Privacy Policy

PhishShield Technologies Pvt. Ltd. ('PhishShield', 'we', 'us', or 'our') operates the phishing simulation and security awareness platform at phishshield.in ('Platform'). This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our Platform.

This policy applies to all visitors, registered users, and organizations ('Customers') that access the Platform. By using PhishShield, you agree to the collection and use of information in accordance with this policy.

We comply with India's Digital Personal Data Protection Act, 2023 (DPDPA), the Information Technology Act, 2000, and, where applicable, the EU General Data Protection Regulation (GDPR).

We collect the following categories of personal data:

• Account data: name, email address, organization name, job title, and password hash when you register.
• Billing data: payment method details processed by Razorpay. We do not store full card numbers — Razorpay tokenizes payment credentials on their PCI-DSS compliant servers.
• Usage data: pages visited, features used, campaign configurations, and interaction timestamps collected automatically.
• Target employee data: names, email addresses, phone numbers, and department information uploaded by Customers for simulation purposes.
• Simulation event data: click events, form submissions, and training completion records generated during phishing simulations.
• Device data: IP address, browser type, operating system, and referring URL collected via server logs and analytics.
• Communications: emails or messages you send to our support or sales team.

We use collected data for the following purposes:

• Providing and operating the Platform — delivering phishing simulations, training modules, and analytics dashboards.
• Billing and payments — processing subscriptions and invoices via Razorpay.
• Security — detecting and preventing fraud, abuse, and unauthorized access.
• Product improvement — analyzing aggregated usage patterns to improve Platform features.
• Customer support — responding to support tickets and technical queries.
• Legal compliance — meeting obligations under applicable Indian and international laws.
• Marketing communications — only if you have explicitly opted in. You may unsubscribe at any time.

We do not sell, rent, or share your personal data with third parties for their own marketing purposes.

PhishShield processes personal data about your employees ('targets') solely as a Data Processor acting on your instructions as the Data Fiduciary (as defined under DPDPA 2023).

Target data is used exclusively to execute phishing simulations you configure. We do not use target employee data for any purpose outside your organization's simulation program.

Simulation tracking data (click events, credential submissions) is simulated — no real credentials are captured. All tracking is scoped to your private organizational tenant and is not accessible to other customers.

Customers are responsible for obtaining appropriate consent from employees before enrolling them in simulation programs, as required by applicable employment laws and DPDPA 2023.

We share data with the following categories of third-party service providers, under strict data processing agreements:

• Razorpay Financial Solutions Pvt. Ltd. — payment processing and subscription billing.
• Twilio Inc. — SMS and voice call delivery for smishing and vishing simulations.
• SendGrid (Twilio) — transactional email delivery for phishing simulation emails.
• Anthropic PBC — AI language model inference for AI spear phishing template generation.
• Neon Technologies Inc. — managed PostgreSQL database hosting.
• Vercel Inc. — application hosting and edge delivery.
• Upstash Inc. — Redis-based job queuing for campaign dispatch.
• Vercel Analytics — anonymized, privacy-first website analytics.
• Google Analytics — website traffic analytics (see Cookie Policy).

We do not transfer personal data outside India except where required to use the above services, in which case appropriate safeguards (Standard Contractual Clauses or equivalent) are in place.

We retain personal data for as long as your account is active or as needed to provide services. Specific retention periods:

• Account data: retained for the duration of your subscription and deleted within 30 days of account closure upon request.
• Simulation event data: retained for 24 months by default; Customers may request earlier deletion.
• Billing records: retained for 7 years as required by Indian tax and financial regulations.
• Support communications: retained for 3 years.
• Server logs: retained for 90 days.

Under DPDPA 2023 and GDPR (where applicable), you have the following rights:

• Right to access: request a copy of the personal data we hold about you.
• Right to correction: request correction of inaccurate or incomplete data.
• Right to erasure: request deletion of your personal data, subject to legal retention obligations.
• Right to data portability: receive your data in a machine-readable format.
• Right to withdraw consent: withdraw consent for marketing communications at any time.
• Right to grievance redressal: lodge a complaint with our Grievance Officer or the Data Protection Board of India.

To exercise any of these rights, email legal@phishshield.in with subject line 'Data Rights Request'. We will respond within 30 days.

We implement industry-standard security measures to protect your data:

• All data in transit is encrypted using TLS 1.3.
• All data at rest is encrypted using AES-256.
• Access to production systems is restricted to authorized personnel via MFA-protected accounts.
• Passwords are stored as bcrypt hashes — we never store plaintext passwords.
• We conduct regular security assessments and penetration testing.

No method of transmission over the Internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

We use cookies and similar tracking technologies. Please see our Cookie Policy at phishshield.in/cookies for full details of which cookies we set, their purpose, and how to control them.

The Platform is intended for use by organizations and their adult employees. We do not knowingly collect personal data from individuals under 18 years of age. If you believe a minor has provided us with personal data, contact us at legal@phishshield.in.

We may update this Privacy Policy from time to time. We will notify you of material changes via email (if you are a registered user) and by posting the updated policy on this page with a revised 'Last updated' date. Continued use of the Platform after the effective date constitutes acceptance of the revised policy.

PhishShield Technologies Pvt. Ltd.

Grievance Officer: legal@phishshield.in

For data protection queries under DPDPA 2023, email legal@phishshield.in with subject 'DPDPA Grievance'. We will respond within 30 days as required by applicable law.