Updated February 18, 2022
Phishinger takes data privacy seriously. This privacy policy explains who we are, how we collect, share and use Personal Information, and how you can exercise your privacy rights.
We recommend that you read this Privacy Policy in full to ensure you are fully informed. However, to make it easier for you to review the parts of this Privacy Policy that apply to you, we have divided up the document into sections that are specifically applicable to Clients (Section 2), Targets (Section 3), and Visitors (Section 4). Sections 1 and 5 are applicable to everyone.
If you have any questions or concerns about our use of your Personal Information, contact us using the contact details provided at the end of Section 5.
To the extent we provide you with notice of different or additional privacy policies, those policies will govern such interactions.
Phishinger is a security awareness training and testing application ("we," "us," "our," and "Phishinger"). Our Service enables our Customers to, among other things, send and manage security awareness training campaigns to include simulated phishing emails and assign training courses.
In this privacy policy, these terms have the following meanings:
"Affiliate" means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
"Target" is a person a Client may Target through our Service. In other words, a Target is anyone on a Client's Campaign List about whom a Client has given us information or is anyone who has otherwise interacted with a Client via the Service.
"Control" means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term "Controlled" shall be construed accordingly.
"Campaign List" is a list of Targets a Client may upload or manage on our platform and all associated information related to those Targets (for example, email addresses).
"Phishinger Site(s)" has the meaning given to it in our Terms of Service.
"Client" means any person or entity that is registered with us to use the Service.
"Personal Information" means any information that identifies or can be used to identify an individual directly or indirectly. Examples of Personal Information include, but are not limited to, first and last name, date of birth, email address, gender, occupation, or other demographic information.
"Service" has the meaning given to it in our Terms of Service.
"Visitor" means, depending on the context, any person who visits any of our Phishinger Sites, offices, or otherwise engages with us at our events or in connection with our marketing or recruitment activities.
"you" and "your" means, depending on the context, either a Client, a Target, or a Visitor.
This section applies to the Personal Information we collect and process from a Client or potential Client through the provision of the Service. If you are not a Client, the Visitors or Targets section of this policy may be more applicable to you and your data. In this section, "you" and "your" refer to Clients and potential Clients.
The Personal Information that we collect depends on the context of your interactions with Phishinger, your Phishinger account settings, the products and features you use, your location, and applicable law. However, the Personal Information we collect broadly falls into the following categories:
This information may include
When you use the Service, we and our third-party partners may automatically collect or receive certain information about your device and usage of the Service (collectively Service Usage Data). In some (but not all) countries, including countries in the European Economic Area (EEA), this information is considered Personal Information under applicable data protection laws. We and our third-party partners use cookies and other tracking technologies to collect some of this information.
Device information: We collect information about the device and applications you use to access the Service, such as your IP address, your operating system, your browser ID, viewfinder size, and other information about your system and connection.
Log data: Our web servers keep log files that record data each time a device accesses those servers and the nature of each access, including originating IP addresses and your activity in the Service (such as the date/time stamps associated with your usage, pages and files viewed, searches and other actions you take (for example, which features you used)), device event information (such as system activity, error reports (sometimes called crash dumps)), and hardware settings. We may also access metadata and other information associated with files that you upload into our Service.
Usage data: We collect usage data about you whenever you interact with our Service, which may include the dates and times you access the Service and your browsing activities (such as what portions of the Service you used, session duration, links clicked, non-sensitive text entered, and mouse movements). We also collect information regarding the performance of the Service, including metrics related to the deliverability of emails and other communications you send through the Service. This information allows us to improve the content and operation of the Service, and to facilitate research and analysis of the Service.
Examples of the information we receive from other sources include demographic information (such as age and gender), device information (such as IP addresses), location (such as city and state), and online behavioral data (such as information about your use of social media websites, page view information and search results and links). We use this information, alone or in combination with other Personal Information we collect, to enhance our ability to provide relevant marketing and content to you and to develop and provide you with more relevant products, features, and service.
We may use the Personal Information we collect or receive through the Service (alone or in combination with other data we source) for the purposes and on the legal bases identified below:
We may use the Personal Information we collect or receive through the Service, as a processor and as otherwise stated in this privacy policy, to enable your use of the integrations and plugins you choose to connect to your Phishinger account.
We and our third-party partners may use various technologies to collect and store Service Usage Data when you use our Service (as discussed above), and this may include using cookies and similar tracking technologies, such as pixels and web beacons. For example, we use web beacons in the emails we send on your behalf, which enable us to track certain behavior, such as whether the email sent through the Service was delivered and opened and whether links within the email were clicked. Web beacons allow us to collect information such as the recipient's IP address, browser, email client type and other similar data as further described above. We use this information to measure the performance of your campaigns, to provide analytics information, enhance the effectiveness of our Service, and for other purposes described above.
Our use of cookies and other tracking technologies is discussed in more detail in our Cookie Policy available here.
In order to send a campaign or use certain features in your account, you need to upload a Target List that provides us information about your Targets, such as their names and email addresses. We use and process this information to provide the Service in accordance with our contract with you or your organization and this Privacy Policy.
A Target List can be created in a number of ways, including by importing Targets, such as through a CSV, third-party integration or API. We do not, under any circumstances, sell your Target Lists. If someone on your Target List complains or contacts us, we might then contact that person.
Depending on the country in which you reside, you may have the following data protection rights:
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection law. We may ask you to verify your identity in order to help us respond efficiently to your request. If we receive a request from one of your Targets, we will either direct the Target to reach out to you, or, if appropriate, we may respond directly to their request.
This section applies to the information we process about our Client's Targets as a data controller. Our Service is intended for use by our Clients. As a result, for much of the Personal Information we collect and process about Targets through the Service, we act as a processor on behalf of our Clients. Phishinger is not responsible for the privacy or security practices of our Clients, which may differ from those set forth in this privacy policy. Please check with individual Clients about the policies they have in place. For purposes of this section, "you" and "your" refer to Targets.
The Personal Information that we may collect or receive about you broadly falls into the following categories:
Device information: We collect information about the device and applications you use to access emails sent through our Service, such as your IP address, your operating system, your browser ID, and other information about your system and connection.
Usage data: It is important for us to ensure the security and reliability of the Service we provide. Therefore, we also collect usage data about your interactions with campaigns (and/or emails) sent through the Service, which may include dates and times you access campaigns (and/or emails) and your browsing activities (such as what pages are viewed and which emails are opened). This information also allows us to ensure compliance with our Terms of Service, to monitor and prevent service abuse, and to ensure we attain certain usage standards and metrics in relation to our Service. We also collect information regarding the performance of the Service, including metrics related to the deliverability of emails and other electronic communications that our Clients send through the Service. This information allows us to improve the content and operation of the Service and facilitate research and perform analysis into the use and performance of the Service.
We may use the Personal Information we collect or receive about you in reliance on our (and where applicable, our Clients') legitimate interests for the following purposes:
We and our third-party partners may use various technologies to automatically collect and store certain device and usage information (as discussed above) when you interact with a Client's campaign, and this may include using cookies and similar tracking technologies, such as pixels and web beacons. For example, we use web beacons in the emails we send on behalf of our Clients. When you receive and engage with a Client's campaign, web beacons track certain behavior such as whether the email sent through the Phishinger platform was delivered and opened and whether links within the email were clicked. Web beacons allow us to collect information such as your IP address, browser, email client type, and other similar data as further described above. We use this information to measure the performance of our Client's campaigns, and to provide analytics information and enhance the effectiveness of our Service, and for the other purposes described above.
Our use of cookies and other tracking technologies is discussed in more detail in our Cookie Policy available here.
Depending on the country in which you reside, you may have the following data protection rights:
As described above, for much of the Personal Information we collect and process about Targets through the Service, we act as a processor on behalf of our Clients. In such cases, if you are a Target and want to exercise any data protection rights that may be available to you under applicable law or have questions or concerns about how your Personal Information is handled by Phishinger as a processor on behalf of our individual Clients, you should contact the relevant Client that is using the Phishinger Service, and refer to their separate privacy policies.
If you no longer want to be contacted by one of our Clients through our Service, contact the Client directly to update or delete your data. If you contact us directly, we may either forward your request to the relevant Client or provide you with the identity of the Client to enable you to contact them directly.
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. We may ask you to verify your identity in order to help us respond efficiently to your request.
This section applies to Personal Information that we collect and process when you visit the Phishinger Sites, and in the usual course of our business, such as in connection with our recruitment, events, sales and marketing activities or when you visit our offices. In this section, "you" and "your" refer to Visitors.
The Personal Information we collect may include:
The information we collect automatically includes:
Device information: such as your IP address, your browser, operating system, device information, unique device identifiers, mobile network information, request information (speed, frequency), the site from which you linked to us (referring page), the name of the website you choose to visit immediately after ours (called exit page), information about other websites you have recently visited, the web browser you used (software used to browse the internet, including its type and language), and viewfinder size and script errors.
Usage data: such as information about how you interact with our emails, Phishinger Sites, and other websites (such as the pages and files viewed, session duration, links clicked, searches, non-sensitive text entered, mouse movements, operating system and system configuration information and date/time stamps associated with your usage).
We may use the information we collect through our Phishinger Sites and in connection with our events and marketing activities (alone or in combination with other data we collect) for a range of reasons in reliance on our legitimate interests, including:
Blog. We have public blogs on the Phishinger Sites. Any information you include in a comment on our blog may be read, collected, and used by anyone. If your Personal Information appears on our blogs and you want it removed, contact us at support@phishinger.com. If we are unable to remove your information, we will tell you why.
Social media platforms and widgets. The Phishinger Sites include social media features, such as the Facebook Like button. These features may collect information about your IP address and which page you are visiting on our Phishinger Site, and they may set a cookie to make sure the feature functions properly. Social media features and widgets are either hosted by a third party or hosted directly on our Phishinger Site. We also maintain presences on social media platforms, including Facebook, Twitter, and Instagram. Any information, communications, or materials you submit to us via a social media platform is done at your own risk without any expectation of privacy. We cannot control the actions of other users of these platforms or the actions of the platforms themselves. Your interactions with those features and platforms are governed by the privacy policies of the companies that provide them.
Links to third-party websites. The Phishinger Sites include links to other websites, whose privacy practices may be different from ours. If you submit Personal Information to any of those sites, your information is governed by their privacy policies. We encourage you to carefully read the privacy policy of any website you visit.
Contests and sweepstakes. We may, from time to time, offer surveys, contests, sweepstakes, or other promotions on the Phishinger Sites or through social media (collectively, "Promotions"). Participation in our Promotions is completely voluntary. Information requested for entry may include Personal Information such as your name, address, date of birth, phone number, email address, username, and similar details. We use the information you provide to administer our Promotions. We may also, unless prohibited by the Promotions rules or law, use the information provided to communicate with you, or other people you select, about our Service. We may share this information with our subsidiaries or Affiliates and other organizations or service providers in line with this privacy policy and the rules posted for our Promotions.
We and our third-party partners use cookies and similar tracking technologies to collect and use Personal Information about you, including to serve interest-based advertising about Phishinger and its Affiliates. For further information about the types of cookies and tracking technologies we use, why, and how you can control them, please see our Cookie Policy available here.
Depending on the country in which you reside, you may have the following data protection rights:
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. We may ask you to verify your identity in order to help us respond efficiently to your request.
We may share and disclose your Personal Information with our subsidiaries or Affiliates and to the following types of third parties for the purposes described in this privacy policy (for purposes of this section, "you" and "your" refer to Clients, Targets, and Visitors unless otherwise indicated).
We may also share anonymized, aggregated information with selected third parties for statistical purposes.
If you are located in the EEA or UK, our legal basis for collecting and using the Personal Information described above will depend on the Personal Information concerned and the specific context in which we collect it.
However, we will normally collect and use Personal Information from you where the processing is in our legitimate interests and not overridden by your data-protection interests or fundamental rights and freedoms. Our legitimate interests are described in more detail in this privacy policy in the sections above titled Use of Personal Information, but they typically include improving, maintaining, providing, and enhancing our technology, products, and services; ensuring the security of the Service and our Phishinger Sites; and supporting our marketing activities.
If you are a Client, we may need the Personal Information to perform a contract with you. In some limited cases, we may also have a legal obligation to collect Personal Information from you. Where required by law, we will collect Personal Information only where we have your consent to do so.
If you have questions or need further information concerning the legal basis on which we collect and use your Personal Information, please contact us using the contact details provided in the "Questions and Concerns" section below.
Clients and Visitors who have opted into our marketing emails can opt out of receiving marketing emails from us at any time by clicking the "unsubscribe" link at the bottom of our marketing messages.
Also, all opt-out requests can be made by emailing us using the contact details provided in the "Questions and Concerns" section below. Please note that some communications (such as service messages, account notifications, billing information) are considered transactional and necessary for account management, and Clients cannot opt out of these messages unless you cancel your Phishinger account.
We take appropriate and reasonable technical and organizational measures designed to protect Personal Information from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the Personal Information. If you have any questions about the security of your Personal Information, you may contact us at support@phishinger.com.
(i) We operate in the United States.
Our servers and offices are located in the United States, so your information may be transferred to, stored, or processed in the United States. While the data protection, privacy, and other laws of the United States might not be as comprehensive as those in your country, we take many steps to protect your privacy. Phishinger agrees to abide by and process EU data in compliance with the SCCs in the form set out in Annex C of our SCC document. Clients can request a copy of Phishinger's SCC document by emailing support@phishinger.com.
(ii) For clients located in Switzerland, United Kingdom, and the EEA, Phishinger shall process any Customer Data in compliance with the SCCs or any applicable Alternative Transfer Mechanism implemented in accordance with the document. Clients can request our SCC document by emailing support@phishinger.com.
(iii) Clients, Targets and Visitors located in Australia
If you are a Client, Target or Visitor who accesses our Service in Australia, this section applies to you. We are subject to the operation of the Privacy Act 1988 ("Australian Privacy Act"). Here are the specific points you should be aware of:
You may opt out of any marketing materials we send to you through an unsubscribe mechanism. If you have requested not to receive further direct marketing messages, we may continue to provide you with messages that are not regarded as "direct marketing" under the Australian Privacy Act, including changes to our terms, system alerts, and other information related to your account as permitted under the Australian Privacy Act and the Spam Act 2003 (Cth).
You may access the Personal Information we hold about you. If you wish to access your Personal Information, you may do so by emailing us at support@phishinger.com. We will respond to all requests for access within a reasonable time.
If you think the information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, we will take reasonable steps, consistent with our obligations under the Australian Privacy Act, to correct that information upon your request. If you find that the information we have is not up to date or is inaccurate or incomplete, please contact us in writing at support@phishinger.com so we can update our records. We will respond to all requests for correction within a reasonable time.
If you are unsatisfied with our response to a privacy matter, you may consult either an independent advisor or contact the Office of the Australian Information Commissioner for additional help. We will provide our full cooperation if you pursue this course of action.
We retain Personal Information where we have an ongoing legitimate business or legal need to do so. Our retention periods will vary depending on the type of data involved, but, generally, we'll refer to these criteria in order to determine the retention period:
When we have no ongoing legitimate business need to process your Personal Information, we will either delete or anonymize it or, if this is not possible (for example, because your Personal Information has been stored in backup archives), then we will securely store your Personal Information and isolate it from any further processing until deletion is possible.
The California Consumer Privacy Act (CCPA) provides consumers with specific rights regarding their Personal Information. You have the right to request that businesses subject to the CCPA (which may include our Clients with whom you have a relationship) disclose certain information to you about their collection and use of your Personal Information over the past 12 months. In addition, you have the right to ask such businesses to delete Personal Information collected from you, subject to certain exceptions. If the business sells Personal Information, you have a right to opt-out of that sale. Finally, a business cannot discriminate against you for exercising a CCPA right.
When offering services to its Clients, Phishinger acts as a service provider under the CCPA and our receipt and collection of any consumer Personal Information is completed on behalf of our Clients in order for us to provide the Service. Please direct any requests for access or deletion of your Personal Information under the CCPA to the Client with whom you have a direct relationship.
Consistent with California law, if you choose to exercise your applicable CCPA rights, we won't charge you different prices or provide you a different quality of services. If we ever offer a financial incentive or product enhancement that is contingent upon you providing your Personal Information, we will not do so unless the benefits to you are reasonably related to the value of the Personal Information that you provide to us.
Certain state laws require us to indicate whether we honor Do Not Track settings in your browser. Phishinger adheres to the standards set out in this Privacy Policy and does not monitor or follow any Do Not Track browser requests.
We may change this privacy policy at any time and from time to time. The most recent version of the privacy policy is reflected by the version date located at the top of this privacy policy. All updates and amendments are effective immediately upon notice, which we may give by any means, including, but not limited to, by posting a revised version of this privacy policy or other notice on the Phishinger Sites. We encourage you to review this privacy policy often to stay informed of changes that may affect you. Our electronically or otherwise properly stored copies of this privacy policy are each deemed to be the true, complete, valid, authentic, and enforceable copy of the version of this privacy policy that was in effect on each respective date you visited the Phishinger Site.
If you have any questions or comments, or if you have a concern about the way in which we have handled any privacy matter, please contact us by postal mail or email at:
Phishinger
Email: support@phishinger.com