Last updated: 1 April 2026 · Effective: 1 April 2026
PhishShield is operated by PhishShield, Inc. ("we", "us", "our"). We provide a security awareness training and phishing simulation platform. Our registered address is in London, United Kingdom. For data protection queries, contact us at [email protected].
We collect information you provide directly, such as your name, work email address, organisation name, and billing details when you register or subscribe. We also collect information automatically when you use our platform, including log data (IP address, browser type, pages visited), usage data (campaign results, click events), and cookies for session management and analytics.
We use your information to provide and improve the PhishShield service, process payments, send transactional emails (account confirmations, password resets, support replies), send security awareness training materials to your nominated targets (only with your explicit instruction), and comply with legal obligations. We do not sell your personal data to third parties.
When you run phishing simulations, we process data about your employees' interactions with simulation emails (opens, clicks, credential submissions). This data is processed on your behalf, with you as the data controller — you instruct us to run the simulation, and we act as data processor. You are responsible for obtaining appropriate consent or having a legitimate basis under your employment agreements.
We share data with: (a) payment processors (Stripe) for billing; (b) cloud infrastructure providers (Supabase/AWS) for hosting; (c) email delivery providers for transactional emails. All sub-processors are bound by data processing agreements and GDPR-compliant terms. We will disclose data to law enforcement where required by law.
We retain your account data for the duration of your subscription plus 90 days after cancellation, after which it is permanently deleted. Campaign results and training records are retained for 24 months by default. You may request earlier deletion at any time by contacting [email protected].
Under GDPR and UK data protection law, you have the right to access, rectify, erase, restrict, or port your personal data. You also have the right to object to processing and to withdraw consent at any time. To exercise any of these rights, contact [email protected]. You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
We implement industry-standard security measures including encryption in transit (TLS 1.3), encryption at rest (AES-256), access controls, and regular security testing. For more detail, see our Security page.
We may update this Privacy Policy from time to time. We will notify you of material changes by email or via an in-app notification at least 14 days before the changes take effect. Continued use of the service after that date constitutes acceptance of the updated policy.
Questions about this policy? Email us at [email protected].