M-Files’ Customer, Marketing and Partner Privacy Notice

Last updated: 14.9.2021

Your privacy is important to us. This privacy notice explains the personal data M-Files processes, how M-Files processes it, and for what purposes.

References to M-Files products in this notice include M-Files services, websites, apps, software, and servers.

1. Controller

M-Files Oy (primary responsible party)
Hermia 12, Hermiankatu 1 B
33720 Tampere, Finland

and our group companies

(hereafter ”we” or “M-Files”)

2. Contact information for privacy matters

[email protected] or

M-Files Oy,
Hermia 12,
Hermiankatu 1 B,
33720 Tampere, Finland

3. What is the purpose and the legal basis of processing personal data?

The purposes of processing personal data are:

We use profiling to identify personal profiles, behavior and customer habits. We use this information e.g. to target marketing and to develop our services.

The basis of processing personal data is (i) our legitimate interest (e.g. marketing and customer relationship management); (ii) to perform a contract; (iii) to fulfil our legal obligation and/or (iv) consent.

4. What data do we process?

We process the following personal data in connection with the customer relationship:

5. How we process personal data on our website and social media channels?

We utilize cookies on our websites (e.g. http://www.m-files.com/). Find out more about the cookies used and manage your preferences from our Cookie Notice.

We track service usage and behavior on our web pages (use cookies) for service development and to offer you better service and customer experience. We also utilize the data for marketing and internal development.


Like many websites, we use “cookie” technology to collect additional website usage data and to improve the web site and our services. We also utilize the data for marketing purposes. A cookie is a small data file that we transfer to your device’s hard disk. M-Files may use both session cookies and persistent cookies to better understand how you interact with the web site, to monitor aggregate usage by our users and web traffic on the site, and to improve the site and related services. A session cookie enables certain features of the site and is deleted from your device when you disconnect from or leave the site. A persistent cookie remains after you close your browser and may be used by your browser on subsequent visits to the site. Persistent cookies can be removed by following your web browser help file directions. Most Internet browsers automatically accept cookies. You can instruct your browser, by editing its options, to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit.

Google Analytics and Other Third Party Analytics Providers

We use Google Analytics for web usage tracking. Google Analytics collects and stores data on your use of the services, including but not limited to; time of visit, site pages visited or opened and for how long are they used, the Internet Protocol (IP) address and information on the device used to access the site.

We also use the following Google Analytics Advertising Features:

The user can block the use of Google Analytics for usage tracking by installing a browser add-on that blocks its use (see instructions here). This browser add-on prevents JavaScript used by Google Analytics (ga.js, analytics.js and dc.js) from sending the visitor’s information from the website

We use Marketo, Bizible, 6sense and Uberflip for web usage tracking. These analytics tools collect and store data on your use of the services, including but not limited to; time of visit, site pages visited or opened and for how long are they used, the Internet Protocol (IP) address and information on the device used to access the site.  The user can block the use of analytics tools for usage tracking by installing a browser add-on that blocks its use. This browser add-on prevents JavaScript used by analytics tools (ga.js, analytics.js and dc.js) from sending the visitor’s information from the website.

We may also use other third party data analytics service providers. These service providers may use cookies, web beacons and other technologies to collect information about your use of the services. Analytics service providers enable us to collect, monitor and analyze data regarding the use of the services, in order to understand how users use the services and to increase the functionality and user-friendliness of the services, as well as to better tailor the services to users’ needs. Accordingly, some automatically collected data is shared with third party service providers, who have their own privacy notices/policies applicable to their operations.

Social media channels and targeted advertisement

Using these cookies allows us to make the content of the website as individually customized as possible, and thereby show e.g. targeted advertisement and content based on the user’s prior behavior. M-Files uses advertisement cookies managed by third parties in order to present its products both on its own website and on the sites of third parties. You can disable some of the third party advertisement cookies from their site settings.

The M-Files website may include links and connections to third party websites, products and services as well as so-called community plug-ins of third parties (such as Facebook, Instagram, LinkedIn, YouTube, Twitter and TrustRadius). Third party plug-ins integrated into the M-Files website are loaded from third party servers and thus the third party may install their own cookies on the user’s device. The third party services and applications offered on the M-Files website are subject to the privacy policies or notices of such third parties. We recommend that you familiarize yourself with those third party privacy policies or notices.

6. M-Files product usage and performance data

We use different technologies to gather usage and performance data from your M-Files products and services. We use technologies for storing and honoring your preferences and settings, enabling you to sign in, analyzing how our products perform, and fulfilling other legitimate purposes.

In analyzing how our products perform, data relating to your use of M-Files product may be collected to assess the use of M-Files product at the level of your organization. While such data may allow M-Files to identify you on the basis of other available information, the data is pseudonymized and highly secured, and not used for actively identifying individuals, profiling individuals or for any other purpose inconsistent with what is set out above.

If your organization (employer) provides you with access to M-Files products, your use of the M-Files products is subject to your organization’s policies, if any. The usage data may be shared by M-Files in aggregated form with your organization (employer), who will process such data as a separate data controller. You should direct your privacy inquiries concerning such or any other processing of your personal data by your organization, including any requests to exercise your data protection rights, to your organization’s administrator. When you use features in M-Files products, other users in your network may see some of your activity. To learn more about the features and other functionality, please review documentation or help content specific to the M-Files product. M-Files is not responsible for the privacy or security practices of our customers, which may differ from those set forth in this privacy statement.

7. Service specific information on processing of personal data in M-Files add-ons

Personal data is processed for the following purposes and using the following services:

M-Files for Google Workspace

M-Files for Google Workspace is an add-on that is separately sold and installed to customers. It integrates M-Files service and Google Workspace seamlessly together and allows users to save copies of e-mail and attachments from Gmail and files from Google Drive to M-Files for long-term preservation. The add-on is configured and used by the M-Files’ customers. Only the person(s) defined by the customer/user have access to the e-mails and documents that users save to M-Files.
This integration requires read and write access to Gmail and read rights to Google Drive. When a user saves an e-mail to M-Files service, the add-on uses write access to add a label to the e-mail in Gmail. Otherwise, the add-on uses only read access to save e-mails and documents from Gmail and Google Drive to M-Files service.

Regarding all the data content in the Google Workspace and M-Files service, M-Files’ customer is data controller and M-Files is data processor. Information about personal data processing are shown in the privacy policies or notices of each M-Files’ customer. If the M-Files’ customer decides to integrate Google Workspace to M-Files service, M-Files needs to process Customer’s contact persons’ (e.g. main user) contact information (such as e-mail address and name) as a data controller. This personal data is processed only for the purpose to operate M-Files to Google Workspace service.

8. From where do we receive data?

We receive information primarily from the following sources: yourself, population register, authorities, credit information companies, channel partners, contact information service providers and other similar reliable sources.

For the purposes described in this Privacy Notice, personal data may also be collected and updated from publicly available sources and based on information received from the authorities or other third parties within the limits of the applicable laws and regulations. Such updating of data is performed manually or by automated means.

9. To whom do we disclose data, and do we transfer data outside the EU or the EEA?

We don’t disclose your personal data to external parties except we may disclose it to our subsidiaries and affiliates, or a subsequent owner, co-owner or operator of the Services and their advisors in connection with a corporate merger, consolidation, restructuring, the sale of substantially all of our stock and/or assets, or in connection with bankruptcy proceedings, or other corporate reorganization. M-Files may sell, transfer or otherwise share some or all of its assets, including your personal data, in connection with a merger, acquisition, reorganization or sale of assets or in the event of bankruptcy.

We use subcontractors that process personal data on our behalf. We share your personal data as necessary to complete any transaction or provide any service you have requested. We share data within M-Files group to our subsidiaries and affiliates; with trusted third parties to process personal data and provide services on behalf of M-Files, including hosting and maintenance, customer relationship, customer support, database storage and management, and sales and marketing of M-Files products and services. Usage data concerning the M-Files product may be shared with your organization (M-Files’ customer) in an aggregated form.

We transfer personal data outside the EU/EEA. When personal data is processed outside the EU/EEA, we make sure that the recipient (sub-contractor or subsidiary) of the data has committed to use the EU Commission’s standard contractual clauses or provide other appropriate safeguards as described in Article 46 of the GDPR.

10. How do we protect the data and how long do we store them?

Only those of our employees, who on behalf of their work are entitled to process customer data, are entitled to use the system containing personal data. Each user has a personal username and password to the system. The data is collected into databases that are protected by firewalls, passwords and other technical measures. The databases and their backup copies are in locked premises and can be accessed only by certain pre-designated persons.

The personal data we collect are retained for the period necessary to fulfil the purposes outlined in this Privacy Notice unless a longer retention period is required by law, or we need it to protect our legal rights. Thereafter, the personal data will be deleted within a reasonable timeframe or rendered anonymous.

We estimate the need for data storage regularly, taking into account the applicable legislation. In addition, we take care of such reasonable actions that ensure no incompatible, outdated or inaccurate personal data is stored taking into account the purpose of the processing. We correct or erase such data without delay.

11. What are your rights as a data subject?

You have the right to inspect the personal data stored concerning yourself and the right to demand rectification or erasure of the inaccurate, outdated, unnecessary and unlawful data. If you have access to your data, you may edit the data yourself. Insofar as the processing is based on consent, you also have the right to withdraw or change your consent. Withdrawing your consent does not affect the lawfulness of processing before the withdrawal of the consent.

You have the right to object or to demand restriction of the processing of your data and to lodge a complaint with the supervisory authority.

On grounds relating to your particular situation you also have the right to object other processing activities when the legal basis of processing is legitimate interest. In connection with your request, you shall identify the specific situation, based on which you object to the processing. We can refuse the request of objection only on legal grounds.

12. Children’s privacy

Our services are not directed to children and we do not intend to collect personal data from children. We ask you not to use the services and not to provide any information about yourself to us if you are below the age, defined in your jurisdiction, requiring parental consent or authorization for processing of personal data.

13. Who can you be in contact with?

All contacts and requests concerning this Privacy Notice should be submitted in writing to the address mentioned in section two (2) “Contact information for privacy matters”.