SERVICES PRIVACY POLICY

 
Updated: 05/16/2018
 
PhishingBox LLC (PhishingBox) respects your privacy. This Service Privacy Policy describes the privacy practices for PhishingBox's Services at https://www.phishingbox.com (the "Service").
 
This policy does not govern information related to our informational website.  For our privacy practices related to our website, please review our Online Privacy Policy.
 
YOUR USE OF THE SERVICES OFFERED BY PHISHINGBOX IS CONDITIONED UPON YOUR ACCEPTANCE OF THE TERMS OF SERVICE LOCATED AT WWW.PHISHINGBOX.COM AS WELL AS THIS SERVICES PRIVACY POLICY. IF YOU DO NOT ACCEPT THE TERMS OF SERVICE OR TERMS OF THIS POLICY, DO NOT USE THE SERVICES OFFERED BY PHISHINGBOX.
 
NOT INTENDED FOR CHILDREN
PhishingBox is a company focused on serving the needs of businesses.  Our services are not intended for children.  PhishingBox does intentionally obtain information from persons under 18 years of age.
 
COMPLIANCE WITH PRIVACY SHIELD FRAMEWORK
PhishingBox complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework(s) (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom and/or Switzerland, as applicable, to the United States in reliance on Privacy Shield.  PhishingBox has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/participant?id=a2zt00000008RF6AAM&status=Active.
 
TYPE AND PURPOSE OF DATA COLLECTED
 
Personal Data: If you choose to sign up for the Service, we collect the following personal information from you:  your name, email address, and phone number.  We use this information to establish an account on our system for clients to use our Service.  We will also use this information to respond to service requests, and send activity, security, training, or feature notices to users and administrators.
 
Payment Information: We may collect and process payment information from you when you subscribe to the Service, including credit card numbers and billing information.  We process credit card information using third-party PCI-compliant service providers.
 
Customer Data: PhishingBox provides an online system that our customers use to send simulated phishing emails. In providing this service, PhishingBox processes data our customers submit to our services or instruct us to process on their behalf.  PhishingBox processes data submitted by customers for the purpose of providing simulated email phishing campaigns, training, and reports to our customers.
 
Cookies: We use session cookies to enable certain features of the Service. Session cookies usually expire and are deleted when you close your web browser. Session cookies must be enabled to use the Service. 
 
Log Files: As is true of most websites, we gather certain information automatically. This information may include Internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring/exit pages, the files viewed on our site (e.g., HTML pages, graphics, etc.), operating system, date/time stamp, and/or clickstream data to analyze trends in the aggregate and administer the site.
 
IP Address: In addition to the above, the client administrator may configure the system to restrict access to the Service to specific IP addresses, such as an approved corporate network.
 
Single Sign On: Client administrators may configure the Service to import and authenticate users with various Single Sign On providers, including name and email address. It is the client’s responsibility to understand the privacy policies of their Single Sign On provider. 
 
GSuite Plugin: If our Inbox plugin for GSuite is enabled, the PhishingBox system will have access to the authorized account's email header, body, and attachments.  This information is solely used to identify suspicious emails, such as phishing attempts.  Based on user actions, these emails may be forwarded or deleted.
 
SECURITY
PhishingBox takes reasonable precautions to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration, and destruction. The security principles that govern our Service are outlined in our Security Summary, available at https://www.phishingbox.com/resources
 
SHARING DATA / ACCOUNTABILITY FOR ONWARD TRANSFER
 
Your privacy is important to us. We do not sell or otherwise disclose your personal information we obtain through the Services to third parties, except as described here.
 
PhishingBox uses a limited number of third-party service providers to assist us in providing our services to customers. These third-party providers offer customer support to our customers, perform database monitoring and other technical operations, assist with the transmission of data, and provide data storage services. These third parties may access, process, or store personal data in the course of providing their services. PhishingBox maintains contracts with these third parties, restricting their access, use and disclosure of personal data in compliance with our Privacy Shield obligations, and PhishingBox may be liable if they fail to meet those obligations and we are responsible for the event giving rise to damage.
 
We reserve the right to transfer any information we have about you in the event we sell or transfer all or a portion of our business or assets (including in the event of a reorganization, dissolution or liquidation).
 
We reserve the right to disclose your personal information as required by law or legal process, in response to a request by law enforcement authorities, when we believe that disclosure is necessary or appropriate to protect our rights or to prevent physical harm or financial loss, or in connection with an investigation of suspected or actual illegal activity.
 
RIGHTS TO ACCESS PERSONAL DATA
Where appropriate, PhishingBox provides Consumers with reasonable access to the Personal Data PhishingBox maintains about them. PhishingBox also provides a reasonable opportunity for Consumers to correct, amend or delete that information where it is inaccurate, as appropriate. PhishingBox may limit or deny access to Personal Data where providing such access is unreasonably burdensome or expensive under the circumstances, or as otherwise permitted by the Privacy Shield principles. The right to access personal information also may be limited in some circumstances by local law requirements. Consumers may request access to their Personal Data by contacting PhishingBox as indicated below.
 
In circumstances in which PhishingBox maintains Personal Data about Consumers with whom PhishingBox does not have a direct relationship because PhishingBox obtained or maintains the Consumers' data as a service provider for its Customers, PhishingBox's Customers are responsible for providing Consumers with access to the Personal Data and the right to correct, amend or delete the information where it is inaccurate. In these circumstances, Consumers should direct their questions to the appropriate PhishingBox Customer. When a Consumer is unable to contact the appropriate Customer, or does not obtain a response from the Customer, PhishingBox will provide reasonable assistance in forwarding the individual's request to the Customer.
 
CHOICE
In circumstances in which PhishingBox collects Personal Data directly from Consumers, it offers Consumers the opportunity to choose whether PhishingBox may (i) disclose their Personal Data to certain third parties or (ii) use their Personal Data for a purpose that is incompatible with the purpose for which the information was originally collected or subsequently authorized by the individual. Consumers may contact PhishingBox as indicated below regarding the company's use or disclosure of their Personal Data.
 
In circumstances in which PhishingBox maintains Personal Data about Consumers with whom PhishingBox does not have a direct relationship because PhishingBox obtained or maintains the Consumers' data as a service provider for its Customers, PhishingBox's Customers are responsible for providing the relevant individuals with certain choices with respect to the Customers' use or disclosure of the individual's Personal Data.
 
PhishingBox may disclose Personal Data without offering an opportunity to opt out (i) to service providers the Company has retained to perform services on its behalf, (ii) if it is required to do so by law or legal process, (iii) to law enforcement or other government authorities, or (iv) when PhishingBox believes disclosure is necessary to prevent physical harm or financial loss, or in connection with an investigation of suspected or actual illegal activity. PhishingBox also reserves the right to transfer Personal Data in the event it sells or transfers all or a portion of its business or assets (including in the event of a reorganization, dissolution or liquidation). Should such a sale or transfer occur, PhishingBox will use reasonable efforts to direct the transferee to use the Personal Data in a manner that is consistent with PhishingBox's privacy policies. PhishingBox uses Personal Data only for the purposes indicated in this Policy or the Online Privacy Policy unless it has a legal basis, such as consent, to use it for other purposes. To the extent required by law, PhishingBox obtains prior opt-in consent at the time of collection for the processing of (i) Personal Data for marketing purposes and (ii) Sensitive Data, to the extent that PhishingBox collects any Sensitive Data.
 
 
FILING A PRIVACY COMPLAINT
In compliance with the EU-US and Swiss-US Privacy Shield Principles, PhishingBox commits to resolve complaints about your privacy and our collection or use of your personal information.  European Union or Swiss individuals with inquiries or complaints regarding this privacy policy should first contact PhishingBox as outlined in the Contact Us section of this policy.
 
PhishingBox has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, JAMS.  If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.jamsadr.com/eu-us-privacy-shield for more information and to file a complaint.
 
RECOURSE, ENFORCEMENT AND LIABILITY
PhishingBox is responsible for the processing of personal data it receives, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. PhishingBox complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.
 
With respect to personal data received or transferred to the Privacy Shield Framework, PhishingBox is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, PhishingBox may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
 
Under certain conditions, more fully described on the Privacy Shield website https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
 
DATA INTEGRITY & PURPOSE LIMITATION
PhishingBox takes reasonable steps to ensure that the Personal Data the company processes are (i) relevant for the purposes for which they are to be used, (ii) reliable for their intended use, and (iii) accurate, complete and current. In this regard, PhishingBox depends on its Consumers and Customers (with respect to Personal Data of Consumers with whom PhishingBox does not have a direct relationship) to update and correct Personal Data to the extent necessary for the purposes for which the information was collected or subsequently authorized by the individuals. Consumers (and Customers, as appropriate) may contact PhishingBox as indicated below to request that PhishingBox update or correct relevant Personal Data.
 
LINKS TO OTHER SITES
This service may contain links to other websites that are not owned or controlled by PhishingBox. The linked websites may have their own privacy policies which we strongly suggest you review. To the extent such websites are not owned or controlled by PhishingBox, we are not responsible for the website’s content or privacy practices, or for any use of the websites.
 
FORUMS
This site offers publicly accessible community forums. You should be aware that any information you provide in these areas may be read, collected and used by others who access them. To request removal of your personal information from the community forum, contact us via one of the methods listed in this privacy policy.  In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.
 
CHANGES TO POLICY
From time to time, and without prior notice to you, PhishingBox may update this Policy to reflect changes in our personal information practices. We will post the updated version on this page and indicate at the top of the Policy when it was most recently updated.
 
If we make any material changes, we will notify you by email (sent to the email address specified in your account) or by means of a notice within the Service.  We encourage you to periodically review this page for the latest information on our privacy practices.
 
CONTACT US ABOUT PRIVACY
If you have any questions or concerns with regard to our privacy policies, please contact us by mail, email, or phone.
 
PhishingBox LLC
Attention: Data Privacy Officer
400 East Vine Street, Suite 301
Lexington, KY 40507
 
Email: privacy@phishingbox.com
Phone: 877.634.6847