Koll Service Terms and Data Protection Guidelines

1. Introduction and Scope

This Privacy Policy explains how Koll Group Oy (“Koll”, “we”, “us”, or “the provider”) processes personal data when you use Koll, including the Koll App, related portals, websites, and communication channels.

The Policy applies to both consumer users (B2C) and business customers and their employees (B2B).

Data processing is carried out in accordance with the EU General Data Protection Regulation (EU 2016/679, GDPR) and, where applicable, the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).

We also comply with Finnish data-protection and cybersecurity legislation (Act 124/2025).

Koll Group is committed to processing personal data lawfully, transparently, and securely across all its operations — regardless of whether the user is located in Finland or another EU Member State. 

2. Data Controller and Contact Details

Koll Group Oy
Business ID: 3410913-5
Joensuunkatu 7, 24100 Salo, Finland
Email: email@kollapp.com
Website: www.kollapp.com

Koll Group Oy is the data controller responsible for compliance with the GDPR in all Koll services and solutions.

Koll may operate in multiple markets directly or through subsidiaries. When required, Koll may appoint a local data-protection representative in accordance with Article 27 GDPR.

Additionally, Koll’s subsidiaries or local representatives may act on behalf of the Group in specific markets.

All such entities commit to following this same Privacy Policy and applicable national laws.

For any privacy-related inquiries, please contact our data-protection team at email@kollapp.com.

3. Categories of Personal Data

Koll processes only personal data necessary for service provision and customer relations.

Data may be collected directly from the user, through service usage, or automatically via technical logs.

User profile data: name, title, username, email, phone number, city.

Usage data: call history (time, participants, duration, topic, and notes), number of calls and messages, support requests and correspondence history.

Technical data: IP address, device type, operating system, browser data, cookies, and similar identifiers.

Organisational data (B2B): company name, contact person, position, and contact details.

Koll does not process special categories of personal data (Article 9 GDPR) and does not store call or message contents.

Log data functions similarly to telecom metadata: it is used for functionality and security, not for content monitoring.


4. Purposes and Legal Bases for Processing

Koll processes personal data only for defined, lawful purposes. Processing is always based on at least one of the legal bases under Article 6 GDPR.

  • Service delivery and user management: Art. 6 (1)(b) – performance of a contract.

  • Customer service and communication: Art. 6 (1)(b),(f) – contract and legitimate interest.

  • Security and fraud prevention: Art. 6 (1)(f).

  • Billing and contract administration (B2B): Art. 6 (1)(c) – legal obligation.

  • Service development and analytics: Art. 6 (1)(f).

  • Legal compliance: Art. 6 (1)(c).

5. Data Retention and Deletion

Koll retains personal data only as long as necessary for the purposes described or as required by law.

User-profile data is deleted when the account is closed; support requests and communication history are kept for up to 24 months after the last contact; B2B billing data is retained for six years under accounting law.

Call logs are retained as technical records for service security.

When retention periods expire, data is securely deleted or anonymised.


6. Data Transfers and Security

Koll protects all personal data carefully and processes it only in secure environments.

All data is primarily stored within the EU/EEA.

Any transfers outside the EU/EEA are made only under legally recognised safeguards (SCC, DPF).

Our security model follows the “Security by Design & Default” principle, including strong access control, encryption, logging, continuous monitoring, incident management, and backups.

All security incidents are handled immediately and, when required, reported to the supervisory authority within 72 hours.


7. Data-Subject Rights

Data subjects have the following GDPR rights:

  • Access (Art. 15)

  • Rectification (Art. 16)

  • Erasure (“right to be forgotten”) (Art. 17)

  • Restriction of processing (Art. 18)

  • Data portability (Art. 20)

  • Objection (Art. 21)

  • Withdrawal of consent (Art. 7)

Requests can be sent to email@kollapp.com.
If you believe your data has been processed unlawfully, you may file a complaint with a supervisory authority:


Finland:
Office of the Data Protection Ombudsman
PL 800, 00521 Helsinki, Finland
Tel. +358 29 566 6700, tietosuoja@om.fi, www.tietosuoja.fi

Germany:
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Graurheindorfer Str. 153, 53117 Bonn, Germany
Tel. +49 (0)228 997799-0, poststelle@bfdi.bund.de, www.bfdi.bund.de
(Users may also contact their state-level data-protection authority.)

Sweden:
Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm, Sweden
Tel. +46 (0)8 657 61 00, imy@imy.se, www.imy.se


8. Information Security Management

Koll manages information security systematically and proactively, following Article 32 GDPR and the Finnish Cybersecurity Act 124/2025.

Risks are regularly assessed; communications are encrypted (TLS/SSL); servers are located in secure EU/EEA data centres.

Access rights are granted only on a need-to-know basis and protected by multi-factor authentication.

All employees who handle personal or other confidential data have signed a non-disclosure agreement.

Security incidents are investigated immediately and, if necessary, reported to authorities within 72 hours.

Regular backups are maintained, and all partners are evaluated against Koll’s security criteria before cooperation begins.


9. Cookies and Analytics

Koll uses cookies and similar technologies to enhance functionality, security, and analytics.

Cookies are grouped into necessary, functional, analytical, and marketing categories.

Necessary cookies rely on contractual necessity; others require user consent (Art. 6 (1)(a)).

Users can manage cookies via browser settings or the service’s cookie tool.

Third-party analytics tools (e.g. Google Analytics, Matomo, Meta Pixel) are used only with consent, in anonymised form, and under appropriate data-processing agreements.


10. Sharing of Data with Third Parties

Koll does not sell or rent personal data.
Information may be shared only under strict controls in the following cases:

Processors and service providers: trusted partners providing cloud hosting, communication tools, billing systems, analytics, and security services under Data Processing Agreements (DPAs).

Authorities and legal disclosures: data may be provided to authorities where legally required (e.g. tax, law enforcement, regulatory).

Intragroup transfers: within the Koll Group, data may be transferred between subsidiaries for service delivery or administration — all entities follow the same Privacy Policy.

Cross-border transfers outside the EU/EEA:
Koll stores data primarily within the EU/EEA.
Transfers outside the EU/EEA occur only under recognised safeguards:

  • adequacy decisions by the European Commission,

  • Standard Contractual Clauses (SCC), or

  • the EU–US Data Privacy Framework (DPF).

If data is transferred to service providers whose parent companies are located in the United States, Koll assesses potential risks under U.S. law (such as the CLOUD Act and FISA 702), which may in limited cases allow U.S. authorities to request access to data stored in the EU.

Koll ensures that such transfers are made only to DPF-certified or SCC-compliant entities and implements additional safeguards, such as encryption and pseudonymisation, to prevent identification without a separate key.

Koll does not transfer personal data to countries lacking adequate protection unless the user has given explicit, informed consent.


11. Minors

Koll’s services are primarily intended for adults and business users. If a user is under 16 years of age, parental or guardian consent is required before using the service.

Koll does not knowingly collect data from minors without valid consent.

If such data is discovered, it will be deleted immediately and the account closed.

Guardians may request access to or deletion of a child’s data by contacting email@kollapp.com.


12. Changes to This Privacy Policy

Koll may update this Privacy Policy when operations, services, or laws change.

All updates are documented and compliant with current legislation.

Significant changes will be announced via in-app notices, email, or publication on www.kollapp.com/privacy.

The new version becomes effective upon publication unless stated otherwise.

Last updated: 9.10.2025


13. Contact for Privacy Matters

For any questions or requests related to personal data or privacy, please contact:

Koll Group Oy
Joensuunkatu 7, 24100 Salo, Finland
Email: email@kollapp.com
Website: www.kollapp.com

Requests for access, rectification, deletion, portability, or other GDPR rights can be sent to the above address.

Koll will respond without undue delay and within the time limits set by law.

If Koll appoints a Data Protection Officer (DPO), their contact details will be published on this page and communicated directly to users.

Effective date: 10.11.2025