Privacy Policy

Last modified: Thursday 25th September 2025

1. Introduction

This Privacy Policy explains how PhishTool Limited (“PhishTool”, “we”, “us”, “our”) collects, processes, and protects personal information when you use our products and services.

PhishTool Limited is a company registered in England and Wales (Company Number: 12126730), with registered office at International House, 36–38 Cornhill, London, EC3V 3NG, United Kingdom.

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and other applicable data protection laws.

2. Roles and Responsibilities

  • You, the customer, are the data controller for files and personal data you submit to PhishTool.
  • PhishTool acts as the data processor, processing such data only on your documented instructions, for the purposes of providing our services.

Enterprise customers receive a GDPR-compliant Data Processing Agreement (DPA) which supplements this Privacy Policy.

3. Information We Collect

We collect and process the following categories of information, either on your behalf as processor or, for account, billing, support and contract data, in our own right as controller (see Section 4):

  • Submitted Files: Emails, attachments, and related artefacts uploaded to the service.
  • Analysis Metadata: Information generated when analysing files (timestamps, indicators, results).
  • Account Information: Your email address, password (stored securely using cryptographic methods), and organisation details if applicable.
  • Payment Information: Billing details. Payments are processed securely by our subprocessors Stripe Payments Europe, Limited (card payments) and National Westminster Bank Plc (NatWest) (bank transfers). We do not store full payment card details.
  • Contact and Support Data: If you contact us, we collect your name, email address, and inquiry content. This is managed in HubSpot to handle inbound inquiries, support tickets, and communications.
  • Contract Information: If you enter into a commercial agreement with us, we may process your name, email address, signature, and related contract data through DocuSign for secure digital signatures and contract management.
  • Device and Log Data: IP address, browser type, operating system, and usage activity.
  • Cookies and Local Storage: Small files used for secure logins, preferences, and analytics (see Section 9).

4. How We Use Information

We process data only on your instructions, to:

  • Provide, maintain, and improve our services;
  • Analyse files to identify phishing indicators and generate reports;
  • Generate metrics and threat intelligence to improve detection accuracy;
  • Secure accounts and prevent misuse of our platform;
  • Administer billing and payments;
  • Manage customer inquiries, support tickets, and legal agreements;
  • Communicate with you about your account, updates, or support requests;
  • Comply with applicable legal obligations.

5. Lawful Basis for Processing

As processor, PhishTool processes personal data under the lawful basis determined by you, the controller.

Where PhishTool acts independently (e.g. processing business contact data for contracts, billing, or compliance), we rely on:

  • Contractual necessity (to deliver services and agreements);
  • Legal obligation (to comply with regulatory or law enforcement requirements);
  • Legitimate interests (to secure and improve our services).

6. Hosting and Data Location

All PhishTool services are hosted within the Amazon Web Services (AWS) Dublin region (eu-west-1).

No customer data is transferred outside the UK or the EU/EEA unless legally required or expressly authorised. Where such transfers are necessary, we ensure appropriate safeguards are in place (e.g., the Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement/Addendum).

7. Subprocessors

We use carefully selected subprocessors to provide our services. These include:

  • Amazon Web Services EMEA SARL (Ireland) – hosting and infrastructure.
  • Stripe Payments Europe, Limited (Ireland) – card payment processing.
  • National Westminster Bank Plc (United Kingdom) – bank transfer payment processing.
  • HubSpot, Inc. (United States, with EU/UK hosting where applicable) – inbound inquiries, CRM, and support ticket management.
  • DocuSign, Inc. (United States, with EU/UK hosting where applicable) – secure digital signatures and contract management.

We remain responsible for the processing activities of our subprocessors. Where subprocessors are located outside the UK or the EU/EEA, we ensure appropriate safeguards such as SCCs (or the UK International Data Transfer Agreement/Addendum) are in place.

8. Data Retention and Deletion

  • Files you submit can be deleted by you at any time via the PhishTool interface.
  • Account deletion requests result in removal of associated personal data from active systems without undue delay.
  • Backup copies are purged within 30–60 days.
  • Derived, anonymised datasets may be retained on the basis of legitimate interests, but these do not identify you or your organisation.

9. Cookies

PhishTool uses cookies and similar technologies:

  • Strictly necessary cookies – required for secure login and session management.
  • Preference cookies – to store settings such as language.
  • Analytics cookies – to improve our services (aggregated, non-identifying).

You can manage cookies in your browser settings. Disabling cookies may affect functionality.

10. Sharing of Information

We may share personal information only in limited circumstances:

  • With authorised users in your organisation;
  • With subprocessors (see Section 7);
  • With regulators, courts, or law enforcement where legally required;
  • In the event of a business transfer (e.g., merger or acquisition);
  • With the public only in anonymised or aggregated form.

We do not sell personal information and do not use it for third-party advertising.

11. Security Measures

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption in transit and at rest;
  • Role-based access controls;
  • Monitoring and logging;
  • Regular review of security measures.

12. Data Breach Notification

If a personal data breach occurs affecting data we process on your behalf, we will notify you, the controller, without undue delay after becoming aware of it, so that you can meet your own notification obligations. Where we act as controller, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours, and will inform affected individuals where the breach is likely to result in a high risk to their rights and freedoms, in accordance with GDPR requirements.

13. Your Rights

As the controller, you are responsible for fulfilling data subject rights requests. PhishTool will support you by implementing appropriate measures to assist.

Data subjects may have the right to:

  • Access their personal data;
  • Request correction or erasure;
  • Restrict or object to processing;
  • Request data portability;
  • Withdraw consent (where applicable).

Requests can be initiated through you as the controller or by contacting us at support@phishtool.com.

14. Marketing

If you consent, we may send marketing emails about PhishTool services. You can withdraw consent at any time via the unsubscribe link or by contacting us.

15. Contacting Us

For privacy-related questions or requests, please contact:
support@phishtool.com

You also have the right to lodge a complaint with your local Data Protection Authority.
