PhishCare - Privacy Policy

Effective Date: 18/03/2025

CyberSapiens Pty Ltd (“Company,” “we,” “our,” or “us”) operates PhishCare, a phishing simulation and cybersecurity training tool. This Privacy Policy explains how we collect, use, disclose, and protect your personal data. By using PhishCare, you consent to the practices outlined in this policy.

1. Information We Collect

We may collect the following types of information:

1.1 Personal Information

  • Name, email address, job title, and contact details when you register or communicate with us.
  • Payment details if you subscribe to PhishCare.
  • User account credentials and preferences.

1.2 Technical and Usage Data

  • IP address, browser type, and device information.
  • Log data related to interactions with PhishCare.
  • Cookies and similar tracking technologies.

1.3 Phishing Simulation Data

  • Name, email address, and job title for the user group list.
  • Responses to phishing simulations.
  • Performance analytics and reporting data.
  • Employee awareness assessment results.

1.4 Third-Party SMTP Mail Data

  • PhishCare uses third-party SMTP services to send phishing simulation emails on behalf of organizations.
  • To facilitate email delivery, we may collect and store:
      • Email addresses of users participating in simulations.
      • SMTP server details, including hostname and authentication credentials (encrypted where applicable).
      • Email delivery status, logs, and bounce reports for tracking email performance.
      • Metadata related to emails sent through the system (e.g., timestamps, recipient details).
  • We do not access the content of emails beyond what is necessary for phishing simulations.

2. Lawful Basis for Processing

We process personal data based on the following legal bases under GDPR:

  • Contractual Necessity: To provide and maintain PhishCare services.
  • Legitimate Interest: To improve phishing simulations and user experience.
  • Consent: For optional tracking, marketing, and non-essential data collection.
  • Legal Obligation: To comply with applicable laws and regulations.

Users can withdraw consent at any time by contacting sales@phishcare.com.

3. How We Use Your Information

We use collected data to:

  • Provide and maintain PhishCare services.
  • Improve the effectiveness of phishing simulations.
  • Enhance user experience and cybersecurity training.
  • Process payments and manage subscriptions.
  • Ensure compliance with legal and regulatory requirements.
  • Detect, prevent, and address security risks or fraud.
  • Monitor third-party SMTP email delivery performance and troubleshoot issues.

4. Sharing and Disclosure of Data

We do not sell, rent, or trade personal information. However, we may share data in the following circumstances:

  • With Your Organization: If you use PhishCare through your employer, simulation results and analytics may be shared with your organization.
  • Service Providers: Third-party vendors may process payments, provide hosting, or support PhishCare operations under strict confidentiality agreements.
  • Third-Party SMTP Providers: If PhishCare integrates with an external SMTP service, email delivery logs and metadata may be shared with the provider for operational purposes. We ensure that all third-party SMTP providers are contractually bound under a Data Processing Agreement (DPA) ensuring GDPR compliance.
  • Legal Compliance: If required by law, we may disclose data to law enforcement or regulatory authorities.
  • Business Transfers: In case of a merger, acquisition, or sale of assets, data may be transferred to the new entity.

5. Data Security

We implement industry-standard security measures to protect personal data, including:

  • Encryption and secure storage of sensitive information.
  • Access controls to limit unauthorized access.
  • Regular security assessments and monitoring.

6. Data Retention

We retain personal data only as long as necessary for the purposes outlined in this policy or as required by law. Data related to phishing simulations may be anonymized and retained for analytical purposes.

7. User Rights Under GDPR

Under GDPR, users have the following rights:

  • Access & Rectification: Request access to and correction of personal data.
  • Erasure (Right to be Forgotten): Request deletion of personal data under applicable conditions.
  • Restriction & Objection: Restrict or object to certain data processing activities.
  • Data Portability: Request a copy of data in a portable format.
  • Withdraw Consent: Withdraw consent for processing where applicable.

To exercise these rights, contact us at sales@phishcare.com.

8. Data Breach Notification

In the event of a data breach affecting personal data, we will:

  • Assess and mitigate the impact.
  • Notify affected users if there is a high risk to their rights and freedoms.
  • Inform relevant data protection authorities within 72 hours, as required under GDPR.

9. Cookies and Tracking Technologies

We use cookies and similar tracking tools to:

  • Improve website functionality and user experience.
  • Analyse usage patterns for better service delivery.

Users can manage cookie preferences through browser settings or opt out where applicable.

10. International Data Transfers

If you access PhishCare from outside Australia, your data may be transferred to and stored in jurisdictions with data protection laws, as applicable. We ensure appropriate safeguards, such as Standard Contractual Clauses (SCCs), are in place to protect your information.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Users will be notified of significant changes, and continued use of PhishCare implies acceptance of the revised policy.

12. Contact Information

For any privacy-related inquiries, contact us at:

CyberSapiens Pty Ltd
Email: sales@phishcare.com
Address: Lvl 1 206 Lorimer St, Port Melbourne, Australia