Privacy policy

How we handle personal information across PhishEye websites, the digital risk protection platform, and related communications.

Last updated: April 5, 2026

This Privacy Policy explains how PhishEye Ltd (trading as "PhishEye," and referred to as "we," "us," or "our"), with its registered office at 17 Hanover Square, London W1S 1BN, United Kingdom, collects, uses, stores, shares, and protects information when you visit our websites, use the PhishEye service (including trials and paid subscriptions), communicate with us, or otherwise interact with us online. It also describes certain rights you may have under applicable privacy laws, including the UK GDPR and, where relevant, the EU GDPR.

By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service. Where local law requires separate consent (for example, for certain cookies or marketing), we will request it as required.

Interpretation and definitions

Capitalized terms used in this policy have the meanings below, whether they appear in singular or plural.

  • Account means a registered profile that lets you access parts of the Service.
  • Company means PhishEye Ltd, with its registered office at 17 Hanover Square, London W1S 1BN, United Kingdom. For the UK GDPR and the EU GDPR (where applicable), the Company is typically the data controller for personal data described in this policy unless we tell you otherwise (for example, where we act only as a processor on behalf of your organization). Contact details are listed under Contact us.
  • Cookies are small files stored on your device that help operate the Service, remember preferences, measure performance, or support security.
  • Device means any computer, phone, tablet, or other device used to access the Service.
  • Personal data / personal information means information that identifies or relates to an identified or identifiable individual, as defined by applicable law (including the UK GDPR, the EU GDPR, and the CCPA/CPRA where those laws apply).
  • Service means PhishEye websites, the PhishEye platform and related APIs, onboarding and support flows, and other online properties we operate in connection with digital risk protection (such as phishing, scam, impersonation, and typosquat monitoring and takedown workflows).
  • Service provider means a vendor that processes information on our behalf (for example, hosting, email delivery, authentication, analytics, customer support tooling, or payment processing). Under the GDPR, service providers are often referred to as processors.
  • Usage data means technical and activity information collected automatically, such as IP address, browser type, pages viewed, timestamps, diagnostic logs, and security signals.
  • You means the individual using the Service, or the organization on whose behalf that individual acts, as applicable.

Information we collect

Information you provide

We collect information you submit when you request a demo, use our contact form, create or administer an Account, complete onboarding, correspond with support, sign contracts, or otherwise engage with us. This may include:

  • Name, work email address, phone number, job title, and company name
  • Account credentials and security settings (including when you sign in through an identity provider)
  • Billing and procurement contacts (billing details are generally handled by payment processors)
  • Content you upload or generate in the product (for example, domains, alerts, notes, attachments, and workflow data you choose to store in PhishEye)
  • Survey responses, event registrations, and marketing preferences

Usage data and device information

When you use the Service, we automatically collect certain technical information, which may include IP address, device identifiers, browser and operating system details, referring URLs, pages and features used, time spent, crash diagnostics, and similar telemetry needed to operate, secure, and improve the Service.

Single sign-on and identity providers

If you authenticate through a third-party identity service (such as Google, Microsoft, or an enterprise SSO provider), we may receive profile details that provider makes available to us, such as your name and email address. That provider's use of your information is governed by its own policies.

Cookies and similar technologies

We use cookies, local storage, pixels, and similar technologies for essential functions (such as authentication and security), to remember preferences, to measure how the Service performs, and—where permitted—to support marketing and analytics. You can control many cookies through your browser settings; blocking required cookies may limit certain features.

We may use session cookies (which expire when you close your browser) and persistent cookies (which remain for a defined period). Third-party service providers may also set cookies subject to their policies.

How we use information

We use personal information to:

  • Provide, operate, maintain, and secure the Service
  • Create and manage Accounts; authenticate users; detect fraud and abuse
  • Perform our contract with you (including billing, renewals, and service levels where applicable)
  • Communicate about the Service, including technical notices, security alerts, and support responses
  • Send promotional or educational communications where permitted, and honor unsubscribe requests
  • Analyze usage trends, debug issues, and improve features, reliability, and documentation
  • Comply with law, enforce our terms, and protect rights, safety, and property
  • Evaluate or complete a merger, acquisition, financing, reorganization, or asset sale (see below)

How we share information

We may disclose personal information:

  • To service providers who assist us under contractual obligations consistent with this policy (hosting, email, analytics, security, payments, and similar functions)
  • With affiliates under common control, where they are bound to appropriate confidentiality and processing rules
  • With professional advisers (such as auditors or counsel) where necessary
  • For business transfers in connection with a merger, acquisition, or sale of assets, subject to applicable notice requirements
  • When required by law or to respond to lawful requests by public authorities
  • To protect PhishEye and others where we reasonably believe disclosure is necessary to prevent harm, investigate misuse, or defend legal claims
  • With your direction or consent

We do not sell your personal information to data brokers. Certain partnerships—such as analytics or advertising technologies—may involve disclosures that are treated as a "sale," "sharing," or "targeted advertising" under U.S. state privacy laws. Where those laws apply, we describe additional rights and choices below.

Retention

We retain personal information for as long as needed to provide the Service, meet legal, tax, and accounting obligations, resolve disputes, and enforce agreements. Usage data may be kept for shorter periods unless needed for security, fraud prevention, or product improvement. Retention schedules can vary by data category and jurisdiction.

International transfers

We are established in the United Kingdom. We may process and store information in the UK, the EEA, the United States, and other countries where we or our service providers operate. Those countries may have data protection laws that differ from your own. Where UK or EU law requires safeguards for transfers outside the UK or EEA, we use appropriate mechanisms (such as the UK International Data Transfer Agreement or Addendum, the EU Commission standard contractual clauses with the UK Addendum where applicable, or other lawful transfer tools).

Security

We implement administrative, technical, and organizational measures designed to protect personal information. No method of transmission or storage is completely secure; we cannot guarantee absolute security. See Trust for a high-level overview of how we approach security and availability.

Service providers and specific processing activities

Our vendors may process personal information to deliver the Service. Categories commonly include cloud infrastructure, authentication, email and messaging, analytics, customer relationship management, security monitoring, and payment processing. We require service providers to use information only as instructed and subject to confidentiality and security obligations.

Email and transactional messages

We use email providers (including Resend) to send messages such as contact form submissions, account notifications, and—where you have opted in or the law allows—marketing. Those providers process recipient addresses and message metadata as described in their policies.

Analytics

We may use analytics tools to understand traffic and product usage. Depending on configuration, analytics providers may collect device and usage information subject to their own privacy policies and your browser or device controls.

Payments

If you purchase paid offerings, payment details are collected directly by payment processors. We do not store full payment card numbers on our servers. Processors handle card data in line with PCI-DSS and their privacy policies.

Advertising and remarketing

We may work with advertising partners to measure campaigns or deliver ads on third-party sites or apps. Those partners may use cookies or similar technologies. Industry opt-out tools include the NAI opt-out page, the DAA opt-out page, and (for users in the EEA/UK) Your Online Choices. Mobile devices may offer settings to limit ad tracking.

Legal bases (UK GDPR and EU GDPR)

Where the UK GDPR or the EU GDPR applies, we rely on one or more of the following legal bases:

  • Contract — processing necessary to provide the Service or take steps before entering a contract
  • Legitimate interests — for example, securing the Service, improving features, and limited marketing to business contacts, balanced against your rights
  • Consent — where we ask for it (such as certain cookies or marketing), which you may withdraw at any time
  • Legal obligation — where processing is required by law

Where statutory or contractual requirements apply to providing personal data, we will explain that at the point of collection.

Your rights (UK GDPR and EU GDPR)

If you are in the UK, EEA, or Switzerland, you may have the right to access, correct, delete, or restrict processing of your personal data; to receive a portable copy where applicable; to object to certain processing (including direct marketing); and to lodge a complaint with a supervisory authority. In the UK, the supervisory authority is the Information Commissioner's Office (ICO). You may exercise these rights by contacting us. We may need to verify your identity before responding.

California and other U.S. state privacy rights

This section supplements the rest of the policy for residents of U.S. states that grant privacy rights (such as California under the CCPA/CPRA). Terms like "sell," "share," and "personal information" follow those laws.

Categories collected (illustrative)

In the preceding twelve months, we may have collected the following categories of personal information, depending on how you use the Service:

  • Identifiers — such as name, email, phone, IP address, and online identifiers
  • Customer records (Cal. Civ. Code § 1798.80(e)) — such as contact details you provide in a business context
  • Commercial information — such as records of services purchased or considered
  • Internet or network activity — such as browsing or usage interactions with the Service
  • Professional or employment-related information — such as employer and role, when you provide it

We do not knowingly collect sensitive categories enumerated in applicable law for discriminatory profiling, and the Service is not intended to collect biometric, health, or education records within the scope of specialized sector laws referenced in the CCPA.

Sources and purposes

We collect personal information directly from you, automatically through your use of the Service, and in some cases from service providers, identity partners, or your organization. We use it for the purposes described in How we use information and How we share information above.

Your California rights

California residents may request access to categories and specific pieces of personal information we hold, correction of inaccuracies, deletion subject to exceptions, information about certain disclosures, and—to the extent applicable—opt-out of sale/sharing or targeted advertising. We will not discriminate against you for exercising these rights.

To submit a request, use the contact page or the email below. We will verify your request in line with applicable law (which may include matching information you provide with our records). You may designate an authorized agent where permitted; we may require proof of authorization.

Do Not Track

There is no uniform industry standard for how browsers communicate Do Not Track signals. We may not respond to all such signals; you can control cookies through browser settings and the tools described above.

Children

The Service is directed to businesses and adult users. We do not knowingly collect personal information from children under 13 (or under 16 where a higher age threshold applies). If you believe a child has provided us personal information, contact us and we will take appropriate steps to delete it.

California Shine the Light

California residents with an established business relationship may request certain information about personal information disclosed to third parties for their direct marketing purposes once per calendar year. Submit requests through the contact methods below.

California minors (Business & Professions Code § 22581)

If you are a California resident under 18 and a registered user, you may ask us to remove content you publicly posted on the Service. Requests must identify the material and your account. Removal may not be complete where law permits retention or third parties have republished content.

Third-party links

The Service may link to third-party sites or integrations. We are not responsible for their privacy practices. Please read their policies before providing information.

Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised version on this page and update the "Last updated" date. If changes are material, we will provide additional notice as required by law (for example, by email or an in-product message).

Contact us

Registered office of PhishEye Ltd: 17 Hanover Square, London W1S 1BN, United Kingdom.

For privacy questions or requests, contact us via phisheye.com/contact or email contact@phisheye.com. Please include enough detail for us to verify and fulfill your request.