Privacy Policy (2025)

1. Introduction and Scope

This Privacy Policy describes how Koll Group Oy (“Koll,” “we,” “us,” or “the Provider”) processes personal data when you use Koll, including the Koll app, related portals, websites, and communication channels.

This statement applies to both consumers (B2C) and business customers and their employees (B2B).

The processing of personal data is carried out in accordance with the EU General Data Protection Regulation (EU 2016/679, GDPR) and, where applicable, the Federal Data Protection Act (BDSG).

In addition, we comply with applicable Finnish data protection and cybersecurity laws (Act No. 124/2025).

Koll Group is committed to processing personal data in a lawful, transparent, and secure manner—regardless of whether the user is located in Finland, another EU member state, or Germany.

2. Data Controller and Contact Information

Koll Group Oy
Business ID: 3410913-5
Joensuunkatu 7, 24100 Salo, Finland
Email: email@kollapp.com
Website: www.kollapp.com

Koll Group Oy is the data controller under the GDPR and is responsible for all data processing within the Koll services.

Koll may operate in several markets—either directly or through subsidiaries.

If necessary, Koll may appoint a local data protection officer in accordance with Article 27 of the GDPR.

In addition, subsidiaries or local representatives of the Koll Group may operate on behalf of the company in certain countries.

All of these companies are committed to complying with this Privacy Policy and applicable national data protection laws.

For data protection inquiries, please contact email@kollapp.com.


3. Personal Data Processed

Koll processes only the personal data necessary for providing its services and managing customer relationships.

Data may be collected directly from the user, through the use of the service, or automatically via technical logs.

Profile data: Name, Title, Username, Email address, Phone number, City.

Usage data: Call history (time, participants, duration, subject, information entered by the user), number of calls and messages, support requests, and communication history.

Technical data: IP address, device type, operating system, browser data, cookies, and similar identifiers.

Organizational data (B2B): Company name, contact person, position, contact information.

Koll does not process any special categories of personal data (Art. 9 of the GDPR) and does not store the content of calls or messages.

Log data is used exclusively for technical and security-related purposes and not for monitoring content.


4. Purposes and Legal Basis of Processing

Koll processes personal data only for clearly defined and lawful purposes.
The processing is always based on at least one of the legal grounds set forth in Article 6 of the GDPR.

  • Provision and management of the service: Art. 6 (1)(b) – Performance of the contract.

  • Customer Service and Communication: Art. 6 (1)(b), (f) – Contract / Legitimate Interest.

  • Security and Prevention of Abuse: Art. 6 (1)(f).

  • Billing and Contract Management (B2B): Art. 6(1)(c) – legal obligation.

  • Development and analysis of the service: Art. 6(1)(f).

  • Marketing and Newsletters: Article 6(1)(a) – Consent.

  • Legal obligations: Art. 6(1)(c).

5. Retention Period and Deletion

Koll retains personal data only for as long as is necessary for the purposes mentioned above or as required by law.

Profile data is deleted when the account is closed; support requests and communications are stored for a maximum of 24 months; B2B billing data is retained for six years in accordance with the Accounting Act.

Call logs are stored as technical security data.

Once the retention periods have expired, the data will be securely deleted or anonymized.


6. Data Transmission and Data Security

Koll carefully protects all personal data and processes it exclusively in secure environments.

All data is stored within the EU/EEA.

Transfers outside the EU/EEA are made only under legally recognized safeguards (SCC, DPF).

Data security is based on the principle of "security by design and default": strong access controls, encryption, logging, monitoring, incident management, and regular backups.

Security incidents are addressed immediately and, if necessary, reported to the supervisory authority within 72 hours.


7. Rights of Data Subjects

Data subjects have the following rights under the GDPR:

  • Right of access (Art. 15)

  • Right to Rectification (Art. 16)

  • Right to erasure – “Right to be forgotten” (Art. 17)

  • Right to restriction of processing (Art. 18)

  • Right to data portability (Art. 20)

  • Right to object (Art. 21)

  • Right to Withdraw Consent (Art. 7)

Please direct inquiries to email@kollapp.com.

If you believe that your data has been processed unlawfully, you can contact a supervisory authority:

Germany:
The Federal Commissioner for Data Protection and Freedom of Information (BfDI),
Graurheindorfer Str. 153, 53117 Bonn, Tel. +49 (0)228 997799-0, poststelle@bfdi.bund.de, www.bfdi.bund.de

Finland:
Data Protection Authority (Office of the Data Protection Ombudsman), P.O. Box 800, 00521 Helsinki, Tel. +358 29 566 6700, tietosuoja@om.fi, www.tietosuoja.fi

Sweden:
Swedish Data Protection Authority (IMY), Box 8114, 104 20 Stockholm, Tel. +46 (0)8 657 61 00, imy@imy.se, www.imy.se


8. Information Security

Koll ensures information security in a systematic and proactive manner in accordance with Article 32 of the GDPR and the Finnish Cybersecurity Act (124/2025).

Risks are assessed on a regular basis; data transfers are encrypted (TLS/SSL); servers are located in secure data centers within the EU/EEA.

Access rights are granted only as needed and are protected by multi-factor authentication.

All employees who process personal or confidential data as part of their duties have signed a confidentiality agreement.

Security incidents are investigated immediately and, if necessary, reported within 72 hours.

Regular data backups are performed, and partners are screened for security compliance before entering into a partnership.


9. Cookies and Analytics

Koll uses cookies and similar technologies to improve functionality, security, and analytics.

Cookies are categorized into essential, functional, analytical, and marketing cookies.

Essential cookies are based on contractual necessity; all others require the user’s consent (Art. 6 (1)(a)).

Users can manage cookies through their browser settings or using Koll's cookie tool.

Third-party tools (e.g., Google Analytics, Matomo, Meta Pixel) are used only with consent, in anonymized form, and on the basis of data processing agreements (DPAs).


10. Disclosure of Data to Third Parties

Koll does not sell or rent out personal data.

Data will only be disclosed in controlled and legally permissible cases.

Data processors and service providers: Trusted partners who provide cloud, communications, billing, analytics, and security services based on data processing agreements (DPAs).

Authorities: Data may be disclosed to authorities if required by law.

Within the Group: Data may be shared among subsidiaries within the Koll Group; all entities adhere to the same privacy policy.

Cross-border data transfers outside the EU/EEA:
Koll primarily stores data within the EU/EEA.
Transfers outside the EU/EEA are only carried out under recognized safeguards:

  • European Commission's adequacy decision,

  • Standard Contractual Clauses (SCC) or

  • EU–US Data Privacy Framework (DPF).

When data is transferred to providers whose parent company is based in the United States, Koll assesses the risks associated with U.S. laws (such as the CLOUD Act and FISA Section 702), which may allow U.S. authorities to access data in certain cases, even if it is stored in the EU.

Koll ensures that such transfers are made only to DPF-certified or SCC-compliant partners and that additional safeguards, such as encryption and pseudonymization, are implemented.

Koll does not transfer personal data to countries without an adequate level of data protection without the user’s express and informed consent.


11. Minors

The Koll Services are primarily intended for adult and business users. If a user is under 16 years of age, the consent of a parent or legal guardian is required.

Koll does not knowingly collect data from minors without valid consent.

If such data becomes known, it will be deleted immediately and the account closed.

Parents or legal guardians can request access to or deletion of their child’s data via email@kollapp.com.


12. Changes to this Privacy Policy

Koll may update this Privacy Policy if there are changes to its business operations, services, or legal requirements.

Significant changes will be communicated via the service, by email, or by posting on www.kollapp.com/privacy.

Unless otherwise specified, the new version takes effect upon publication.

Last updated: October 9, 2025


13. Contact for Data Protection Inquiries

For any questions or inquiries regarding data protection, please contact:

Koll Group Oy
Joensuunkatu 7, 24100 Salo, Finland
E-mail: email@kollapp.com
Website: www.kollapp.com

Requests regarding access, rectification, erasure, data portability, or other rights under the GDPR will be processed without undue delay and within the statutory time limits.

If Koll appoints a Data Protection Officer (DPO), the DPO’s contact information will be published on this page and communicated to the data subjects.


Date of revision: December 4, 2025