Last modified: Saturday 14th September 2020
We are keenly aware of the trust placed in us by our users and our responsibility to protect and appropriately handle the information we collect whilst providing our service to our users.
Any reference to “user” or “users”, “you” or “your” refers to you as a user of PhishTool’s services. Any reference to “we”, “us”, “our” or “PhishTool” refers to PhishTool Limited, a Limited Company registered in England and Wales with company number: 12126730, registered office address: PhishTool Limited, International House, 24 Holborn Viaduct, London, EC1A 2BN, United Kingdom. Any reference to “service” or “services” refers to the applications, websites, services and products produced and provided by PhishTool. Any reference to “agent’ or “agents” refers to you as a user being a member of an organisation that you legitimately act on behalf of. Any reference to “organisation” or “organisations” refers to any company, business, trader, charity, public service, non-governmental organisation, club or group to which one or more registered users of our services are members, and has been registered as an organisation through our services. Any reference to “file” or “files” refers to a digital file that is or contains one or more emails, or the contents of an email in whole or in part, as well as all included attachments or other data within the email.
2. When we collect information
We collect information from our users, including personal information when our users access our website, products or services. The users we collect information from includes both registered and non-registered users. The information we collect is collected to the extent that it is necessary to provide our services to our users, to protect our user’s interests and to secure our platform and services against abuse.
2.1 If you contact us
We collect all submitted information, including personal information from both our registered and non-registered users at the point that a user makes contact with us. If you send us an email, or complete a webform provided by us via our services, all information that you share with us via these means will be collected and processed by us to the extent that is required to provide our services to you and/or to assist in improving or changing our services or to satisfy a request you make of us.
2.2 If you submit a file to our service
We will collect all information contained within files that you submit to our service and metadata related to the submission of the file. We will collect, process and store all files, including all data and information contained therein, both personal and otherwise. We will collect and store the metadata generated by your analysis of a file submitted to us. Collecting, processing and storing the files that you submit to us and the metadata you generate is a fundamental aspect of our service, and is necessary for the purposes of provide our services to you and other users aswell as to assist in the further development of our existing and future services.
Our Terms of Service requires you to be the owner of any file you submit, or to have all necessary rights and permissions to use, access and submit the file to us. Any file that you submit may contain within it further files, specifically email attachments which may contain further information both personal or otherwise which you are also required to have the rights and permissions to use, access and submit to us.
2.3 If you register with us
If you create an account (register) with us, you are required to submit a unique legitimate email address to which you have the rights of access and use. You are also required to submit a sufficiently complex password to be used in conjunction with your email address to access our services. We will collect, process and store both your email address and password in our systems. Once collected, we take steps to secure your email address and password in our systems, including in-transit and at rest encryption. We also use other cryptographic techniques to appropriately store and verify passwords.
2.4 If you pay us
If you purchase our services we may collect or receive your personal information, including debit or credit card information and/or any other payment related information from you and/or our payment processor. We take steps to ensure that your personal information is processed securely.
2.5 If you access our services and products
When you access our services we may collect specific information about the device you are using. This may include network information, information about your browser and information about your operating system. This information is collected and processed to secure our products and services from abuse, such as Distributed Denial of Service attacks, or other Denial of Service attacks, as well as to secure against brute forcing of account credentials and other account related functions provided by our services. We may also process this information in order to provide you with a device specific user interface for our services.
This information is collected automatically when you use our services. We may automatically collect and store network related information such as your Internet Protocol address, device specific information such as browser type and HTTP request headers, including but not limited to your User-Agent string, referral URL, date and time, language, as well as cookie related information. The confluence of this information may be used to uniquely identify your browser, which may be used to correlate your browser to your PhishTool user account.
This information may be used to improve our products and services by identifying how and when our users access our services, for compiling metrics to facilitate our business activities or to assist in detecting breaches of our Terms of Service.
2.5.1 Cookies and local storage
A cookie is a small file that contains a string of text and is stored on your computer when you navigate to a website.
Most browsers have the functionality to remove cookies and/or prevent cookies being stored on your system. Our services may not function properly if you disable cookie functionality.
We may also collect and store information through other mechanisms, such as storing files related to the provision of our services to you in your local cache (local storage) as facilitated by your system and browser.
3. How we use the information we collect
The information we collect from you is used for the maintenance and administration of your account, to provide a service experience customised to you or to secure and protect your account and our services and intellectual property and the security and integrity of the information that we have been entrusted with.
We may also use your information to facilitate appropriate payment for our services and to perform contracts that we may have with you or an organisation for which you are an agent.
Additionally, we may use the information that we collect from you to provide, maintain and improve our services, to create and develop new features for our services and to create new services and products.
3.1 How we use submitted files
We use the files our users submit to produce analysis of those files to our users. This functionality is at the core of our service.
We also use the files our users submit to test, improve and secure our services, to develop new functionality and to improve our services. Specifically, we may use submitted files and the information contained within submitted files for the following purposes:
To provide analysis of the file to the submitting user, and other users authorised to have access to that file;
To archive the analysis generated by us, and store the submitted file to keep the file available to download by the submitting user, relevant organisation and other relevant authorised users;
To produce metrics for the submitting user, relevant organisation and other relevant authorised users;
To further analyse the file to generate useful information for the benefit of our users in order to better identify evidence of phishing in other submitted files;
To develop new features and functionality in our services and to improve our services;
To develop new services and products;
To understand how our users use our services by identifying what files users are submitting;
To test our services;
To compile collections of indicators of phishing, which may be shared among our users;
To identify patterns in collections of indicators of phishing, which may be shared among our users;
To identify attempts to interfere or damage our services and to investigate successful interference or damage to our services.
3.2 How we use analysis metadata
We use the metadata generated during the analysis of a file by a user for the following purposes:
To keep a record of the analysis taken so that it can be viewed by the submitting user and other authorised users;
To generate reports for a user, so the reports can be downloaded;
To build collections of artefacts, that may be sold or shared with users, organisations or other authorised parties;
To integrate with other PhishTool products and services;
To integrate with third party products and services.
3.3 How we use account information
We use the information you provide us in relation to your account to administer access to our service and to maintain the security of user accounts and the security of our services as a whole. User account information may be used for the following purposes:
To control access to our platforms and to prevent illegitimate access to user accounts;
To enforce the use of secure passwords and other authentication methods;
To confirm users information is legitimate, such as sending a user an automated email to confirm the email address belongs to that user;
To restrict access to our services, such as preventing an email address from being used to register an account with our services;
To identify illegitimate access to our services and to identify attempts to illegitimately access our services;
To investigate and identify breaches of our Terms of Service;
To contact you in relation to changes made to your account or in relation to other security related events, such as sending a user an automated email if the user requests to change their password or email address;
To administer payment of our services, such as sending a user a receipt of payment;
To understand how and when our users access our services and to produce reports to improve our services and support our business goals. This information may include, but is not limited to the date and time a user accessed our services, how many files a user has submitted and the date and time that a user created an account on our service.
3.4 How we use information we receive when we are contacted
When you contact us we may store the communication you send us, including all information it contains. This is to enable us to appropriately respond to that communication, which may be feedback or a question. We may use information from your communication such as your email address, to inform you about aspects of our service if requested by you, or if you have requested that we contact you or otherwise agreed to receive communications from us.
If you consent, or at your request, we may contact you with relevant marketing or promotional information regarding the services that we provide that may be of interest to you. If you consent to receive marketing emails from us, you can unsubscribe using the unsubscribe URL included in our marketing emails, or by contacting us at any time. Unsubscribing from marketing emails will not stop account and security related emails from being sent to you, it is not possible to opt-out of these emails.
4. The legal grounds we use to process personal information
In accordance with applicable data protection laws we are required to state the legal basis that we use to process personal information. There are 6 available legal bases outlined within the General Data Protection Regulation (GDPR), from which we have selected the most appropriate basis for our processing. That basis is “Legitimate Interests”.
Our legitimate interests are as follows: PhishTool has been designed and built as a service to assist in the detection of malicious emails. Phishing causes significant harm to its victims, be them individuals or organisations. Our service is used by our users and by our organisations to help secure their environments and/or themselves against phishing, where phishing represents a serious financial risk and serious risk to reputation, among other risks.
In order to detect indicators of phishing and therefore malicious emails, it is necessary to provide our users with the functionality to upload suspicious emails to our services. By the very nature of this functionality it is vitally important the we process any email or email related file that we receive and report to our users our findings.
By the nature of email, it is entirely possible that an email or email chain could contain personally identifiable information among other information, which at minimum would include an email address or email addresses. It is also possible for malicious actors to insert false personally identifiable information into an email, where it is not practicable for us to determine if that information is legitimate or not. Therefore, if we were to deliberately screen for all personally identifiable information and refuse to process these submitted emails, then we would provide malicious actors with a means to circumvent the security we offer to our users, and expose them to risk. Fundamentally, screening emails for personal information and refusing to process them would render our services impossible to deliver.
The storage of submitted emails and email attachments is necessary to provide our users with the future access to the emails and attachments they have submitted to us and to provide our users and organisations with access to the associated reports that we generate.
The storage of submitted emails also enables us to display to our users and organisations a range of metrics and analytical reports to our users and organisations, so that they can understand the specific tactics and techniques used against them in phishing emails.
Additionally, it is necessary for us to store submitted emails to produce macro analysis of the emails we receive over time, so that we can identify patterns and trends in the collections of phishing emails we receive, to better identify false positives and more accurately identify indicators of phishing which we use to improve our services for our users.
As the body of stored emails grows, so will our ability to detect phishing emails, making our services more accurate and more useful, directly benefitting our users, our organisations and the wider community.
We have determined that the identification of personally identifiable information in all of it forms (as we cannot control the information contained in the emails users submit to our services) whilst providing our services is technically impossible. Doing so would prevent our services from detecting phishing emails and would result in our services ceasing to work. Our users expect that we will identify indicators of phishing in the emails that they submit to us, therefore we must process the emails our users submit, regardless of their content.
We aim to grow our services so that they become increasingly more integral part of securing against phishing emails across the Internet. The less effective phishing becomes as an attack vector, the less likely it is for malicious actors to use it to attempt to achieve malicious and criminal goals. Broadly, reducing the efficacy of phishing as an attack vector is desirable for not just our users and organisations, but also all legitimate users of email.
4.1 The measures we take to reduce the impact of processing personal information
We have built in to our services the following measures to reduce the impact of processing personal information:
Our users agree to our Terms of Service in order to successfully create an account with us and to access our services. Our Terms of Service obliges our users to exclusively submit files which they have a right in law to have access. We stipulate that the files our users submit, including all information that the file may contain must be either owned by the user or the user must have all necessary rights and permissions to the file and to the information the file contains;
We take technical steps to check that our users submit files that are, or contain an email or emails. The file type and structure is automatically analysed by our services to prevent unintended or accidental upload and retention of files that our services are not designed to process. Thereby reducing the likelihood of personal information being processed from files that our services are not intended for;
We use technology, operational architecture and internal procedures to securely store the files that are submitted to our services. This includes using encryption in transit and at rest;
We do not make available any submitted files or personal information to the public. All submitted files and associated information is made available through our services only to registered users, organisations and collections of users that are authorised by us to access them.
4.2 The information we share
We may share information, including personal information (where stipulated) in the following circumstances:
With our users: Where they have been identified as authorised users with the rights and permissions necessary to access the information and where the information pertains to them or the organisation which they have been identified as being a member of;
With our users: Where the information has been derived from the analysis of emails submitted to our services;
With threat intelligence feed providers: So that indicators of phishing can be identified from a diverse range of both public and commercial data sets and integrated in to our services;
With payment processors: It is necessary to share your information including personal information with our payment processors so that we can appropriately process payments for our services (where payment is applicable);
In the event of an acquisition, merger or sale of business and/or business assets: We may disclose your information including personal information with a relevant prospective buyer or seller of such business and/or business assets;
To comply with the law: We will share information including personal information with companies, organisations, agencies, courts, governments or individuals where we have reasonable grounds to believe that access, disclosure or transfer is necessary to comply with the law or where compelled by a legal request, warrant or lawful responsibility. Specifically this may include:
To comply with any applicable laws regulations, legal processes or lawful requests in a relevant jurisdiction;
To assist law enforcement, where lawfully requested and disclosure of such information is necessary to detect, prevent or defend against crime;
To protect against harm to the rights, property or safety of PhishTool, our users or the public as required or permitted by law.
With the public: We may share aggregated and anonymised information with our customers, partners, future customers or the public. For example, we may share statistical information about our services or general information about the use of our services for business or marketing purposes.
We will never use your information for the purposes of third party advertising.
5. Data transfers
We process information including personal information on our systems which are hosted within a distributed architecture, which may be located across multiple jurisdictions and countries around the world. We may process, transfer or store your information and personal information on a server, database or other storage system which is physically located outside of the country or jurisdiction that you are located in.
It is important to be aware that the privacy protections applied in your local jurisdiction may differ from the jurisdiction that your personal information is stored in. If we transfer your personal information we will take all steps as required by applicable law to ensure that your personal information is adequately protected by appropriate safeguards.
6. Information security and retention
You will be asked to create a password If you create an account on our services. This password - in conjunction with your registered email address - is used to give you secure access to our services. We ask that you take adequate steps to keep this password confidential and not to share your password with anyone.
We take steps to ensure that the information and personal information that you provide to us is only retained for as long as is necessary, for the purposes it was collected. Each file that you submit to our services can be deleted by you via the PhishTool user interface. The deletion of a file will not remove, nullify or restrict the license granted to us by you at the time the file was submitted to our services. The file and/or artefacts of the file may be integrated in to other PhishTool datasets after the file has been submitted, but before it is deleted; Deletion of the file will not remove the file and/or artefacts of the file from these additional datasets.
7. Your rights
You have certain rights in relation to your personal information, the rights you have depend on your location. Your rights may include the right to update, correct, access, restrict or erase your personal information or halt the processing of your personal information. You may also have the right to a copy of all the personal information we hold in relation to you.
Please contact us if you wish to exercise any of these rights; we will handle and respond to any request in accordance with applicable laws. In some instances it may be necessary for us to request further details from you to identify you and appropriately handle your request.
When we collect personal information from you, we will ask for your consent if we intend to process the information we collect for the purposes of marketing. You can elect to prevent the use of your information for marketing purposes at any time. You can opt-out of marketing emails by logging in to your PhishTool account and choosing the appropriate option in the 'Settings' screen. Alternatively, you can contact us directly to stop us from using you personal information for marketing purposes.
7.2 Making changes to your user account or personal information
If you have registered for a user account with us, you will be able to change your email address and password when you are logged in to your account, if you wish. Additionally, If we hold other personal information about you, it may be possible to view and change this information when you are logged in.
The quickest and easiest way to entirely delete your personal information from our systems is to delete your account. Otherwise we can be contacted directly to erase your personal information, if necessary.
Please note, in some circumstances we may not erase personal information if it is included in a submitted file which forms part of the historical file submissions of a registered organisation that you are a member of or if it is a part of a submitted file which is currently being used to generate useful information for the benefit of our users, our organisations or the broader community to better identify evidence of phishing in other submitted files.
We may reject requests to change or erase information, including personal information if the requests are unreasonable, disproportionality repetitive, require disproportionate technical effort, risk the privacy and/or rights of others or are extremely impractical.
In some jurisdictions you may have the right to complain to a Data Protection Authority if you think we have unlawfully processed your information, or have violated your rights in relation to the processing of your information. We politely request that you contact us first so that we can seek to adequately resolve your concerns directly.
8. Links to third party websites
9. Third party integrations and OAuth applications
We provide our users with the ability to integrate PhishTool services with selected third party service providers, if our users choose to do so. These integrations are made available in order to enhance the utility of PhishTool and the third party service.
9.1 Google API services
We provide users with the ability to authorise PhishTool to have read-only access to a user owned Gmail/Gsuite mailbox so that PhishTool can automatically ingest emails received by the mailbox, making the process of analysing emails with PhishTool quicker and easier.
PhishTool's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
We will request read-only access to the Gmail/Gsuite mailbox you specify, exclusively;
We will only ingest the emails that match the conditions you specify when you configure the Google OAuth integration;
You can revoke PhishTool's OAuth access to Gmail/Gsuite at any time.
9.2 Microsoft API services
We provide users with the ability to authorise PhishTool to have read-only access to a user owned Microsoft 365 mailbox so that PhishTool can automatically ingest emails received by the mailbox, making the process of analysing emails with PhishTool quicker and easier.
We will request read-only access to the Microsoft 365 mailbox you specify, exclusively;
We will only ingest the emails that match the conditions you specify when you configure the Microsoft 365 OAuth integration;
You can revoke PhishTool's OAuth access to Microsoft 365 at any time.
12. Contacting us
Depending on the jurisdiction you are in, if you wish to complain about our processing of personal information, you may have the right to lodge a complaint with a Data Protection Authority.