Privacy Policy

Last updated: 16 May 2026

1. Who we are

Phishtime (“Phishtime”, “we”, “us”) provides a phishing-simulation and security-awareness training platform. This policy explains what personal data we process, why, and the rights available to individuals whose data we handle.

When an organisation (our “Customer”) uses Phishtime to run simulations for its own staff, the Customer is the data controller and Phishtime acts as a data processor on the Customer’s instructions. For account-level and billing data, Phishtime is the controller.

2. Data we collect

  • Account data — names, work email addresses, hashed passwords, role, and authentication metadata (including MFA and SSO identifiers) for administrators and users.
  • Audience data — employee names, email addresses, and group or department attributes uploaded or synced by a Customer to define simulation recipients.
  • Simulation event data — records of email deliveries, opens, link clicks, form submissions, and attachment interactions generated while a campaign runs, together with timestamps, coarse user-agent information, and IP-derived data used for bot filtering.
  • Usage and technical data — log data, device and browser information, and diagnostic events needed to operate and secure the service.
  • Billing data — plan, contract, and invoicing details for Customers.

Simulations are designed to measure behaviour, not to capture secrets. Credentials typed into a simulated landing page are not stored; only the fact that a submission occurred is recorded.

3. How we use data

  • To deliver phishing simulations and record their outcomes.
  • To generate awareness training, reporting, and risk scoring for Customers.
  • To authenticate users and secure the platform against abuse.
  • To provide support, administer accounts, and process billing.
  • To meet legal, audit, and security obligations.

4. Legal bases

Where the GDPR or comparable laws apply, we rely on: performance of a contract (providing the service); legitimate interests (securing and improving the platform, and our Customers’ interest in training their workforce); and compliance with legal obligations. Customers are responsible for establishing a lawful basis for including their employees in simulations and for any notice to those employees.

5. Data sharing

We do not sell personal data. We share data only with sub-processors that help us run the service — such as cloud hosting, email delivery, and error-monitoring providers — under contracts that require appropriate safeguards. A current list of sub-processors is available to Customers on request.

6. Retention

Simulation event data is retained for the period configured by the Customer or as required to produce historical reporting, after which it is deleted or aggregated. Account and billing data is retained for the life of the account and for any period required by law. On termination, Customer data is deleted or returned in line with the applicable agreement.

7. Security

We apply technical and organisational measures appropriate to the risk, including encryption in transit, tenant isolation, role-based access control, multi-factor authentication, and audit logging. No system is perfectly secure; we maintain an incident-response process and will notify affected parties of breaches as required by law.

8. Your rights

Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, or port your personal data, and to object to certain processing. Because employee data is processed on behalf of a Customer, requests from an employee are usually best directed to their employer; we will assist our Customer in responding. For account-level data we control, contact us using the details below.

9. International transfers

Where data is transferred across borders, we use recognised safeguards such as Standard Contractual Clauses or transfers to jurisdictions with an adequacy decision.

10. Changes to this policy

We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated through the service or by email. The “Last updated” date above reflects the current version.

11. Contact

Questions about this policy or our data practices can be sent to privacy@phishtime.app.