Privacy Policy 

Updated March 9, 2021
 
PhishingBox takes data privacy seriously.  This privacy policy explains who we are, how we collect, share and use Personal Information, and how you can exercise your privacy rights.
 
We recommend that you read this Privacy Policy in full to ensure you are fully informed. However, to make it easier for you to review the parts of this Privacy Policy that apply to you, we have divided up the document into sections that are specifically applicable to Clients (Section 2), Targets (Section 3), and Visitors (Section 4). Sections 1 and 5 are applicable to everyone.
 
If you have any questions or concerns about our use of your Personal Information, contact us using the contact details provided at the end of Section 5.
To the extent we provide you with notice of different or additional privacy policies, those policies will govern such interactions.
 
1. BASIC INFORMATION
 
A. About Us
 
PhishingBox is a security awareness training and testing company, headquartered in Lexington, Kentucky, in the United States ("we," "us," "our," and "PhishingBox"). Our Service enables our Customers to, among other things, send and manage security awareness training campaigns to include simulated phishing emails and assign training courses. 
 
B. Key Terms
 
In this privacy policy, these terms have the following meanings:
 
"Affiliate" means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
 
"Target" is a person a Client may Target through our Service. In other words, a Target is anyone on a Client's Campaign List about whom a Client has given us information or is anyone who has otherwise interacted with a Client via the Service.  
 
"Control" means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term "Controlled" shall be construed accordingly.
 
"Campaign List " is a list of Targets a Client may upload or manage on our platform and all associated information related to those Targets (for example, email addresses).

"PhishingBox Site(s)" has the meaning given to it in our Terms of Service.
 
"Client" means any person or entity that is registered with us to use the Service.
 
"Personal Information" means any information that identifies or can be used to identify an individual directly or indirectly. Examples of Personal Information include, but are not limited to, first and last name, date of birth, email address, gender, occupation, or other demographic information.
 
"Service" has the meaning given to it in our Terms of Service.
 
"Visitor" means, depending on the context, any person who visits any of our PhishingBox Sites, offices, or otherwise engages with us at our events or in connection with our marketing or recruitment activities.
 
"you" and "your" means, depending on the context, either a Client, a Target, or a Visitor.
 
2. Privacy for Clients
 
This section applies to the Personal Information we collect and process from a Client or potential Client through the provision of the Service. If you are not a Client, the Visitors or Targets section of this policy may be more applicable to you and your data. In this section, "you" and "your" refer to Clients and potential Clients.
 
A. Information We Collect
 
The Personal Information that we collect depends on the context of your interactions with PhishingBox, your PhishingBox account settings, the products and features you use, your location, and applicable law.  However, the Personal Information we collect broadly falls into the following categories:
 
(i) Information you provide to us: You (or your organization) may provide certain Personal Information to us when you sign up for a PhishingBox account and use the Service, consult with our customer service team, send us an email, integrate the Service with another website or service, or communicate with us in any other way.
 
This information may include:
 
  • Business contact information (such as your name, job title, organization, location, phone number, email address, and country);
  • Marketing information (such as your contact preferences);
  • Account log-in credentials (such as your email address or username and password when you sign up for an account with us);
  • Troubleshooting and support data (which is data you provide or we otherwise collect in connection with support queries we receive from you. This may include Target or authentication data, the content of your chats and other communications with us, and the product or service you are using related to your help inquiry); and
  • Payment information (including your credit card numbers and associated identifiers and billing address).

(ii) Information we collect automatically: When you use the Service, we and our third-party partners may automatically collect or receive certain information about your device and usage of the Service (collectively, "Service Usage Data"). In some (but not all) countries, including countries in the European Economic Area (EEA), this information is considered Personal Information under applicable data protection laws. We and our third-party partners use cookies and other tracking technologies to collect some of this information.
 
Service Usage Data may include:
 
Device information: We collect information about the device and applications you use to access the Service, such as your IP address, your operating system, your browser ID, viewfinder size, and other information about your system and connection. 
 
Log data: Our web servers keep log files that record data each time a device accesses those servers and the nature of each access, including originating IP addresses and your activity in the Service (such as the date/time stamps associated with your usage, pages and files viewed, searches and other actions you take (for example, which features you used)), device event information (such as system activity, error reports (sometimes called crash dumps)), and hardware settings. We may also access metadata and other information associated with files that you upload into our Service.
 
Usage data: We collect usage data about you whenever you interact with our Service, which may include the dates and times you access the Service and your browsing activities (such as what portions of the Service you used, session duration, links clicked, non-sensitive text entered, and mouse movements). We also collect information regarding the performance of the Service, including metrics related to the deliverability of emails and other communications you send through the Service. This information allows us to improve the content and operation of the Service, and to facilitate research and analysis of the Service.
 
(iii) Information we collect from other sources: From time to time, we may obtain information about you from third-party sources, such as public databases, social media platforms, third-party data providers, and our joint marketing partners.
Examples of the information we receive from other sources include demographic information (such as age and gender), device information (such as IP addresses), location (such as city and state), and online behavioral data (such as information about your use of social media websites, page view information and search results and links). We use this information, alone or in combination with other Personal Information we collect, to enhance our ability to provide relevant marketing and content to you and to develop and provide you with more relevant products, features, and service.
 
B. Use of Personal Information
 
We may use the Personal Information we collect or receive through the Service (alone or in combination with other data we source) for the purposes and on the legal bases identified below:
 
  • To bill and collect money owed to us by you to perform our contract with you for the use of the Service or where we have not entered into a contract with you, in accordance with our legitimate interests to operate and administer our Service. This includes sending you emails, invoices, receipts, notices of delinquency, and alerting you if we need a different credit card number. We use third parties for secure credit card transaction processing, and those third parties collect billing information to process your orders and credit card payments. To learn more about the steps we take to safeguard that data, see the "Our Security" section of this privacy policy.
  • To send you system alert messages in reliance on our legitimate interests in administering the Service and providing certain features. For example, we may inform you about temporary or permanent changes to our Service, such as planned outages, or send you account, security or compliance notifications, such as new features, version updates, releases, abuse warnings, and changes to this Privacy Policy.
  • To communicate with you about your account and provide customer support to perform our contract with you for the use of the Service or where we have not entered into a contract with you, in reliance on our legitimate interests in administering and supporting our Service. 
  • To enforce compliance with our Terms of Service and applicable law, and to protect the rights and safety of our Clients in reliance on our legitimate interest to protect against misuse or abuse of our Service and to pursue remedies available. This may include developing tools and algorithms that help us prevent violations. For example, sometimes we review the content our Clients send or display to ensure it complies with our Terms of Service. To improve that process, we have software that helps us find content that may violate our Terms of Service. We, or our third-party service provider, may also review content that our Clients send or display. This benefits all Clients who comply with our Terms of Service because it reduces abuse and helps us maintain a reliable platform. Do not use PhishingBox to send or display confidential information.
  • To meet legal requirements, including complying with court orders, valid discovery requests, valid subpoenas, and other appropriate legal mechanisms.
  • To provide information to representatives and advisors, including attorneys and accountants, to help us comply with legal, accounting, or security requirements in reliance on our legitimate interests.
  • To prosecute and defend a court, arbitration, or similar legal proceeding.
  • To respond to lawful requests by public authorities, including to meet national security or law enforcement requirements. 
  • To provide, support and improve the Service to perform our contract with you for the use of the Service or where we have not entered into a contract with you, in reliance on our legitimate interests in administering and improving the Service and providing certain features. For example, this may include improving the navigation and content of the Service and sharing your information with third parties in order to provide and support our Service or to make certain features of the Service available to you. When we share your Personal Information with third parties, we take steps to protect your information in a manner that is consistent with our obligations under applicable privacy laws. For further information about how we share your information, refer to Section 5 below.
  • To provide suggestions to you and to provide tailored features within our Service that optimize and personalize your experience in reliance on our legitimate interests in administering the Service and providing certain features. 
  • To perform data analytics projects in reliance on our legitimate business interests in improving and enhancing our products and services for our Clients. Our data analytics projects DO NOT USE Personal Information of Targets.
  • To combine and anonymize data about our Clients and our Clients' use of the Service in order to create aggregate, anonymized statistics which we may use to provide certain features within the Service and for promoting and improving the Service in reliance on our legitimate interests.
  • To personalize the Service, content and advertisements we serve to you in reliance on our legitimate interests in supporting our marketing activities and providing certain features within the Service. We may use your Personal Information to serve you specifically, such as to deliver marketing information, product recommendations and non-transactional communications (e.g., email, telemarketing calls, SMS, or push notifications) about us, in accordance with your marketing preferences and this Privacy Policy.

C. Third-Party Integrations
 
We may use the Personal Information we collect or receive through the Service, as a processor and as otherwise stated in this privacy policy, to enable your use of the integrations and plugins you choose to connect to your PhishingBox account.  
 
D. Cookies and Tracking Technologies
 
We and our third-party partners may use various technologies to collect and store Service Usage Data when you use our Service (as discussed above), and this may include using cookies and similar tracking technologies, such as pixels and web beacons. For example, we use web beacons in the emails we send on your behalf, which enable us to track certain behavior, such as whether the email sent through the Service was delivered and opened and whether links within the email were clicked. Web beacons allow us to collect information such as the recipient's IP address, browser, email client type and other similar data as further described above. We use this information to measure the performance of your campaigns, to provide analytics information, enhance the effectiveness of our Service, and for other purposes described above.
 
Our use of cookies and other tracking technologies is discussed in more detail in our Cookie Policy available here.
 
E. Client Target Lists
 
In order to send a campaign or use certain features in your account, you need to upload a Target List that provides us information about your Targets, such as their names and email addresses. We use and process this information to provide the Service in accordance with our contract with you or your organization and this Privacy Policy.
 
A Target List can be created in a number of ways, including by importing Targets, such as through a CSV, third-party integration or API.  We do not, under any circumstances, sell your Target Lists. If someone on your Target List complains or contacts us, we might then contact that person. 
 
F. Your Data Protection Rights
 
Depending on the country in which you reside, you may have the following data protection rights:
 
  • To access; correct; update; port; delete; restrict; or object to our processing of your Personal Information.
  • You can manage your individual account and profile settings within the dashboard provided through the PhishingBox platform, or you may contact us directly by emailing us at privacy@phishingbox.com. You can also manage information about your Targets within the dashboard provided through the PhishingBox platform to assist you with responding to requests to access, correct, update, port or delete information that you receive from your Targets. Note, if any of your Targets wish to exercise any of these rights, they should contact you directly, or contact us as described in the Privacy for Targets section below. You can also contact us at any time to update your own marketing preferences (see Section 5. General Information, C. Your Choices and Opt-Outs below). PhishingBox takes reasonable steps to ensure that the data we collect is reliable for its intended use, accurate, complete, and up to date.
  • The right to complain to a data protection authority about the collection and use of Personal Information. For more information, please contact your local data protection authority. Contact details for data protection authorities in the EEA and UK are available here, and those for Switzerland are available here.
  • Similarly, if Personal Information is collected or processed on the basis of consent, the data subject can withdraw their consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your Personal Information conducted in reliance on lawful processing grounds other than consent. If you receive these requests from Targets, you can segment your lists within the PhishingBox platform to ensure that you only contact Targets who have not opted out.

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection law. We may ask you to verify your identity in order to help us respond efficiently to your request. If we receive a request from one of your Targets, we will either direct the Target to reach out to you, or, if appropriate, we may respond directly to their request.
 
3. Privacy for Targets
 
This section applies to the information we process about our Clients' Targets as a data controller. Our Service is intended for use by our Clients. As a result, for much of the Personal Information we collect and process about Targets through the Service, we act as a processor on behalf of our Clients. PhishingBox is not responsible for the privacy or security practices of our Clients, which may differ from those set forth in this privacy policy. Please check with individual Clients about the policies they have in place. For purposes of this section, "you" and "your" refer to Targets.
 
A. Information We Collect
 
The Personal Information that we may collect or receive about you broadly falls into the following categories:
 
(i) Information we receive about Targets from our Clients: A Client may provide Personal Information about you to us through the Service. When a Client uploads their Target List or integrates the Service with another website or service, or when you contract for services from a Client, the Client may provide us with certain Target information or other Personal Information about you such as your name, email address, address, or telephone number.
 
(ii) Information we collect automatically: When you interact with a campaign that you receive from a Client, we may collect information about your device and interaction with an email. We use cookies and other tracking technologies to collect some of this information. Our use of cookies and other tracking technologies is discussed more below and in more detail in our Cookie Policy available here.
 
Device information: We collect information about the device and applications you use to access emails sent through our Service, such as your IP address, your operating system, your browser ID, and other information about your system and connection.
 
Usage data: It is important for us to ensure the security and reliability of the Service we provide. Therefore, we also collect usage data about your interactions with campaigns (and/or emails) sent through the Service, which may include dates and times you access campaigns (and/or emails) and your browsing activities (such as what pages are viewed and which emails are opened). This information also allows us to ensure compliance with our Terms of Service, to monitor and prevent service abuse, and to ensure we attain certain usage standards and metrics in relation to our Service. We also collect information regarding the performance of the Service, including metrics related to the deliverability of emails and other electronic communications that our Clients send through the Service. This information allows us to improve the content and operation of the Service and facilitate research and perform analysis into the use and performance of the Service.
 
(iii) Information we collect from other sources: From time to time, we may obtain information about you from third-party sources, such as social media platforms, and third-party data providers.
 
B. Use of Personal Information
 
We may use the Personal Information we collect or receive about you in reliance on our (and where applicable, our Clients') legitimate interests for the following purposes:
 
  • To enforce compliance with our Terms of Service and applicable law. This may include utilizing usage data and developing tools and algorithms that help us prevent violations.
  • To protect the rights and safety of Clients, third parties, or PhishingBox. For example, sometimes we review the content of our Clients' campaigns to make sure they comply with our Terms of Service. To improve that process, we have software that helps us find campaigns that may violate our Terms of Service. We, or our third-party service provider, may review those particular campaigns, which may include your Target information.
  • To meet legal requirements, including complying with court orders, valid discovery requests, valid subpoenas, and other appropriate legal mechanisms.
  • To provide information to representatives and advisors, including attorneys and accountants, to help us comply with legal, accounting, or security requirements.
  • To prosecute and defend a court, arbitration, or similar legal proceeding.
  • To respond to lawful requests by public authorities, including to meet national security or law enforcement requirements.
  • To provide, support and improve the Service. For example, this may include sharing your information with third parties in order to provide and support our Service or to make certain features of the Service available to our Clients. When we share Personal Information with third parties, we take steps to protect your information in a manner that is consistent with applicable privacy laws. For further information about how we share information, refer to Section 5 below.
  • To perform data analytics projects in reliance on our legitimate business interests in improving and enhancing our products and services for our Clients. Our data analytics projects DO NOT USE Personal Information of Targets.
  • To carry out other business purposes. To carry out other legitimate business purposes, as well as other lawful purposes about which we will notify you.

C. Cookies and Tracking Technologies
 
We and our third-party partners may use various technologies to automatically collect and store certain device and usage information (as discussed above) when you interact with a Client's campaign, and this may include using cookies and similar tracking technologies, such as pixels and web beacons.  For example, we use web beacons in the emails we send on behalf of our Clients. When you receive and engage with a Client's campaign, web beacons track certain behavior such as whether the email sent through the PhishingBox platform was delivered and opened and whether links within the email were clicked.  Web beacons allow us to collect information such as your IP address, browser, email client type, and other similar data as further described above. We use this information to measure the performance of our Client's campaigns, and to provide analytics information and enhance the effectiveness of our Service, and for the other purposes described above.
 
Our use of cookies and other tracking technologies is discussed in more detail in our Cookie Policy available here.
 
D. Your Data Protection Rights

Depending on the country in which you reside, you may have the following data protection rights:
 
  • To access; correct; update; port; delete; restrict or object to our processing of your Personal Information.
  • You also have the right to complain to a data protection authority about our collection and use of your Personal Information. For more information, please contact your local data protection authority. Contact details for data protection authorities in the EEA are available here.

As described above, for much of the Personal Information we collect and process about Targets through the Service, we act as a processor on behalf of our Clients. In such cases, if you are a Target and want to exercise any data protection rights that may be available to you under applicable law or have questions or concerns about how your Personal Information is handled by PhishingBox as a processor on behalf of our individual Clients, you should contact the relevant Client that is using the PhishingBox Service, and refer to their separate privacy policies.
 
If you no longer want to be contacted by one of our Clients through our Service, contact the Client directly to update or delete your data. If you contact us directly, we may either forward your request to the relevant Client or provide you with the identity of the Client to enable you to contact them directly.
 
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. We may ask you to verify your identity in order to help us respond efficiently to your request.
 
4. Privacy for Visitors

This section applies to Personal Information that we collect and process when you visit the PhishingBox Sites, and in the usual course of our business, such as in connection with our recruitment, events, sales and marketing activities or when you visit our offices. In this section, "you" and "your" refer to Visitors.
 
A. Information We Collect
 
(i) Information you provide to us on the PhishingBox Sites or otherwise: Our PhishingBox Sites offer various ways to contact us, such as through form submissions, email or phone, to inquire about our company and Service. For example, we may ask you to provide certain Personal Information when you express an interest in obtaining information about us or our Service, take part in surveys, subscribe to marketing, apply for a role with PhishingBox, or otherwise contact us. We may also collect Personal Information from you in person when you attend our events or trade shows, if you visit our offices (where you will be required to register as a visitor and provide us with certain information that may also be shared with our service providers) or via a phone call with one of our sales representatives. You may choose to provide additional information when you communicate with us or otherwise interact with us, and we may keep copies of any such communications for our records.
 
The Personal Information we collect may include:
 
  • Business contact information (such as your name, phone number, email address and country);
  • Professional information (such as your job title, institution or company);
  • Nature of your communication;
  • Marketing information (such as your contact preferences); and
  • Any information you choose to provide to us when completing any free text boxes in our forms.

(ii) Information we collect automatically through the PhishingBox Sites: When you visit our PhishingBox Sites or interact with our emails, we and our third-party partners use cookies and similar technologies such as pixels or web beacons, alone or in conjunction with cookies, to collect certain information automatically from your browser or device. In some countries, including countries in the EEA, this information may be considered Personal Information under applicable data protection laws. Our use of cookies and other tracking technologies is discussed more below, and in more detail in our Cookie Policy available here.
 
The information we collect automatically includes:
 
Device information: such as your IP address, your browser, operating system, device information, unique device identifiers, mobile network information, request information (speed, frequency), the site from which you linked to us (referring page), the name of the website you choose to visit immediately after ours (called exit page), information about other websites you have recently visited, the web browser you used (software used to browse the internet, including its type and language), and viewfinder size and script errors.
 
Usage data: such as information about how you interact with our emails, PhishingBox Sites, and other websites (such as the pages and files viewed, session duration, links clicked, searches, non-sensitive text entered, mouse movements, operating system and system configuration information and date/time stamps associated with your usage).
 
B. Use of Personal Information
 
We may use the information we collect through our PhishingBox Sites and in connection with our events and marketing activities (alone or in combination with other data we collect) for a range of reasons in reliance on our legitimate interests, including:
 
  • To provide, operate, optimize, and maintain the PhishingBox Sites.
  • To send you marketing information, product recommendations and non-transactional communications (e.g., email, telemarketing calls, SMS, or push notifications) about us, in accordance with your marketing preferences, including information about our products, services, promotions or events as necessary for our legitimate interest in conducting direct marketing or to the extent you have provided your prior consent.
  • For recruitment purposes if you have applied for a role with PhishingBox.
  • To respond to your online inquiries and requests, and to provide you with information and access to resources or services that you have requested from us.
  • To manage the PhishingBox Sites and system administration and security.
  • To manage event registrations and attendance, including sending related communications to you.
  • To register visitors to our offices for security reasons and to manage non-disclosure agreements that visitors may be required to sign.
  • To improve the navigation and content of the PhishingBox Sites.
  • To identify any server problems or other IT or network issues.
  • To process transactions and to set up online accounts.
  • To compile aggregated statistics about site usage and to better understand the preferences of our Visitors.
  • To help us provide, improve and personalize our marketing activities.
  • To facilitate the security and continued proper functioning of the PhishingBox Sites.
  • To carry out research and development to improve our PhishingBox Sites, products and services.
  • To conduct marketing research, advertise to you, provide personalized information about us on and off our PhishingBox Sites, and to provide other personalized content based on your activities and interests to the extent necessary for our legitimate interests in supporting our marketing activities or advertising our Service or instances where we seek your consent.
  • To carry out other legitimate business purposes, as well as other lawful purposes, such as data analysis, fraud monitoring and prevention, identifying usage trends and expanding our business activities in reliance on our legitimate interests.
  • To cooperate with public and government authorities, courts or regulators in accordance with our legal obligations under applicable laws to the extent this requires the processing or disclosure of Personal Information to protect our rights or is necessary for our legitimate interest in protecting against misuse or abuse of our PhishingBox Sites and Service, protecting personal property or safety, pursuing remedies available to us and limiting our damages, complying with judicial proceedings, court orders or legal processes, or responding to lawful requests.

C. Public Information and Third-Party Websites
 
Blog. We have public blogs on the PhishingBox Sites. Any information you include in a comment on our blog may be read, collected, and used by anyone. If your Personal Information appears on our blogs and you want it removed, contact us at privacy@phishingbox.com. If we are unable to remove your information, we will tell you why.
 
Social media platforms and widgets. The PhishingBox Sites include social media features, such as the Facebook Like button. These features may collect information about your IP address and which page you are visiting on our PhishingBox Site, and they may set a cookie to make sure the feature functions properly. Social media features and widgets are either hosted by a third party or hosted directly on our PhishingBox Site. We also maintain presences on social media platforms, including Facebook, Twitter, and Instagram. Any information, communications, or materials you submit to us via a social media platform is done at your own risk without any expectation of privacy. We cannot control the actions of other users of these platforms or the actions of the platforms themselves. Your interactions with those features and platforms are governed by the privacy policies of the companies that provide them.
 
Links to third-party websites. The PhishingBox Sites include links to other websites, whose privacy practices may be different from ours. If you submit Personal Information to any of those sites, your information is governed by their privacy policies. We encourage you to carefully read the privacy policy of any website you visit.
 
Contests and sweepstakes. We may, from time to time, offer surveys, contests, sweepstakes, or other promotions on the PhishingBox Sites or through social media (collectively, "Promotions"). Participation in our Promotions is completely voluntary. Information requested for entry may include Personal Information such as your name, address, date of birth, phone number, email address, username, and similar details. We use the information you provide to administer our Promotions. We may also, unless prohibited by the Promotions rules or law, use the information provided to communicate with you, or other people you select, about our Service. We may share this information with our subsidiaries or Affiliates and other organizations or service providers in line with this privacy policy and the rules posted for our Promotions.
 
D. Cookies and Tracking Technologies
 
We and our third-party partners use cookies and similar tracking technologies to collect and use Personal Information about you, including to serve interest-based advertising about PhishingBox and its Affiliates. For further information about the types of cookies and tracking technologies we use, why, and how you can control them, please see our Cookie Policy available here.
 
E. Other Data Protection Rights
 
Depending on the country in which you reside, you may have the following data protection rights:
 
  • To access, correct, update, port, delete, restrict, or object to our processing of your Personal Information. You can exercise these rights by emailing privacy@phishingbox.com.
  • You may also have the right to complain to a data protection authority about our collection and use of your Personal Information. For more information, please contact your local data protection authority. Contact details for data protection authorities in the EEA are available here.
  • Similarly, if we have collected and processed your Personal Information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your Personal Information conducted in reliance on lawful processing grounds other than consent. You can also contact us at any time to update your marketing preferences (see Section 5. General Information, C. Your Choices and Opt-Outs below).
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. We may ask you to verify your identity in order to help us respond efficiently to your request.
 
5. General Information
 
A. How We Share Information
 
We may share and disclose your Personal Information with our subsidiaries or Affiliates and to the following types of third parties for the purposes described in this privacy policy (for purposes of this section, "you" and "your" refer to Clients, Targets, and Visitors unless otherwise indicated). 
 
(i) Our service providers: Sometimes, we share your information with our third-party service providers working on our behalf for the purposes described in this privacy policy. For example, companies we've hired to help us provide and support our Service or assist in protecting and securing our systems and services and other business-related functions.
 
(ii) Advertising partners: We may partner with third-party advertising networks, exchanges, and social media platforms (like Facebook) to display advertising on the PhishingBox Sites or to manage and serve our advertising on other sites, and we may share Personal Information of Clients and Visitors with them for this purpose. We and our third-party partners may use cookies and other similar tracking technologies, such as pixels and web beacons, to gather information about your activities on the PhishingBox Sites and other sites in order to provide you with targeted advertising based on your browsing activities and interests. For more information, please see our Cookie Policy available here.
 
(iii) Any competent law enforcement body, regulatory body, government agency, court or other third party where we believe disclosure is necessary (a) as a matter of applicable law or regulation, (b) to exercise, establish, or defend our legal rights, or (c) to protect your vital interests or those of any other person.
 
(iv) A potential buyer (and its agents and advisors) in the case of a sale, merger, consolidation, liquidation, reorganization, or acquisition. In that event, any acquirer will be subject to our obligations under this privacy policy, including your rights to access and choice. We will notify you of the change either by sending you an email or posting a notice on our PhishingBox Site.
 
(v) Any other person with your consent.
 
We may also share anonymized, aggregated information with selected third parties for statistical purposes.
 
B. Legal Basis for Processing Personal Information (EEA and UK Persons Only)
 
If you are located in the EEA or UK, our legal basis for collecting and using the Personal Information described above will depend on the Personal Information concerned and the specific context in which we collect it.
 
However, we will normally collect and use Personal Information from you where the processing is in our legitimate interests and not overridden by your data-protection interests or fundamental rights and freedoms. Our legitimate interests are described in more detail in this privacy policy in the sections above titled Use of Personal Information, but they typically include improving, maintaining, providing, and enhancing our technology, products, and services; ensuring the security of the Service and our PhishingBox Sites; and supporting our marketing activities.
 
If you are a Client, we may need the Personal Information to perform a contract with you. In some limited cases, we may also have a legal obligation to collect Personal Information from you. Where required by law, we will collect Personal Information only where we have your consent to do so.
 
If you have questions or need further information concerning the legal basis on which we collect and use your Personal Information, please contact us using the contact details provided in the "Questions and Concerns" section below.
 
C. Your Choices and Opt-Outs
 
Clients and Visitors who have opted into our marketing emails can opt out of receiving marketing emails from us at any time by clicking the "unsubscribe" link at the bottom of our marketing messages.
 
Also, all opt-out requests can be made by emailing us using the contact details provided in the "Questions and Concerns" section below. Please note that some communications (such as service messages, account notifications, billing information) are considered transactional and necessary for account management, and Clients cannot opt out of these messages unless they cancel their PhishingBox accounts.
 
D. Our Security
 
We take appropriate and reasonable technical and organizational measures designed to protect Personal Information from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the Personal Information. For further information about our security practices, please see our Security page available here. If you have any questions about the security of your Personal Information, you may contact us at privacy@phishingbox.com.
 
E. International Transfers
 
(i) We operate in the United States.
 
Our servers and offices are located in the United States, so your information may be transferred to, stored, or processed in the United States. While the data protection, privacy, and other laws of the United States might not be as comprehensive as those in your country, we take many steps to protect your privacy, including offering our Clients a Data Processing Agreement available by emailing privacy@phishingbox.com.
 
(ii) Clients located in Switzerland, United Kingdom, and the EEA are subject to our Data Processing Addendum available by emailing privacy@phishingbox.com.  
 
(iii) Clients, Targets and Visitors located in Australia
 
If you are a Client, Target or Visitor who accesses our Service in Australia, this section applies to you. We are subject to the operation of the Privacy Act 1988 ("Australian Privacy Act"). Here are the specific points you should be aware of:
  • As stated in our Terms of Service, sensitive personal information is not permitted on PhishingBox's platform and Clients are prohibited from importing or incorporating any sensitive personal information into their PhishingBox accounts or uploading any sensitive personal information to PhishingBox's servers.
  • Please note that if you do not provide us with your Personal Information or if you withdraw your consent for us to collect, use and disclose your Personal Information, we may be unable to provide the Service to you.
  • Where we collect Personal Information of our Visitors, the Personal Information we ask you to provide will be information that is reasonably necessary for, or directly related to, one or more of our functions or activities. Please see Section 4 of this privacy policy for examples of the types of Personal Information we may ask Visitors to provide.
  • Where we say we assume an obligation about Personal Information, we will also require our contractors and subcontractors to undertake a similar obligation.
  • We will not use or disclose Personal Information for the purpose of our direct marketing to you unless:
    • you have consented to receive direct marketing;
    • you would reasonably expect us to use your personal details for marketing; or
    • we believe you may be interested in the material but it is impractical for us to obtain your consent.
You may opt out of any marketing materials we send to you through an unsubscribe mechanism. If you have requested not to receive further direct marketing messages, we may continue to provide you with messages that are not regarded as "direct marketing" under the Australian Privacy Act, including changes to our terms, system alerts, and other information related to your account as permitted under the Australian Privacy Act and the Spam Act 2003 (Cth).
 
  • Our servers are located in the United States. In addition, we or our subcontractors may use cloud technology to store or process Personal Information, which may result in storage of data outside Australia. It is not practicable for us to specify in advance which country will have jurisdiction over this type of offshore activity. All of our subcontractors, however, are required to comply with the Australian Privacy Act in relation to the transfer or storage of Personal Information overseas.
  • We may also share your Personal Information outside of Australia to our business operations in other countries. While it is not practicable for us to specify in advance each country where your Personal Information may be disclosed, typically we may disclose your Personal Information to the United States, Canada and the European Union.
You may access the Personal Information we hold about you. If you wish to access your Personal Information, you may do so by emailing us at privacy@phishingbox.com. We will respond to all requests for access within a reasonable time.
 
If you think the information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, we will take reasonable steps, consistent with our obligations under the Australian Privacy Act, to correct that information upon your request. If you find that the information we have is not up to date or is inaccurate or incomplete, please contact us in writing at privacy@phishingbox.com so we can update our records. We will respond to all requests for correction within a reasonable time.
 
If you are unsatisfied with our response to a privacy matter, you may consult either an independent advisor or contact the Office of the Australian Information Commissioner for additional help. We will provide our full cooperation if you pursue this course of action.
 
F. Retention of Data
 
We retain Personal Information where we have an ongoing legitimate business or legal need to do so. Our retention periods will vary depending on the type of data involved, but, generally, we'll refer to these criteria in order to determine the retention period:
 
  • Whether we have a legal or contractual need to retain the data.
  • Whether the data is necessary to provide our Service.
  • Whether our Clients have the ability to access and delete the data within their PhishingBox accounts.
  • Whether our Clients would reasonably expect that we would retain the data until they remove it or until their PhishingBox accounts are closed or terminated.
When we have no ongoing legitimate business need to process your Personal Information, we will either delete or anonymize it or, if this is not possible (for example, because your Personal Information has been stored in backup archives), then we will securely store your Personal Information and isolate it from any further processing until deletion is possible.
 
G. California Privacy
 
The California Consumer Privacy Act (CCPA) provides consumers with specific rights regarding their Personal Information. You have the right to request that businesses subject to the CCPA (which may include our Clients with whom you have a relationship) disclose certain information to you about their collection and use of your Personal Information over the past 12 months. In addition, you have the right to ask such businesses to delete Personal Information collected from you, subject to certain exceptions. If the business sells Personal Information, you have a right to opt out of that sale. Finally, a business cannot discriminate against you for exercising a CCPA right.
 
When offering services to its Clients, PhishingBox acts as a service provider under the CCPA and our receipt and collection of any consumer Personal Information is completed on behalf of our Clients in order for us to provide the Service. Please direct any requests for access or deletion of your Personal Information under the CCPA to the Client with whom you have a direct relationship.
 
Consistent with California law, if you choose to exercise your applicable CCPA rights, we won't charge you different prices or provide you a different quality of services. If we ever offer a financial incentive or product enhancement that is contingent upon you providing your Personal Information, we will not do so unless the benefits to you are reasonably related to the value of the Personal Information that you provide to us.
 
H. Do Not Track
 
Certain state laws require us to indicate whether we honor Do Not Track settings in your browser. PhishingBox adheres to the standards set out in this Privacy Policy and does not monitor or follow any Do Not Track browser requests.
 
I. Changes to this Policy
 
We may change this privacy policy at any time and from time to time. The most recent version of the privacy policy is reflected by the version date located at the top of this privacy policy. All updates and amendments are effective immediately upon notice, which we may give by any means, including, but not limited to, by posting a revised version of this privacy policy or other notice on the PhishingBox Sites. We encourage you to review this privacy policy often to stay informed of changes that may affect you. Our electronically or otherwise properly stored copies of this privacy policy are each deemed to be the true, complete, valid, authentic, and enforceable copy of the version of this privacy policy that was in effect on each respective date you visited the PhishingBox Site.
 
J. Questions & Concerns
 
If you have any questions or comments, or if you have a concern about the way in which we have handled any privacy matter, please contact us by postal mail or email at:
 
PhishingBox, LLC
Attention: Privacy Officer
400 East Vine Street, Suite 301
Lexington, KY 40507
Email: privacy@phishingbox.com
Phone: 877-634-6847