may include links and connections to third party websites, products and services as well as so-called community plug-ins of third parties (such as Facebook, Instagram, LinkedIn, YouTube, Twitter and TrustRadius). Third party plug-ins integrated into the M-Files website are loaded from third party servers and thus the third party may install their own cookies on the user’s device. The third party services and applications offered on the M-Files website are subject to the privacy policies or notices of such third parties. We recommend that you familiarize yourself with those third party privacy policies or notices.
We use different technologies to gather usage and performance data from your M-Files products and services. We use technologies for storing and honoring your preferences and settings, enabling you to sign in, analyzing how our products perform, and fulfilling other legitimate purposes.
In analyzing how our products perform, data relating to your use of M-Files product may be collected to assess the use of M-Files product at the level of your organization. While such data may allow M-Files to identify you on the basis of other available information, the data is pseudonymized and highly secured, and not used for actively identifying individuals, profiling individuals or for any other purpose
inconsistent with what is set out above.
If your organization (employer) provides you with access to M-Files products, your use of the M-Files products is subject to your organization’s policies, if any. The usage data may be shared by M-Files in aggregated form with your organization (employer), who will process such data as a separate data controller. You should direct your privacy inquiries concerning such or any other processing of your
personal data by your organization, including any requests to exercise your data protection rights, to your organization’s administrator.
When you use features in M-Files products, other users in your network may see some of your activity. To learn more about the features and other functionality, please review documentation or help content specific to the M-Files product. M-Files is not responsible for the privacy or security practices of our customers, which may differ from those set forth in this
Personal data is processed for the following purposes and using the following
M-Files for Google Workspace
M-Files for Google Workspace is an add-on that is separately sold and installed to customers. It integrates M-Files service and Google Workspace seamlessly together and allows users to save copies of e-mail and attachments from Gmail and files from Google Drive to M-Files for long-term preservation. The add-on is configured and used by the M-Files’ customers. Only the person(s) defined by the customer/user have access to the e-mails and documents that users save to M-Files.
This integration requires read and write access to Gmail and read rights to Google Drive. When a user saves an e-mail to M-Files service, the add-on uses write access to add a label to the e-mail in Gmail. Otherwise, the add-on uses only read access to save e-mails and documents from Gmail and Google Drive to M-Files service. Regarding all the data content in the Google Workspace and M-Files service, M-Files’ customer is data controller and M-Files is data processor. Information about personal data processing are shown in the privacy policies or notices of each M-Files’ customer. If the M-Files’ customer decides to integrate Google Workspace to M-Files
service, M-Files needs to process Customer’s contact persons’ (e.g. main user) contact information (such as e-mail address and name) as a data controller. This personal data is processed only for the purpose to operate M-Files to Google Workspace service.
M-Files Add-In for Microsoft Teams
M-Files Add-In for Microsoft Teams is an add-in that is separately offered and installed to customers. It integrates M-Files service and Microsoft Teams seamlessly together and allows users to work together with their colleagues, partners and clients on M-Files content directly in Microsoft Teams. The add-in is configured and used by the M-Files’ customers. Only the person(s) defined by the customer/user have access to the content that users save to M-Files.
This integration requires read access to Microsoft Graph API. When a user enables collaborative settings, the add-in uses read access Microsoft Graph API to get Microsoft Teams channel level member information to enable user access and permission handling to shared content in M-Files. Additionally, when a user saves a document from Teams channel to M-Files the integration uses read access to get the
file from Microsoft SharePoint.
Regarding all the data content in the Microsoft Teams and M-Files service, M-Files’ customer is data controller and M-Files is data processor. Information about personal data processing are shown in the privacy policies or notices of each M-Files’
customer. If the M-Files’ customer decides to integrate Microsoft Teams to M-Files service, M-Files needs to process Customer’s contact persons’ (e.g. main user) contact information (such as e-mail address and name) as a data controller. This personal data is processed only for the purpose of operating M-Files Add-In for Microsoft Teams.
Ment is a SaaS tool that is separately offered to customers to automate creation of document and agreement templates on a no-code principle. The Ment product is accessed through a standalone Ment web application. In order to provide Ment, M-Files processes certain personal information both in the role of data controller and data processor under the GDPR. M-Files’ processing of personal data as a data
processor is set out in the applicable agreement between M-Files and a customer organization. M-Files processes the following personal information as a data controller:
We receive information primarily from the following sources: yourself, population register, authorities, credit information companies, channel partners, contact information service providers and other similar reliable sources.
For the purposes described in this Privacy Notice, personal data may also be collected and updated from publicly available sources and based on information received from the authorities or other third parties within the limits of the applicable laws and regulations. Such updating of data is performed manually or by automated means.
We don’t disclose your personal data to external parties except we may disclose it to our subsidiaries and affiliates, or a subsequent owner, co-owner or operator of the Services and their advisors in connection with a corporate merger, consolidation, restructuring, the sale of substantially all of our stock and/or assets, or in connection with bankruptcy proceedings, or other corporate reorganization. M-Files may sell, transfer or otherwise share some or all of its assets, including your personal data, in connection with a merger, acquisition, reorganization or sale of assets or in the event of bankruptcy.
We use subcontractors that process personal data on our behalf. We share your personal data as necessary to complete any transaction or provide any service you have requested. We share data within M-Files group to our subsidiaries and affiliates; with trusted third parties to process personal data and provide services on behalf of M-Files, including hosting and maintenance, customer relationship, customer
support, database storage and management, and sales and marketing of M-Files products and services. Usage data concerning the M-Files product may be shared with your organization (M-Files’ customer) in an aggregated form.
We transfer personal data outside the EU/EEA. When personal data is processed outside the EU/EEA, we make sure that the recipient (sub-contractor or subsidiary) of the data has committed to use the EU Commission’s standard contractual clauses or provide other appropriate safeguards as described in Article 46 of the GDPR.
Only those of our employees, who on behalf of their work are entitled to process customer data, are entitled to use the system containing personal data. Each user has a personal username and password to the system. The data is collected into databases that are protected by firewalls, passwords and other technical measures.
The databases and their backup copies are in locked premises and can be accessed only by certain pre-designated persons.
The personal data we collect are retained for the period necessary to fulfil the purposes outlined in this Privacy Notice unless a longer retention period is required by law, or we need it to protect our legal rights. Thereafter, the personal data will be deleted within a reasonable timeframe or rendered anonymous.
We estimate the need for data storage regularly, taking into account the applicable
legislation. In addition, we take care of such reasonable actions that ensure no
incompatible, outdated or inaccurate personal data is stored taking into account the
purpose of the processing. We correct or erase such data without delay.
You have the right to inspect the personal data stored concerning yourself and the right to demand rectification or erasure of the inaccurate, outdated, unnecessary and unlawful data. If you have access to your data, you may edit the data yourself. Insofar as the processing is based on consent, you also have the right to withdraw or change your consent. Withdrawing your consent does not affect the lawfulness of processing before the withdrawal of the consent.
You have the right to object or to demand restriction of the processing of your data and to lodge a complaint with the supervisory authority.
On grounds relating to your particular situation you also have the right to object other processing activities when the legal basis of processing is legitimate interest. In connection with your request, you shall identify the specific situation, based on which you object to the processing. We can refuse the request of objection only on legal grounds.
This Section 12 supplements the information contained in this Privacy Notice and applies solely to natural persons residing in the State of California, USA. This Section 12 was adopted to comply with the California Consumer Privacy Act of 2018 (hereinafter the “CCPA”) with any terms defined in the CCPA having the same meaning when used in this Section 12.
The “personal information” that we collect is information that identifies, describes, relates to or could reasonably be linked with you.
The information we collect from you is listed in Section 4 of this Privacy Notice. The categories of personal information collected from you are listed below and describe the information collected by us from our customers in the past 12 months:
Please refer to Section 4 for detailed explanations regarding these categories of information. We collect personal information in order to be able to provide services to our customers and in order to continuously enhance and better our products and offerings. Personal information is collected for the following purposes:
Description as to how we process this personal information can be found in Sections 4, 5 and 6. We do not sell your personal information to any third party or entity.
Under the CCPA you have certain rights in relation to your personal information and how it is processed by us. You have the right to not receive discriminatory treatment in the exercise of your privacy rights under the CCPA.
You have the right to know what personal information related to you was collected and is maintained by us, how it is collected and how it is disclosed. You can request the disclosure of the information collected by us and of our processing of that information by submitting a request (request to know) at firstname.lastname@example.org. This request may be in free form. In order to comply with your request, the CCPA requires us to verify your identity. In order to do that, the following information shall be collected from you:
The copy of your identification document shall be submitted through a secure document sharing service, through a link that will be communicated to you by M-Files upon the receipt of your request. Upon the verification of your identity, the copy of your identification document shall be destroyed without undue delay.
If your request is communicated through an e-mail address provided to you by your employer and if that e-mail address follows the convention Name@CompanyName.TopLevelDomain (for example email@example.com), and access to that email is facilitated through entering the associated security credentials (ie. username and password), your identity shall be considered verifiable and you will
not be asked to provide a copy of your identification document.
You also have the right to request deletion of your personal information that we have collected. Requests to delete information can be communicated to us at firstname.lastname@example.org or through physical mail at the following address:
6400 International Parkway, Suite 2500,
Plano, TX 75093,
Similarly to our compliance with requests to know what information is processed by us, we must verify your identity. Your identity when submitting requests for deletion will be verified as described above. Additionally, requests to delete may be communicated to us in free form.
You have the right to submit requests to know and requests to delete through an authorized agent. In order to ascertain that the agent is entitled to represent you in the submission of requests, we shall request such agent to produce a power of attorney or other such written document detailing the scope of the agent’s representation of you in such matters.
Our services are not directed to children and we do not intend to collect personal data from children. We ask you not to use the services and not to provide any information about yourself to us if you are below the age, defined in your jurisdiction, requiring parental consent or authorization for processing of personal data.
All contacts and requests concerning this Privacy Notice should be submitted in writing to the address mentioned in section two (2) “Contact information for privacy matters”.