I'm worried about what my antivirus reads on my device

Antivirus software requires deep system access to function — it reads files before they execute, monitors process behavior, and inspects network traffic. That access is structurally inseparable from how it works. The question isn't whether AV reads your files (it does, as a functional requirement), but what it does with what it reads: what's transmitted to company servers, who those servers are subject to, and what the company's documented data practices are.

Quick answer

  • Want AV with the strongest documented privacy posture: F-Secure — explicit no-data-selling policy, minimal telemetry (security events only), Finnish company under EU GDPR, annual transparency report
  • Want strong protection with EU jurisdiction, standard telemetry: Bitdefender — Romanian company, EU GDPR framework, telemetry collected but no documented data-selling practice
  • Concerned about Kaspersky specifically: The concern is justified — Russian corporate jurisdiction, US consumer sales banned September 2024, German BSI advisory; switch to F-Secure or Bitdefender if trust is the primary driver

When it matters

  • Threat telemetry — file hashes, detection events, and malware samples are sent to company servers in most products; this is how cloud-based threat databases are maintained and is functionally necessary
  • Behavioral data — some products collect data about how you use applications, which sites you visit, and what files you access; this goes beyond threat detection into behavioral profiling
  • Affiliate data sharing — US-based companies with advertising relationships may share data with affiliates under opt-out models documented in privacy policies but not prominently disclosed
  • Jurisdiction — where the company is incorporated determines which government can compel data disclosure; EU, US, and Russian frameworks have materially different implications

The privacy policy is the ground truth for what a product claims to collect and share. Annual transparency reports, where published, document actual data requests from law enforcement. Products that publish neither and operate in high-risk jurisdictions are the ones where concern is most warranted.

When it fails

  • Privacy policies describe what companies are permitted to do, not necessarily what they do — there's no technical enforcement of stated policies
  • No independent audit of data collection practices exists for most consumer AV products; claims about telemetry minimization are self-reported
  • Jurisdiction changes — a company can be acquired, restructure corporate ownership, or be subject to new legal frameworks after you've installed their software

The practical approach is to favor products from companies with explicit, documented, auditable commitments — not just favorable-sounding privacy policies. Transparency reports, EU GDPR compliance with enforcement teeth, and no documented data-monetization incidents provide a more durable basis for trust than marketing language alone.

How providers fit

F-Secure fits if privacy of the software itself is the primary selection criterion. Explicit no-data-selling policy documented in the privacy policy. Telemetry limited to security event data — not behavioral profiling. Finnish company, EU GDPR jurisdiction, NATO member state. Annual transparency report documents data requests from law enforcement. Positioned toward enterprise and public-sector clients in Nordic markets, which implies higher trust scrutiny.

Bitdefender fits if you want strong protection with EU jurisdiction and a cleaner data posture than US-based providers. Romanian company operating under EU GDPR. No documented data-selling practice. Telemetry is collected for threat intelligence purposes but not shared with advertising affiliates. A reasonable choice when detection quality and EU data framework are both requirements.

Norton is the comparison point for US jurisdiction with broader data practices. Gen Digital (US) — Five Eyes jurisdiction, US government data access laws apply. Privacy policy permits data sharing with affiliates under an opt-out model. Extensive telemetry collection compared to EU-based providers. Not the privacy-first choice, but transparent about its practices in a way that allows an informed decision.

Bottom line

F-Secure for one of the strongest documented privacy-oriented positions in the category. Bitdefender if detection quality alongside EU jurisdiction is the balance. Avoid Kaspersky if trust in the vendor is a concern — Russian corporate jurisdiction and multiple Western government advisories are facts, not speculation. Norton is a reasonable general-purpose product; its data practices are the most permissive in this group and that's worth knowing.

Where to go next

  • F-Secure: Finnish privacy-first antivirus — no telemetry selling, no data games (Review)
  • Bitdefender: The most consistent detection rates with low-friction automation (Review)
  • Norton: Broad protection suite with identity monitoring and VPN bundled in (Review)