Privacy Policy
Effective Date: May 16, 2026
Last Updated: May 17, 2026
Introduction
Phishies, operated by Startupsmith Ltd (“Startupsmith”, “we”, “us”, “our”), respects your privacy and is committed to protecting your personal information.
This Privacy Policy explains how we collect, use, store, disclose, and protect personal information when you access or use the Phishies platform, website, APIs, communications, applications, and related services available at https://catchphishies.com (collectively, the “Service”).
By using the Service, you acknowledge that your information will be processed as described in this Privacy Policy.
If you have questions or privacy requests, contact us at hello@catchphishies.com.
Definitions
- Personal Information / Personal Data means information relating to an identified or identifiable individual.
- Processing means any operation performed on personal data, including collection, storage, use, disclosure, transfer, or deletion.
- User means any person or organisation using the Service.
- Customer means the organisation or individual administering phishing simulations or security awareness activities through the Service.
- Participant means an individual who may receive phishing simulations, calls, messages, training exercises, or related interactions through the Service.
Information We Collect
Information You Provide Directly
We may collect information you provide directly, including:
- name and email address;
- account credentials and profile information;
- billing and subscription information;
- communications with our support team;
- uploaded files, scripts, contact lists, templates, recordings, or training materials;
- information submitted through forms, surveys, or support channels.
Payment card details are processed securely by third-party payment providers. We do not store full payment card numbers on our systems.
Information Collected Automatically
We may automatically collect:
- IP address;
- browser type and device information;
- operating system;
- usage activity and interactions with the Service;
- timestamps, log data, and diagnostics;
- cookie identifiers and session information;
- analytics and performance information.
Third-Party Authentication Data
If you sign in using services such as Google, Apple, GitHub, or other identity providers, we may receive limited profile information including:
- your name;
- email address; and
- unique account identifier.
We do not receive passwords from third-party authentication providers.
Security Simulations, Audio, and Behavioural Data
Because Phishies provides cybersecurity awareness and phishing simulation services, we may process additional categories of information related to simulations and training exercises.
Depending on how the Service is used, this may include:
- participant names and contact details uploaded by customers;
- simulation delivery records and interaction metadata;
- behavioural outcomes and training metrics;
- responses to phishing simulations or awareness exercises;
- call recordings, transcripts, voice samples, or audio analysis data;
- AI-generated or AI-assisted simulation content;
- support interactions and training results.
Customers are responsible for ensuring they have all necessary rights, permissions, notices, and lawful bases required to provide participant information and conduct simulations using the Service.
We process this information for purposes including:
- delivering cybersecurity awareness and phishing simulations;
- improving platform functionality and detection systems;
- fraud prevention and platform security;
- customer reporting and analytics;
- troubleshooting and support.
Where required by law, customers are responsible for obtaining any necessary recording or monitoring consents from participants.
How We Use Information
We may use personal information to:
- provide, operate, and maintain the Service;
- create and manage accounts;
- process transactions and subscriptions;
- deliver phishing simulations and security awareness features;
- generate reports, analytics, and behavioural insights;
- improve and develop features;
- detect fraud, abuse, or security incidents;
- communicate with users;
- comply with legal obligations;
- enforce our Terms and policies.
Where applicable under GDPR or similar laws, our legal bases may include:
- consent;
- performance of a contract;
- compliance with legal obligations; and
- legitimate interests.
AI-Powered Features
Phishies may use artificial intelligence and machine learning technologies to support simulations, behavioural analysis, recommendations, reporting, and other platform features.
You acknowledge that:
- information submitted to AI-powered features may be processed by third-party AI infrastructure providers acting on our behalf;
- AI-generated outputs may not always be accurate or appropriate;
- AI outputs are provided for informational and training purposes only;
- users should not rely on AI-generated content as legal, financial, or professional advice.
We recommend that users avoid submitting highly sensitive personal information to AI-powered tools unless necessary for the intended use of the Service.
Where required by applicable law, we seek to implement appropriate human oversight for AI-assisted features.
Cookies and Tracking Technologies
We use cookies and similar technologies to:
- maintain sessions and authentication;
- improve functionality and performance;
- analyse usage patterns;
- support security features.
Where required by law, non-essential cookies are only placed after consent.
You can control cookies through your browser settings or consent preferences made available through the Service.
Disabling some cookies may impact functionality.
Analytics
We may use analytics providers such as Google Analytics to understand website usage, improve performance, and monitor platform reliability.
Analytics tools may collect information such as:
- pages visited;
- session duration;
- browser and device details;
- referral information;
- general geographic region.
Where supported, we may enable privacy-enhancing settings such as IP anonymisation and limited data retention.
You can opt out of certain analytics tracking through browser settings or available opt-out tools.
Payments and Financial Transactions
Payments are processed by third-party payment processors.
We use encryption and industry-standard safeguards to protect payment-related information during transmission.
Transaction records may be retained for accounting, tax, fraud prevention, and legal compliance purposes.
Email Communications
We may send:
- transactional emails;
- account notifications;
- support communications; and
- marketing communications where permitted by law.
You may unsubscribe from marketing emails at any time using the unsubscribe link included in communications or by contacting hello@catchphishies.com.
We may retain suppression information to ensure opt-out preferences are respected.
User-Uploaded Content
Files, recordings, scripts, templates, contact lists, and other uploaded materials may be stored and processed as part of the Service.
Uploaded content may be scanned using automated tools for:
- malware detection;
- abuse prevention;
- security monitoring;
- policy enforcement.
Uploaded content is retained only for as long as reasonably necessary to provide the Service, comply with legal obligations, resolve disputes, or enforce agreements.
Third-Party Service Providers
We work with trusted third-party providers that help us operate the Service, including providers relating to:
- hosting and cloud infrastructure;
- analytics;
- authentication;
- payments;
- customer support;
- AI and machine learning infrastructure;
- monitoring and security.
These providers may process personal information on our behalf subject to contractual and confidentiality obligations.
How We Share Information
We do not sell personal information.
We may share information:
- with service providers acting on our behalf;
- where required by law or legal process;
- to protect rights, safety, security, or property;
- in connection with mergers, acquisitions, financing, or business transfers;
- with consent or at the direction of users.
Data Security
We implement reasonable technical and organisational measures designed to protect personal information against unauthorised access, loss, misuse, alteration, or disclosure.
Security measures may include:
- HTTPS/TLS encryption;
- access controls and authentication safeguards;
- password hashing;
- monitoring and logging systems;
- security reviews and vulnerability management processes.
No method of storage or transmission is completely secure, and we cannot guarantee absolute security.
Data Retention
We retain personal information only for as long as reasonably necessary for the purposes described in this Privacy Policy, including:
- providing the Service;
- complying with legal obligations;
- resolving disputes;
- enforcing agreements;
- maintaining security and backup systems.
Retention periods may vary depending on the type of information and applicable legal requirements.
Where possible, information is deleted, anonymised, or de-identified when no longer required.
International Data Transfers
Your information may be processed or stored in countries outside your jurisdiction, including by third-party service providers.
Where required by applicable law, we take reasonable steps to implement appropriate safeguards for international data transfers.
Your Privacy Rights
Depending on your location and applicable law, you may have rights to:
- access personal information we hold about you;
- request correction of inaccurate information;
- request deletion of personal information;
- object to or restrict certain processing;
- withdraw consent where processing relies on consent;
- request portability of certain information.
To exercise privacy rights, contact hello@catchphishies.com.
We may need to verify your identity before processing requests.
We will not discriminate against individuals for exercising lawful privacy rights.
Children’s Privacy
The Service is not directed to children under 13 years of age.
We do not knowingly collect personal information from children where prohibited by law.
If we become aware that we have collected personal information from a child in violation of applicable law, we will take reasonable steps to delete it.
External Links
The Service may contain links to third-party websites or services.
We are not responsible for the privacy practices or content of third-party services.
Do Not Track Signals
Some browsers support “Do Not Track” signals.
Because there is currently no universally accepted standard for responding to such signals, the Service may not respond differently to them.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time.
When material changes are made, we will update the “Last Updated” date and may provide additional notice through the Service or by email.
Continued use of the Service after updates take effect constitutes acknowledgment of the revised Privacy Policy.
Contact Us
If you have questions or privacy requests, please contact:
- Website: https://catchphishies.com
- Email: hello@catchphishies.com
- Legal Entity: Startupsmith Ltd