Koll Service Terms of Use and Privacy Policy
1. Introduction and Scope
This Privacy Policy describes how Koll Group Oy (“Koll,” “we,” “us,” or “the Service Provider”) processes personal data when you use the Koll service, including the Koll app, related portals, websites, and communication channels.
This policy applies to both consumers (B2C) and business customers and their employees (B2B).
The processing of personal data is carried out in accordance with the General Data Protection Regulation of the European Union (EU 2016/679, GDPR) and, where applicable, the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).
We also comply with Finnish data protection and cybersecurity legislation (Act 124/2025).
Koll Group is committed to processing personal data in a lawful, transparent, and secure manner in all its operations—regardless of whether the user is located in Finland or in another EU member state.
2. Data Controller and Contact Information
Koll Group Oy
Business ID: 3410913-5
Joensuunkatu 7, 24100 Salo, Finland
Email: email@kollapp.com
Website: www.kollapp.com
Koll Group Oy acts as the data controller and is responsible for ensuring compliance with the GDPR in all Koll services and solutions.
Koll may operate in multiple markets either directly or through its subsidiaries. If necessary, Koll may appoint a local data protection representative in accordance with Article 27 of the GDPR.
In addition, Koll’s subsidiaries or local representatives may act on behalf of the Group in certain markets.
All such entities agree to comply with this Privacy Policy and applicable national laws.
For any questions regarding data protection, please contact our data protection team at email@kollapp.com.
3. Categories of personal data
Koll processes only the personal data necessary to provide the service and manage the customer relationship.
Information may be collected directly from the user, in connection with the use of the service, or automatically through technical logs.
User profile information:
Name, title, username, email address, phone number, city.
Usage data:
Call history (time, parties involved, duration, subject, and notes), number of calls and messages, support requests, and communication history.
Technical data:
IP address, device type, operating system, browser information, cookies, and other similar identifiers.
Organizational information (B2B):
Company name, contact person, job title, and contact information.
Koll does not process special categories of personal data (GDPR Article 9) nor does it store the content of calls or messages. Log data functions similarly to telecommunications operators’ metadata—it is used to ensure the functionality and security of the service, not to monitor the content of messages.
4. Purposes of processing and legal bases
Koll processes personal data only for specified and lawful purposes. Processing is always based on at least one of the legal grounds set forth in Article 6 of the GDPR.
Service provision and user management:
Art. 6 (1)(b) – performance of a contract
Customer Service and Communications:
Art. 6 (1)(b), (f) – Contract and Legitimate Interest
Security and fraud prevention:
Art. 6 (1)(f)
Billing and Contract Management (B2B):
Art. 6 (1)(c) – Legal Obligation
Service development and analytics:
Art. 6 (1)(f)
Compliance with legislation:
Art. 6 (1)(c)
5. Data Retention and Deletion
Koll retains personal data only for as long as necessary to fulfill the purposes described in this privacy policy or as required by law.
User profile data is deleted when the user account is closed. Support requests and communication history are retained for up to 24 months after the last contact. B2B billing data is retained for six years in accordance with accounting legislation.
Call logs are stored as technical records to ensure the security of the service. Once the retention periods expire, the data is securely deleted or anonymized.
6. Data Transfers and Data Security
Koll carefully protects all personal data and processes it only in secure environments. All data is primarily stored within the EU or the EEA.
Any transfers outside the EU or the EEA will be made only on the basis of legally approved safeguards (SCC, DPF).
Our information security model is based on the principle of “Security by Design & Default,” which includes robust access control, encryption, logging, continuous monitoring, incident management, and backups.
All data security incidents are addressed immediately and, if necessary, reported to the supervisory authority within 72 hours.
7. Rights of the Data Subject
Data subjects have the following rights under the GDPR:
Access to data (Art. 15)
Rectification of data (Art. 16)
Deletion of data (“right to be forgotten”) (Art. 17)
Restriction of processing (Art. 18)
Data portability (Art. 20)
Right to object (Art. 21)
Withdrawal of consent (Art. 7)
Requests can be sent to email@kollapp.com.
If you believe that your personal data has been processed unlawfully, you may file a complaint with the supervisory authority.
Finland
Office of the Data Protection Ombudsman
P.O. Box 800, 00521 Helsinki
Tel. +358 29 566 6700
tietosuoja@om.fi
www.tietosuoja.fi
Germany
The Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Graurheindorfer Str. 153, 53117 Bonn, Germany
Tel. +49 (0)228 997799-0
poststelle@bfdi.bund.de
www.bfdi.bund.de
(Users can also contact their state’s data protection authority.)
Sweden
The Swedish Data Protection Authority (IMY)
Box 8114, 104 20 Stockholm, Sweden
Tel. +46 (0)8 657 61 00
imy@imy.se
www.imy.se
8. Information Security Management
Koll manages information security in a systematic and proactive manner in accordance with Article 32 of the GDPR and the Finnish Cybersecurity Act (124/2025).
Risks are assessed on a regular basis. Communication is encrypted (TLS/SSL), and the servers are located in secure EU/EEA data centers.
Access rights are granted only as needed and are protected by multi-factor authentication.
All employees who handle personal data or other confidential information have signed a confidentiality agreement.
Data security incidents are investigated immediately and, if necessary, reported to the authorities within 72 hours.
Regular backups are maintained, and all partners are evaluated in accordance with Koll’s information security criteria before the start of the partnership.
9. Cookies and Analytics
Koll uses cookies and similar technologies to improve the functionality, security, and analytics of the service.
Cookies are divided into the following categories: essential, functional, analytical, and marketing cookies.
Essential cookies are necessary for the performance of the contract. Other cookies require the user’s consent (Art. 6 (1)(a)).
Users can manage cookies through their browser settings or the service's cookie management tool.
Third-party analytics tools (e.g., Google Analytics, Matomo, Meta Pixel) are used only with the user’s consent, in an anonymized form, and on the basis of appropriate data processing agreements.
10. Disclosure of Information to Third Parties
Koll does not sell or rent personal data. Data may only be disclosed under strictly controlled circumstances:
Processors and service providers:
Trusted partners that provide cloud services, communication tools, billing systems, analytics, and information security services in accordance with Data Processing Agreements (DPAs).
Authorities and disclosures required by law:
Information may be disclosed to authorities when required by law (e.g., taxation, law enforcement, regulation).
Intra-group data transfers:
Within the Koll Group, data may be transferred between subsidiaries for the purpose of providing services or for administrative purposes—all units adhere to the same privacy policy.
Cross-border transfers outside the EU/EEA
Koll primarily stores data within the EU/EEA.
Transfers outside the EU/EEA take place only on the basis of approved safeguards:
European Commission Adequacy Decisions, Standard Contractual Clauses (SCCs), EU–US Data Privacy Framework (DPF)
If data is transferred to service providers whose parent company is located in the United States, Koll assesses the risks associated with U.S. legislation (such as the CLOUD Act and FISA Section 702), which in certain circumstances may allow government authorities to access data stored in the EU.
Koll ensures that such transfers are made only with DPF-certified or SCC-compliant entities and that additional safeguards, such as encryption and pseudonymization, are in place to prevent the identification of personal data without a separate key.
Koll will not transfer personal data to countries where the level of data protection is insufficient unless the user has given their explicit and informed consent.
11. Minors
Koll’s services are primarily intended for adults and business users. If a user is under 16 years of age, parental consent is required to use the service.
Koll does not knowingly collect information from minors without proper consent.
If such information is detected, it will be immediately removed and the user account will be closed. Parents or guardians may request to review or delete their child’s information by contacting email@kollapp.com.
12. Changes to this Privacy Policy
Koll may update this Privacy Policy as its operations, services, or applicable laws change.
All updates are documented and comply with applicable laws and regulations.
Significant changes will be announced in the app, via email, or by posting an update at www.kollapp.com/privacy.
The new version will take effect upon publication, unless otherwise noted.
Last updated: October 9, 2025
13. Contact Us Regarding Data Protection Matters
For any questions regarding the processing of personal data or data protection, please contact:
Koll Group Oy
Joensuunkatu 7, 24100 Salo, Finland
Email: email@kollapp.com
Website: www.kollapp.com
Requests regarding access, correction, deletion, portability, or other GDPR rights may be sent to the address above.
Koll responds to requests without undue delay and within the time limits required by law.
If Koll appoints a Data Protection Officer (DPO), their contact information will be published on this page and users will be notified separately.