Privacy Policy
Last updated: June 05, 2026
1. Introduction
PhishShield ("we", "us", "our") operates the PhishShield security awareness and phishing simulation platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, including our website, APIs, and related services.
2. Information We Collect
2.1 Account Information
When you register or are added by your organization administrator, we collect:
- Name, email address, and job title
- Organization name and department
- Role and permission level within the platform
2.2 Simulation & Training Data
As part of phishing simulation campaigns, we collect:
- Email interaction data (opens, clicks, reports)
- Training module completion and quiz scores
- Phishing report submissions
- Risk scores and awareness metrics
2.3 Technical Data
We automatically collect:
- IP address and approximate geolocation
- Browser type, device type, and operating system
- Timestamps of interactions
2.4 Geolocation Data
When employees interact with phishing simulations, we collect IP-based geolocation data to provide geographic analytics and help identify suspicious access patterns.
3. How We Use Your Information
- To operate and deliver phishing simulations and security awareness training
- To generate risk scores, analytics, and compliance reports for your organization
- To detect and filter bot activity for accurate campaign metrics
- To award gamification points and track training progress
- To improve our platform's threat detection capabilities
- To communicate service updates and security alerts
4. Data Sharing & Disclosure
We do not sell your personal information. We may share data with:
- Your organization administrators — Campaign results, risk scores, and training progress are visible to authorized administrators within your organization
- Service providers — Trusted third parties that help us operate the platform (hosting, email delivery, analytics)
- Legal requirements — When required by law, regulation, or legal process
5. Data Retention
We retain simulation and training data for the duration of your organization's subscription plus 90 days. Credential capture data from simulations is hashed and automatically purged according to your organization's configured data retention policy. You may request earlier deletion at any time.
6. Data Security
We implement industry-standard security measures including:
- Encryption in transit (TLS) and at rest
- Credential hashing — captured simulation credentials are hashed, never stored in plaintext
- Role-based access control with organization-level isolation
- Regular security audits and monitoring
- Soft deletion for data recovery
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (right to be forgotten)
- Export your data in a portable format
- Withdraw consent where processing is consent-based
Organization administrators can manage data export and deletion requests through the GDPR settings in the platform. Individual users may contact their organization administrator or reach out to us directly.
8. Cookies & Tracking
Our platform uses essential cookies for authentication and session management. Phishing simulation tracking uses unique tracking identifiers (not cookies) to measure campaign interactions. We do not use third-party advertising trackers.
9. International Data Transfers
Your data may be processed on servers located outside your country of residence. We ensure appropriate safeguards are in place for any cross-border data transfers in compliance with applicable data protection laws.
10. Children's Privacy
PhishShield is designed for enterprise use and is not intended for individuals under the age of 16. We do not knowingly collect data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or platform notification. Continued use of the platform after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
PhishShield Privacy Team
Email: [email protected]