Effective February 1, 2024
We care about your privacy
We will give you additional privacy information that is specific to a product or service in the Supplements to this Policy and other notices you may see while using our products or services. If there is a difference between such Supplements or notices and this Policy, the Supplements and notices should be considered first.
Please take a moment to familiarise yourself with our Policy and let us know if you have any questions.
What information do we collect?
Information you provide us. When you make a purchase, use or register our products and services, create an account, take part in campaigns or programmes and otherwise interact with us, we collect information such as your name, email address, phone number, street address, age, language, user names and passwords, feedback, information relating to your devices and payments. This includes, for example, data concerning the activation of your device, positioning and location data, data collected in connection with user experience and developer programmes, data needed for account creation, information relating to your communications and interactions, purchase and other transaction data, credit data as well as online identifiers from our websites and online services. We also maintain records of your consents, preferences and settings relating to, for example, location data, marketing and sharing of personal data.
We process various technical details and identifiers such as IMEIs, MACs, S/Ns and UUIDs etc. which are not considered personal data unless a person can be identified by HMD based on the data by means reasonably likely to be used.
Information we receive from third-party sources. We receive certain information from third-party social network services, for example, when you log in to your account by using your social network account login details. See our My Account Supplement for more information.
Why do we process personal data?
We process your personal data for the following purposes. One or more purposes may apply simultaneously.
What are the bases for this processing?
We process your personal data only when it is lawful to do so. The processing is based on the following legal grounds:
Contract. Processing of your personal data is necessary for the performance of a contract between you and HMD. We use your personal data to provide you with our products and services and to ensure their functionality and security. If you do not provide us with the necessary information, it may mean that we are not able to provide the product or service to you. Contract is the basis for the processing, for example, when
Legitimate interest. We process personal data when it is necessary for the purposes of legitimate interests pursued by HMD. Legitimate interest refers to an interest which is lawful and important for HMD. In processing activities based on legitimate interest, your rights are taken into account and balanced with the interests of HMD. You may obtain more information on the balancing tests by contacting us. You have the right to object to processing based on legitimate interest. Read more about your rights and how to contact us in the section, 'What are your rights?'. Legitimate interest is the basis for the processing, for example, when
Consent. Processing of your personal data can be based on your consent. In these situations, we ask for your consent before your personal data is processed. Giving consent is always voluntary and you have the possibility to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal. We maintain records of your consents, preferences and settings relating to, for example, marketing, location data and sharing of personal data. Consent is the basis for the processing in the following situations.
Legal obligation. HMD may need to process your personal data to comply with legal requirements to which HMD is subject. HMD may have, for example, a legal obligation to disclose your personal data to the authorities when requested, and to screen sanctions.
Do we share personal data?
We do not sell, lease or rent your personal data to third parties. We share your information internally within our company, but only to those who need it to provide you with the products and services or to respond to your requests. Further, we share your personal data with service providers and third parties in the following situations, and only to the extent necessary for the purposes described in this Policy.
HMD service providers and authorised third parties. We share your personal data with our service providers which we have carefully selected to supply services for us or on our behalf, such as companies that help us with repairs, customer service and support, electronic commerce, data storing, managing and analysing customer data, and conducting research, advertising or billing through your network service provider or otherwise. These service providers are not permitted to use your personal data for any other purposes. We require them to act consistently with this Policy and to use appropriate security measures to protect your personal data.
We can also disclose your personal data with our business partners with whom we work to provide you with the products and services that you have purchased or requested. The partners we have partnered up with include payment service providers to allow electronic payment methods, online financial service providers to offer financing for your purchases, service providers to help us with credit check and fraud detection, logistics service providers to provide smooth delivery and return of your purchases and social network services for account login. These business partners process your personal data for their own purposes and according to their own terms and privacy policies, which we recommend you to check carefully. For example, in order to offer you Klarna’s payment methods, we pass your contact and order details to Klarna at checkout, in order for Klarna to assess whether you qualify for their payment methods, and to tailor those payment methods for you. In such case, your personal data is transferred and processed in line with Klarna’s own privacy notice.
Marketing. We may share your personal data with our marketing partners, for example to manage marketing campaigns. We may conduct joint marketing and other communications with our partners. Our marketing partners are not permitted to use your personal data for any other purposes. We require them to act consistently with this Policy and to use appropriate security measures to protect your personal data.
International transfers of personal data. The main location of the data is in the EU/EEA and the data is hosted on cloud platforms. Due to service performance and localisation requirements, providing our products and services requires also using resources and servers located in various countries and regions around the world, including the European Union, United States of America, Singapore and China. Therefore, your personal data may be transferred across international borders outside the country where you use our products and services, including to countries outside the European Economic Area (EEA) that do not have laws providing specific protection for personal data or that have different legal rules on data protection. In such cases, we ensure that there is a legal basis for such a transfer and that adequate protection for your personal data is provided as required by applicable law, especially by using the European Commission’s Standard Contractual Clauses of 2021, and by requiring the use of other appropriate technical and organisational information security measures. You may obtain more information on the transfer safeguards by checking the relevant Supplement or by contacting us.
Mandatory disclosures. We may be obligated by mandatory law to disclose your personal data to certain authorities or other third parties, for example, to law enforcement agencies in the countries where we or third parties acting on our behalf operate. We may also disclose and otherwise process your personal data in accordance with applicable law to defend HMD’s legitimate interests, for example, in civil or criminal legal proceedings.
Mergers and Acquisitions. If we decide to sell, buy, merge or otherwise reorganise our businesses in certain countries, this may involve us disclosing personal data to prospective or actual purchasers and their advisers, or receiving personal data from sellers and their advisers.
How do we address the privacy of children?
HMD products and services are typically intended for general audiences. We acknowledge that our customers may include children. We hope that guardians will discuss the processing of personal data with their children. In case you have any questions concerning the way children’s personal data is processed within HMD’s services or products, we are happy to provide additional information and answer any questions.
What steps are taken to safeguard personal data?
Privacy and security are key considerations in the creation and delivery of our products and services. We have assigned specific responsibilities to address privacy and security-related matters. We enforce our internal policies and guidelines through an appropriate selection of activities, including proactive and reactive risk management, security and privacy engineering, training and assessments. We take appropriate steps to address online security, physical security, risk of data loss and other such risks taking into consideration the risk represented by the processing and the nature of the data being protected. Also, we limit access to our databases containing personal data to authorised persons having a justified need to access such information.
How long is the data retained?
We take reasonable steps to keep the personal data we possess accurate and to delete or de-identify unnecessary personal data.
Retention periods vary depending on the type of data and the service or product in question. The retention time of your personal data is determined in accordance with the following criteria:
|What personal data is being retained?
|How long is the data retained?
|Device activation data
|6 months after the device has been activated.
|User Experience Programme data
|12 months after the data is collected.
|As long as the account is active and 30 days after the account has been deleted or service unsubscribed. Inactive accounts which have not been used are deleted after 48 months unless the account is reactivated.
|Communication and interaction data
|Customer support: 5 years after the last correspondence between the customer and the customer support. Customer support: 5 years after the last correspondence between the customer and the customer support. Subscription-related communication: 12 months after the end of a subscription agreement.
|Purchase and transaction data
|Purchase and transaction data are retained for 6 years after the purchase or subscription start date or 1 year after the end of the subscription, whichever is the latest.
|Your credit score is retained for 6 years after the subscription.
|Email addresses: 30 days after the user has unsubscribed from the mailing list.
Personal data may be retained for longer than indicated above in a singular case when it is actively processed for a compelling purpose, such as legal claims. In such cases, the personal data is disposed as soon as it is no longer needed for the specific purpose.
What are your rights?
You have a right to know what personal data we hold about you as specified below. You have a right to have incomplete, incorrect or outdated personal data completed or updated. In certain cases, you have a right to erasure, restriction or data portability, or to object to processing of your personal data. You also have a right to withdraw your consent at any time. You may exercise your rights by managing your account and choices through available profile management tools on your device and our services, or by contacting us. In some cases, especially if you wish us to delete or stop processing your personal data, this may also mean that we may not be able to continue to provide the services to you.
If you cannot use your rights directly through the HMD products and services you use, you can contact us via
Who is the controller of your personal data?
HMD Global Oy is the controller of your personal data when the personal data is processed in connection with our products and services. Our Data Protection Officer is Jari Koljonen.
In matters pertaining to HMD’s privacy practices, you may also contact us at:
HMD Global Oy, c/o Privacy, Bertel Jungin aukio 9, 02600 Espoo, Finland
Our products or services may contain links to other companies’ websites and services that have privacy policies of their own. All links to such websites and services are provided for your convenience only. Before submitting your personal data to third parties, HMD recommends taking a moment to familiarise yourself with these third-party privacy policies.
HMD may from time to time update this Policy to reflect changes in our personal data processing practices with respect to our products and services, or applicable law. We will also indicate when this Policy was last updated at the top of this Policy. We seek to inform you personally of all significant changes to this policy by email or by other notification mechanisms.
You can find previous versions of this document here: