PRIVACY POLICY

Phished BV is committed to protecting your personal data and to complying with the applicable legislation.

1. The controller

Phished BV (hereinafter Phished, “we”, “us” or “our”) with registered office at Bondgenotenlaan 138, 3000 Leuven, Belgium and registered number 0735.908.019, is the controller for the processing of your personal data.

2. The personal data we process

Depending on your role, we collect the following data:

  • Customers: general identification data (such as name, title/function, address, mobile phone or telephone number, email, assigned identification data), financial identification data (such as identification and bank account numbers), financial transactions (such as amounts paid or to be paid), compensations, professional activities (including the company, the nature of the activity, the nature of the goods/services used, business relations), contracts and agreements with Phished, any other personal data that they lawfully provided Phished. The source of this personal data is you or your employer.
  • Partners: general identification data (such as name, title/function, address, mobile phone or telephone number, email, assigned identification data), financial identification data (such as identification and bank account numbers), financial transactions (such as amounts paid or to be paid), compensations, professional activities (including the nature of the activity, the nature of the goods/services used, business relations), contracts and agreements with Phished, any other personal data that they lawfully provided Phished. The source of this personal data is you or your employer.
  • Prospects: general identification data (such as name, title/function, address, mobile phone or telephone number, email), professional activities (including the nature of the activity, the nature of the goods/services used, business relations), any other personal data that they lawfully provided Phished. The source of this personal data is you or your employer.
  • Suppliers: general identification data (such as name, title/function, address, mobile phone or telephone number, email, assigned identification data), financial identification data (such as identification and bank account numbers), financial transactions (such as amounts paid or to be paid), compensations, professional activities (including the nature of the activity, the nature of the goods/services supplied), contracts and agreements with Phished, any other personal data that they lawfully provided Phished. The source of this personal data is you or your employer.
  • Applicants: all personal data which they communicated and lawfully provided Phished (such as a resume and/or cover letter).
  • Website visitors: personal data collected through cookies (see our cookie policy).
  • Social media users: advertising through the personal data they provided to social media channels.

In the exercise of its activities, Phished is also a processor of personal data (for example when sending phishing simulations to an audience specified by the customer). The processing of personal data by Phished, as a processor, is part of the agreements between Phished and the controller(s) and does not constitute a part of this privacy policy.

If you provide us with personal data of a third party, such as your staff, freelancers, customers, suppliers or partners, then you warrant to Phished that you have (a) lawfully obtained such personal data from the third party and lawfully provided it to Phished, (b) provided Phished with personal data that is accurate and up to date, and (c) provided said person with relevant information about the existence and content of this policy.

3. Purposes

We process the personal data for the following purposes:

  • 3.1. Execution of the agreement: the creation of a personal account and/or profile, the correct execution and observance of the agreements (including communications), invoicing, customer service and support: so that we can help you in case of questions and/or problems.
  • 3.2. Purchases via website: the correct execution and observance of the agreements regarding purchases via the website (including communications), processing orders and any after-sales services, invoicing.
  • 3.3. Direct marketing: sending out email notifications and/or newsletters. If you no longer wish to receive these communications, you can use the opt-out provided. Afterwards, you will no longer receive the unwanted direct marketing communications, and we will no longer process your personal data for these direct marketing purposes.
  • 3.4. Applicants’ management.
  • 3.5. Necessary for the functioning of our company: to improve and optimize our services (including through cookies and advertising via social media), to maintain and improve the Website (including through cookies), to ensure the security of our Website and services, to prevent abuse or improper use of our services, to store personal data as evidence or for the purpose of legal, administrative or extrajudicial proceedings, to store personal data to obtain or maintain insurance coverage, manage risk or obtain expert advice, to store personal data to ensure attendance at/participation in events.
  • 3.6. To comply with legal obligations (for example in connection with anti-money laundering and counter terrorism legislation).
  • 3.7. In general: you are not obliged to share your personal data with us, but if you do not communicate the requested personal data, it is possible that we cannot provide you with the desired services and/or products.

4. Legal basis for processing the personal data

The processing of personal data under section 3.1 and 3.2 is based on the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

The processing of personal data of prospects under section 3.3 and the processing of personal data through cookies (other than strictly necessary and functional cookies) under section 3.5 is based on the consent of the data subject.

The processing of personal data of prospects under section 3.3 for customers and the first contact with prospects, as well as the other processing of personal data under section 3.4 and 3.5, is based on our legitimate interests (only when the legitimate interest of our company overrides the interests of the data subjects). The interests were set out under section 3.3-3.5.

The processing of personal data of prospects under section 3.6 is necessary to comply with a legal obligation to which we are subject.

5. Sharing the personal data with others/international transfers

We only disclose relevant aspects of personal data to third parties if those parties are contractually bound to Phished or act on behalf of or under contract to Phished. Naturally, we have made agreements with these parties regarding the protection of your personal data.

However, we may disclose your personal information when such disclosure is necessary to comply with a legal obligation to which we are subject, or to protect your (vital) interests. We may also disclose your personal information when such disclosure is necessary to establish, exercise or defend legal claims, in court proceedings or in administrative or extra-judicial proceedings.

We do not provide personal data to companies outside the European Economic Area, unless there is an adequacy decision, standard provisions, appropriate safeguards, binding corporate rules or transfers referred to in Article 49 (1) GDPR.

In the event of a full or partial reorganisation, merger, demerger, acquisition or sale of assets, we are entitled to transfer personal data to the relevant third party.

You acknowledge that personal data that you submit for publication via our website or services may be available worldwide via the Internet. We cannot prevent the use (or misuse) of such personal information by others.

6. Storage and deletion of personal data

We retain personal data only for as long as necessary for the fulfilment of the purpose set out above. As the retention period depends on the purpose, but also on the type of personal data, these retention periods vary.

7. Your rights

We’ve summarised your rights in this section. As some of these rights are complex, not all details are included in our summaries. Therefore, you should read the relevant laws and regulatory guidelines for a full explanation of these rights.

  • 7.1. Right of access: you have the right to confirm whether or not we process your personal data and, where we do, to have access to the personal data, together with the additional information mentioned in article 15 GDPR. Provided the rights and freedoms of others are not affected, we will provide you with a copy of your personal data.
  • 7.2. Right of rectification: you have the right to have incorrect and/or incomplete personal data corrected and/or completed.
  • 7.3. Right to erase: you have the right to have your personal data deleted in the circumstances mentioned in article 17 (1) GDPR, such as when you withdraw your consent for consent-based processing or object to the processing for direct marketing purposes.

    Phished will then delete your personal data without undue delay, unless the exclusions mentioned in article 17 (3) GDPR apply. For example, Phished will not need to delete your data in case the processing is necessary in order to comply with a legal obligation.
  • 7.4. Right to restrict processing: you have the right to restrict the processing of your personal data in the circumstances mentioned in article 18 (1) GDPR, such as in case you contest the accuracy of the personal data.
  • 7.5. Right to data portability: you have the right to receive the personal data concerning you, which you provided us, in a structured, commonly used and machine-readable format and to transmit such data to another controller if (a) the processing is based on consent or necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract, and (b) such processing is automated. However, this right does not apply where this would harm the rights and freedoms of others.
  • 7.6. Right to withdraw consent: insofar as the legal basis for our processing of your personal data is consent, you have the right to withdraw this consent at any time. The withdrawal of consent does not affect the lawfulness of the processing before its withdrawal.
  • 7.7. Right to lodge a complaint with the supervisory authority: if you believe that our processing of your personal data violates data protection laws, if you do not agree with Phished’s position or if you have any comments regarding the exercise of your personal data, you have the right to file a complaint with the competent supervisory authority.
  • 7.8. Right to object to processing: you have the right to object to our processing of your personal data for direct marketing purposes at any time. Practically, you can do this via the “opt-out” option. Afterwards, you will no longer receive the unwanted direct marketing communications, and we will no longer process your personal data for these direct marketing purposes. Of course, it is possible that we may still contact you in connection with the execution of the agreement.

You also have the right to object to our processing of your personal data based on Article 6 (e) or (f) GDPR for reasons relating to your specific situation. If you object, we will no longer process your personal information unless we can demonstrate compelling legitimate reasons for the processing that exceed your interests, rights and freedoms, or the processing to establish, exercise or defend legal claims.

In addition, you have the right to object to our processing of your personal data for scientific, historical or statistical (research) purposes for reasons relating to your specific situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

8. Contact

In case you want to contact us regarding this policy, you can contact us via mail to our DPO: [email protected].

If you are contacting us because you want to exercise one of your rights (see section 7), we kindly request you to indicate clearly which right you want to exercise. Please be as specific as possible when exercising your rights.

9. Cookies

You can read more about our use of cookies via the following link.

PRIVACY POLICY FOR RECIPIENTS

Phished BV (hereinafter “Phished”, “we”, “us” or “our”) is committed to processing your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”) and other applicable legislation.

Phished will process your personal data for and on behalf of its customer, the organisation who will be using our services. Phished therefore qualifies as the processor of your personal data, and the customer qualifies as the controller.

The controller may have its own privacy policy regarding the processing of your personal data by Phished, in which case these policies should be read together. In case of contradiction, the policy of the Controller prevails (as certain specific agreements may have been made with the Controller).

1. The controller

Your organisation (hereinafter “the Controller” or “the Customer”) appointed you as part of the target audience for the performance of the following services (hereinafter “Services”) by Phished:

  • performing simulated phishing attacks on the logged employees of the Customer (in its broadest sense, hereinafter “Employees”) (and systems of the Customer);
  • training the Employees by means of e-learning;
  • the automatic delivery (via web portal) of detailed reports regarding the results hereof.

The Customer and Phished have concluded an agreement on the performance of these Services.

2. The processor

Phished BV with registered office at Bondgenotenlaan 138, 3000 Leuven, Belgium and registered number 0735.908.019, is the processor for the processing of your personal data in order to execute the Services.

3. Contact

In case you want to contact us regarding this policy, you can contact us via mail to our DPO: [email protected].

If you want to exercise one of your rights (see section 8), we kindly request you to contact the Customer.

4. The personal data we process

We process the following of your personal data:

  • name;
  • email address;
  • language;
  • position at the company;
  • open/click/report behaviour and results.

Optional:

  • department within the company;
  • location within and/or of the company;
  • mobile phone or telephone number;
  • e-mail data (see below) (depending on settings in the Phished account).

This data is provided to us by the Customer, who (a) lawfully obtained such personal data from you and lawfully provided it to Phished, (b) provided Phished with personal data that is accurate and up to date, and (c) will provide you with relevant information about the processing activities.

5. Purposes

We process the personal data because it is necessary for the performance of the Services. In this regard we process your personal data for the following purposes on behalf of the Customer:

  • making the Phished software available in accordance with the agreements between Phished and the Customer (including, but not limited to, creating a recipient account for you and ensuring the proper functioning of the Phished software);
  • increasing the awareness level of the dangers of phishing via the Phished software and tracking the users of the software, including (but not limited to):
    • sending and receiving communications via email, text or voice message (depending on the settings) (e.g. notification of phishing simulation or a suspected real phishing e-mail).
      • These do not constitute direct marketing. Nevertheless, if you no longer wish to receive these communications, please contact the Customer, who may give its permission to stop these communications. However, we do not recommend this as you will no longer benefit from our training and the Customer benefits best from training when as many of its Employees as possible are participating.
      • If the Customer chose the option “handle reports in application” or “handle reports in application & forward reports to email” in the Phished account and possible phishing e-mails are reported:
        • via the Phished Report Button in Gmail: Phished will only process Gmail message bodies (incl. attachments), metadata, headers and settings, to identify a mail as a phishing simulation from Phished or as a potential phishing threat when reported via the Phished Report Button. This data is encrypted and the processing will also adhere to the Google API Services User Data Policy (Policy), incl. Limited Use requirements.
        • via the Phished Report Button in Outlook: Phished will only process Outlook message bodies (incl. attachments), metadata, headers and language settings, to identify a mail as a phishing simulation from Phished or as a potential phishing threat when reported via the Phished Report Button. This data is encrypted.
        • by forwarding them: Phished will only process the message bodies (incl. attachments) and headers to identify a mail as a phishing simulation from Phished or as a potential phishing threat when forwarded. This data is encrypted.
      • If the Customer chose the option “forward reports to email” in the Phished account and possible phishing e-mails are reported to Phished via the Phished Report Button in Gmail or Outlook or by forwarding, Phished will not process these e-mails.
    • organizing continuous performance management: keeping track of personal objectives, 1-on-1s and feedback for you.
    • measuring engagement on a continuous basis via the Phished Academy, using e.g. either Phished’s set of questions or a self-chosen set of questions.
    • storage of phishing results.
    • keeping phishing results available for the Customer via statistics.
    • adjustments of the phishing simulations.

Phished will not process your personal data for any other purpose than for the performance of the Services and/or for the fulfilment of the responsibilities laid down in the agreement entered into between Phished and the Customer. Phished will only process your personal data on behalf of the Customer and in accordance with the documented instructions of the Customer.

6. Sharing the personal data with others/international transfers

We only disclose relevant aspects of personal data to third parties if those parties are contractually bound to Phished or act on behalf of or under contract to Phished. Naturally, we have made agreements with these parties regarding the protection of your personal data.

Phished may disclose personal data when such disclosure is necessary to comply with a legal obligation to which we are subject, or to protect (vital) interests. We may also disclose the personal data when such disclosure is necessary to establish, exercise or defend legal claims, in court proceedings or in administrative or extra-judicial proceedings.

We do not provide personal data to companies outside the European Economic Area, unless there is an adequacy decision, standard provisions, appropriate safeguards, binding corporate rules or transfers referred to in Article 49 (1) GDPR.

In the event of a full or partial reorganisation, merger, demerger, acquisition or sale of assets, we are entitled to transfer the personal data to the relevant third party.

7. Storage and deletion of personal data

The personal data will be retained for the duration of the contract between Phished and the Customer and will be deleted (e.g. through anonymization) after 6 months of inactivity following termination of this contract. Unless otherwise agreed upon between Phished and the Customer, we are allowed to further use anonymized aggregated data, which does not constitute personal data, to improve our services.

In any case, you, as a data subject, or the Customer may contact us at any time regarding a request to anonymize or delete certain personal data (for example if you are no longer working for the Customer).

8. Your data protection rights

Your requests concerning the exercise of your data protection rights should be addressed to the Customer. Nevertheless, for clarity, we’ve summarised your rights in this section. As some of these rights are complex, not all details are included in this summary. Therefore, you can read the relevant laws and regulatory guidelines for a full explanation of these rights or contact the Customer.

8.1. Right of access and a copy of your personal data: you have the right to be informed on whether or not the Customer processes your personal data and, where it does, to have access to the personal data, together with the additional information mentioned in article 15 GDPR. Provided the rights and freedoms of others are not affected, the Customer shall provide you with a copy of your personal data.

8.2. Right of rectification: you have the right to have incorrect and/or incomplete personal data corrected and/or completed.

8.3. Right to erase: you have the right to have your personal data deleted in the circumstances mentioned in article 17 (1) GDPR, such as when you withdraw your consent for consent-based processing.

8.4. Right to restrict processing: you have the right to restrict the processing of your personal data in the circumstances mentioned in article 18 (1) GDPR, such as in case you contest the accuracy of the personal data.

8.5. Right to data portability: you have the right to receive the personal data concerning you, which you provided to the Customer, in a structured, commonly used and machine-readable format and to transmit such data to another controller if (a) the processing is based on consent or necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract, and (b) such processing is automated. However, this right does not apply where this would harm the rights and freedoms of others.

8.6. Right to withdraw consent: insofar as the legal basis for the processing of your personal data is consent, you have the right to withdraw this consent at any time. The withdrawal of consent does not affect the lawfulness of the processing before its withdrawal.

8.7. Right to lodge a complaint with the supervisory authority: if you believe that the processing of your personal data violates data protection laws, if you do not agree with the Customer’s position or if you have any comments regarding the exercise of your rights, you have the right to file a complaint with the competent supervisory authority.

8.8. Right to object to processing: you have the right to object to the processing of your personal data for direct marketing purposes at any time as long as the exclusions mentioned in article 17 (3) GDPR do not apply (for example if processing is necessary in order to comply with a legal obligation). As mentioned above, any communication you receive from Phished does not qualify as direct marketing.

You also have the right to object to the processing of your personal data based on Article 6 (e) or (f) GDPR for reasons relating to your specific situation. In addition, you have the right to object to the processing of your personal data for scientific, historical or statistical (research) purposes for reasons relating to your specific situation.

9. Cookies

You can read more about our use of cookies via the following link.

10. Updates

Phished reserves the right to make changes and/or updates to this Privacy Policy to reflect technological advancements, legal and regulatory changes and good business practices.