1. Introduction
Phishy provides phishing simulation and security awareness services. This policy covers how we handle personal data for marketing, trials, billing, support, and the product itself.
2. Data we process
For marketing and sales we process the contact information you choose to submit. Inside the product we process workspace names, employee names, work emails, campaign events, reporting data, and support communications needed to run the service.
3. Why we process it
We process data to provide the service, operate trials, answer support requests, collect subscription payments, and improve the product. Marketing messages require opt-in consent where that is legally required.
4. Retention & deletion
We keep customer data only for as long as it is needed to operate the service, meet legal obligations, support customer exports, or complete deletion requests. If you need a specific deletion or export timeline, email privacy@phishy.dk and we will confirm the current process in writing.
6. Security posture
Phishy is currently operated as an early-access service. Security controls, support promises, and compliance claims are described conservatively in the public Security page and contract materials rather than overstated here.
7. Sub-processors
We use third parties only where needed to operate the product, such as hosting, email delivery, and payments. If you need the current sub-processor list for review, request it by emailing privacy@phishy.dk.
8. Your rights
You can ask for access, correction, export, deletion, restriction, or objection by emailing privacy@phishy.dk. If we act as a processor for your workspace, we will route the request through your administrator where appropriate.
9. Contact
For privacy questions, DPA requests, or deletion requests, email privacy@phishy.dk.