M-Files’ Customer, Marketing and Partner Privacy Notice

Last updated: 26.10.2021

Your privacy is important to us. This privacy notice explains the personal data M-Files processes, how M-Files processes it, and for what purposes.

References to M-Files products in this notice include M-Files services, websites, apps, software, and servers.

1. Controller

M-Files Oy (primary responsible party)

Hermia 12, Hermiankatu 1 B

33720 Tampere, Finland

and our group companies

(hereafter ”we” or “M-Files”)

2. Contact information for privacy matters

Data Protection Officer:

privacy@m-files.com or

M-Files Oy,

Hermia 12,

Hermiankatu 1 B,

33720 Tampere, Finland

3. What is the purpose and the legal basis of processing personal data?

The purposes of processing personal data are:

  • the delivery and development of our products and services,
  • fulfilling our contractual and other promises and obligations,
  • taking care of the customer relationship,
  • analyzing and profiling the behavior of a customer or other data subject,
  • protecting the security and safety of our products and our customers, detecting and preventing fraud, confirming the validity of software licenses
  • electronic direct marketing and
  • targeting advertising in our and others’ online services.

We use profiling to identify personal profiles, behavior and customer habits. We use this information e.g. to target marketing and to develop our services.

The basis of processing personal data is (i) our legitimate interest (e.g. marketing and customer relationship management); (ii) to perform a contract; (iii) to fulfil our legal obligation and/or (iv) consent.

4. What data do we process?

We process the following personal data in connection with the customer relationship:

  • contact information of the data subject such as email address, phone number, address;
  • information of company and company’s contact persons such as name of the company, business ID, names, titles and contact details of the contact persons;
  • possible prohibitions of direct marketing;
  • information of the participants of events and possible information regarding the event, such as special diets;
  • Demographic data. We collect data about you such as country, salutation, time zone and preferred language. We also collect other personal data you have provided to us.
  • information regarding the customer relationship and the contract such as billing and payment information, product and order information, order cancellation information, information about past and current contracts and orders, user profile formed based on the customer relationship such as user names, passwords and similar security information used for authentication and account access, correspondence with the customer/data subject, including making records of calls or meetings with customer’s/data subject’s consent, and other contacts, cookies and data related to using them;
  • other possible information gathered with data subject’s consent.
  • Device and Usage data. We collect data about your use of M-Files and how you interact with M-Files and our services. For example, we collect:
    • When you register to our services, we collect the registration date
    • Log Information. When you visit the M-Files site, our servers automatically record information that your browser sends whenever you visit a website. This information may include information such as your IP address, browser type or the domain from which you are visiting, the web pages you visit, the search terms you use, and any advertisements on which you click.
    • Device Data. We collect information about the device you use to access the services, including for example the hardware model, operating system and version, unique device identifiers, MAC address and IP address.
    • Location Information. We may collect, use and share location information, including the real-time geographic location of your device, in connection with your use of the services, for example using the IP address of your device. The location information may be used as part of certain features of the services, as well as for the purposes of analyzing the use of the Services.
    • Error reports and performance data. We collect data about the performance of the services and any problems you experience with them. This data helps us to diagnose problems in the services you use, and to improve our services and provide solutions.
    • Troubleshooting and Help Data. When you engage M-Files for troubleshooting and help, we collect data about you and your hardware, software, and other details related to the incident. Such data includes contact or authentication data, the content of your chats and other communications with M-Files, data about the condition of the machine and the application when the fault occurred and during diagnostics, and system and registry data about software installations and hardware configurations
    • M-Files product usage data. We collect data on your use of M-Files product. Identifiers included in usage data are Vault GUID, pseudonymized User ID and pseudonymized user Login Account, which are used to personalize user experience, analyze errors and produce pseudonymized statistics on the use of M-Files product.

5. How we process personal data on our website and social media channels?

We utilize cookies on our websites (e.g. http://www.m-files.com/). Find out more about the cookies used and manage your preferences from our Cookie Notice..

We track service usage and behavior on our web pages (use cookies) for service development and to offer you better service and customer experience. We also utilize the data for marketing and internal development.


Like many websites, we use “cookie” technology to collect additional website usage data and to improve the web site and our services. We also utilize the data for marketing purposes. A cookie is a small data file that we transfer to your device’s hard disk. M-Files may use both session cookies and persistent cookies to better understand how you interact with the web site, to monitor aggregate usage by our users and web traffic on the site, and to improve the site and related services. A session cookie enables certain features of the site and is deleted from your device when you disconnect from or leave the site. A persistent cookie remains after you close your browser and may be used by your browser on subsequent visits to the site. Persistent cookies can be removed by following your web browser help file directions. Most Internet browsers automatically accept cookies. You can instruct your browser, by editing its options, to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit.

Google Analytics and Other Third Party Analytics Providers

We use Google Analytics for web usage tracking. Google Analytics collects and stores data on your use of the services, including but not limited to; time of visit, site pages visited or opened and for how long are they used, the Internet Protocol (IP) address and information on the device used to access the site.

We also use the following Google Analytics Advertising Features:

  • Remarketing with Google Analytics
  • Google Display Network Impression Reporting
  • Google Analytics Demographics and Interest Reporting

The user can block the use of Google Analytics for usage tracking by installing a browser add-on that blocks its use (see instructions here). This browser add-on prevents JavaScript used by Google Analytics (ga.js, analytics.js and dc.js) from sending the visitor’s information from the website

We use Marketo, Bizible, 6sense and Uberflip for web usage tracking. These analytics tools collect and store data on your use of the services, including but not limited to; time of visit, site pages visited or opened and for how long are they used, the Internet Protocol (IP) address and information on the device used to access the site.  The user can block the use of analytics tools for usage tracking by installing a browser add-on that blocks its use. This browser add-on prevents JavaScript used by analytics tools (ga.js, analytics.js and dc.js) from sending the visitor’s information from the website.

We may also use other third party data analytics service providers. These service providers may use cookies, web beacons and other technologies to collect information about your use of the services. Analytics service providers enable us to collect, monitor and analyze data regarding the use of the services, in order to understand how users use the services and to increase the functionality and user-friendliness of the services, as well as to better tailor the services to users’ needs. Accordingly, some automatically collected data is shared with third party service providers, who have their own privacy notices/policies applicable to their operations.

Social media channels and targeted advertisement

Using these cookies allows us to make the content of the website as individually customized as possible, and thereby show e.g. targeted advertisement and content based on the user’s prior behavior. M-Files uses advertisement cookies managed by third parties in order to present its products both on its own website and on the sites of third parties. You can disable some of the third party advertisement cookies from their site settings.

The M-Files website may include links and connections to third party websites, products and services as well as so-called community plug-ins of third parties (such as Facebook, Instagram, LinkedIn, YouTube, Twitter and TrustRadius). Third party plug-ins integrated into the M-Files website are loaded from third party servers and thus the third party may install their own cookies on the user’s device. The third party services and applications offered on the M-Files website are subject to the privacy policies or notices of such third parties. We recommend that you familiarize yourself with those third party privacy policies or notices.

6. M-Files product usage and performance data

We use different technologies to gather usage and performance data from your M-Files products and services. We use technologies for storing and honoring your preferences and settings, enabling you to sign in, analyzing how our products perform, and fulfilling other legitimate purposes.

In analyzing how our products perform, data relating to your use of M-Files product may be collected to assess the use of M-Files product at the level of your organization. While such data may allow M-Files to identify you on the basis of other available information, the data is pseudonymized and highly secured, and not used for actively identifying individuals, profiling individuals or for any other purpose inconsistent with what is set out above.

If your organization (employer) provides you with access to M-Files products, your use of the M-Files products is subject to your organization’s policies, if any. The usage data may be shared by M-Files in aggregated form with your organization (employer), who will process such data as a separate data controller. You should direct your privacy inquiries concerning such or any other processing of your personal data by your organization, including any requests to exercise your data protection rights, to your organization’s administrator. When you use features in M-Files products, other users in your network may see some of your activity. To learn more about the features and other functionality, please review documentation or help content specific to the M-Files product. M-Files is not responsible for the privacy or security practices of our customers, which may differ from those set forth in this privacy statement.

7. Service specific information on processing of personal data in M-Files add-ons

Personal data is processed for the following purposes and using the following services:

M-Files for Google Workspace

M-Files for Google Workspace is an add-on that is separately sold and installed to customers. It integrates M-Files service and Google Workspace seamlessly together and allows users to save copies of e-mail and attachments from Gmail and files from Google Drive to M-Files for long-term preservation. The add-on is configured and used by the M-Files’ customers. Only the person(s) defined by the customer/user have access to the e-mails and documents that users save to M-Files.

This integration requires read and write access to Gmail and read rights to Google Drive. When a user saves an e-mail to M-Files service, the add-on uses write access to add a label to the e-mail in Gmail. Otherwise, the add-on uses only read access to save e-mails and documents from Gmail and Google Drive to M-Files service.

Regarding all the data content in the Google Workspace and M-Files service, M-Files’ customer is data controller and M-Files is data processor. Information about personal data processing are shown in the privacy policies or notices of each M-Files’ customer. If the M-Files’ customer decides to integrate Google Workspace to M-Files service, M-Files needs to process Customer’s contact persons’ (e.g. main user) contact information (such as e-mail address and name) as a data controller. This personal data is processed only for the purpose to operate M-Files to Google Workspace service.

8. From where do we receive data?

We receive information primarily from the following sources: yourself, population register, authorities, credit information companies, channel partners, contact information service providers and other similar reliable sources.

For the purposes described in this Privacy Notice, personal data may also be collected and updated from publicly available sources and based on information received from the authorities or other third parties within the limits of the applicable laws and regulations. Such updating of data is performed manually or by automated means.

9. To whom do we disclose data, and do we transfer data outside the EU or the EEA?

We don’t disclose your personal data to external parties except we may disclose it to our subsidiaries and affiliates, or a subsequent owner, co-owner or operator of the Services and their advisors in connection with a corporate merger, consolidation, restructuring, the sale of substantially all of our stock and/or assets, or in connection with bankruptcy proceedings, or other corporate reorganization. M-Files may sell, transfer or otherwise share some or all of its assets, including your personal data, in connection with a merger, acquisition, reorganization or sale of assets or in the event of bankruptcy.

We use subcontractors that process personal data on our behalf. We share your personal data as necessary to complete any transaction or provide any service you have requested. We share data within M-Files group to our subsidiaries and affiliates; with trusted third parties to process personal data and provide services on behalf of M-Files, including hosting and maintenance, customer relationship, customer support, database storage and management, and sales and marketing of M-Files products and services. Usage data concerning the M-Files product may be shared with your organization (M-Files’ customer) in an aggregated form.

We transfer personal data outside the EU/EEA. When personal data is processed outside the EU/EEA, we make sure that the recipient (sub-contractor or subsidiary) of the data has committed to use the EU Commission’s standard contractual clauses or provide other appropriate safeguards as described in Article 46 of the GDPR.

10. How do we protect the data and how long do we store them?

Only those of our employees, who on behalf of their work are entitled to process customer data, are entitled to use the system containing personal data. Each user has a personal username and password to the system. The data is collected into databases that are protected by firewalls, passwords and other technical measures. The databases and their backup copies are in locked premises and can be accessed only by certain pre-designated persons.

The personal data we collect are retained for the period necessary to fulfil the purposes outlined in this Privacy Notice unless a longer retention period is required by law, or we need it to protect our legal rights. Thereafter, the personal data will be deleted within a reasonable timeframe or rendered anonymous.

We estimate the need for data storage regularly, taking into account the applicable legislation. In addition, we take care of such reasonable actions that ensure no incompatible, outdated or inaccurate personal data is stored taking into account the purpose of the processing. We correct or erase such data without delay.

11. What are your rights as a data subject?

You have the right to inspect the personal data stored concerning yourself and the right to demand rectification or erasure of the inaccurate, outdated, unnecessary and unlawful data. If you have access to your data, you may edit the data yourself. Insofar as the processing is based on consent, you also have the right to withdraw or change your consent. Withdrawing your consent does not affect the lawfulness of processing before the withdrawal of the consent.

You have the right to object or to demand restriction of the processing of your data and to lodge a complaint with the supervisory authority.

On grounds relating to your particular situation you also have the right to object other processing activities when the legal basis of processing is legitimate interest. In connection with your request, you shall identify the specific situation, based on which you object to the processing. We can refuse the request of objection only on legal grounds.

12. Privacy Notice for California residents

This Section 12 supplements the information contained in this Privacy Notice and applies solely to natural persons residing in the State of California, USA. This Section 12 was adopted to comply with the California Consumer Privacy Act of 2018 (hereinafter the “CCPA”) with any terms defined in the CCPA having the same meaning when used in this Section 12.

The “personal information” that we collect is information that identifies, describes, relates to or could reasonably be linked with you.

The information we collect from you is listed in Section 4 of this Privacy Notice. The categories of personal information collected from you are listed below and describe the information collected by us from our customers in the past 12 months:

  • contact information of the data subject;
  • information of company and company’s contact persons;
  • possible prohibitions of direct marketing;
  • information of the participants of events and possible information regarding the event;
  • demographic data;
  • information regarding the customer relationship and the contract;
  • other possible information gathered with data subject’s consent;
  • device and Usage data.

Please refer to Section 4 for detailed explanations regarding these categories of information.

We collect personal information in order to be able to provide services to our customers and in order to continuously enhance and better our products and offerings. Personal information is collected for the following purposes:

  • the delivery and development of our products and services,
  • fulfilling our contractual and other promises and obligations,
  • maintaining our relationships with customers,
  • analyzing and profiling the behavior of a customer or other data subject,
  • protecting the security and safety of our products and our customers, detecting and preventing fraud, confirming the validity of software licenses
  • electronic direct marketing and
  • targeting advertising in our and others’ online services.

Description as to how we process this personal information can be found in Sections 4, 5 and 6. We do not sell your personal information to any third party or entity.

Under the CCPA you have certain rights in relation to your personal information and how it is processed by us.

You have the right to not receive discriminatory treatment in the exercise of your privacy rights under the CCPA.

You have the right to know what personal information related to you was collected and is maintained by us, how it is collected and how it is disclosed. You can request the disclosure of the information collected by us and of our processing of that information by submitting a request (request to know) at privacy@m-files.com. This request may be in free form. In order to comply with your request, the CCPA requires us to verify your identity. In order to do that, the following information shall be collected from you:

  • your contact details;
  • a copy of your identification document issued by the relevant authority…

The copy of your identification document shall be submitted through a secure document sharing service, through a link that will be communicated to you by M-Files upon the receipt of your request. Upon the verification of your identity, the copy of your identification document shall be destroyed without undue delay.

If your request is communicated through an e-mail address provided to you by your employer and if that e-mail address follows the convention Name@CompanyName.TopLevelDomain (for example jane.doe@company.com), and access to that email is facilitated through entering the associated security credentials (ie. username and password), your identity shall be considered verifiable and you will not be asked to provide a copy of your identification document.

You also have the right to request deletion of your personal information that we have collected. Requests to delete information can be communicated to us at privacy@m-files.com or through physical mail at the following address:

M-Files Inc.,
6400 International Parkway, Suite 2500,
Plano, TX 75093,

Similarly to our compliance with requests to know what information is processed by us, we must verify your identity. Your identity when submitting requests for deletion will be verified as described above. Additionally, requests to delete may be communicated to us in free form.

You have the right to submit requests to know and requests to delete through an authorized agent. In order to ascertain that the agent is entitled to represent you in the submission of requests, we shall request such agent to produce a power of attorney or other such written document detailing the scope of the agent’s representation of you in such matters.

13. Children’s privacy

Our services are not directed to children and we do not intend to collect personal data from children. We ask you not to use the services and not to provide any information about yourself to us if you are below the age, defined in your jurisdiction, requiring parental consent or authorization for processing of personal data.

14. Who can you be in contact with?

All contacts and requests concerning this Privacy Notice should be submitted in writing to the address mentioned in section two (2) “Contact information for privacy matters”.