Phishgate

Last updated: March 30, 2026

Privacy Policy

This document is a placeholder and is not legally binding. It is intended to be reviewed and finalized by a qualified legal professional before publication.

1. Introduction

Phishgate (“we”, “our”, or “us”) operates the Phishgate browser extension and the Phishgate dashboard at phishgate.io (collectively, the “Service”). This Privacy Policy explains what personal data we collect, how we use it, and what rights you have in relation to it. By using the Service, you agree to the practices described in this policy.

2. Data Controller

The data controller responsible for processing your personal data is Phishgate GmbH, [Address], [City], [Country]. If you have questions about data processing, you can contact our Data Protection Officer at [email protected].

3. What Data We Collect

  • Account data: Name, work email address, and company name provided during registration.
  • Authentication data: Encrypted session tokens stored in HTTP-only cookies.
  • Extension activity data: URLs visited by employees that are flagged as potential phishing attempts, along with timestamps and device identifiers. No browsing history outside of flagged events is collected.
  • Configuration data: Trusted and blocked domain lists configured by your organization's administrator.
  • Usage data: Aggregated, anonymized metrics about dashboard usage (page views, feature interactions) to improve user experience.

4. Legal Basis for Processing

We process personal data on the following legal bases under the General Data Protection Regulation (GDPR):

  • Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Service under your subscription agreement.
  • Legitimate interests (Art. 6(1)(f) GDPR): Security monitoring, fraud prevention, and product improvement.
  • Legal obligation (Art. 6(1)(c) GDPR): Where required by applicable law.

5. How We Use Your Data

  • To provision and maintain your organization's account.
  • To detect and report phishing attempts to authorized administrators.
  • To send transactional emails (e.g., password resets).
  • To comply with legal obligations and enforce our Terms of Service.
  • To analyze anonymized usage patterns and improve the Service.

6. Data Sharing and Third Parties

We do not sell your personal data. We may share data with trusted third-party service providers (e.g., cloud hosting, email delivery) under data processing agreements that comply with GDPR. We may disclose data to law enforcement when required by a valid legal order.

7. Data Retention

Account data is retained for the duration of your subscription plus 90 days after termination, after which it is permanently deleted. Phishing event logs are retained for 12 months by default. Anonymized usage statistics may be retained indefinitely.

8. Your Rights

Under GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”) where legally permissible.
  • Object to or restrict certain processing activities.
  • Receive your data in a machine-readable format (data portability).
  • Lodge a complaint with your national data protection authority.

To exercise any of these rights, contact us at [email protected].

9. Security

We implement industry-standard security measures, including encryption in transit (TLS 1.2+), encryption at rest, access controls, and regular security audits. However, no system is completely immune to vulnerabilities.

10. Changes to This Policy

We may update this Privacy Policy periodically. We will notify registered users of material changes via email at least 14 days before the change takes effect. Continued use of the Service after that date constitutes acceptance of the updated policy.

11. Contact

For any privacy-related inquiries, please email us at [email protected] or write to us at: Phishgate GmbH, [Address], [City], [Country].