Skip to content

Legal

Privacy Policy

How we process personal data when you use PhishSpot.

This is a template pending legal review. It is provided for transparency and does not yet constitute final legal terms.

Last updated: 13 July 2026

Data controller

DEVTALENTS Sp. z o.o., ul. Mazowiecka 11/49, 00-052 Warszawa, Poland (NIP PL5272643080) is the controller of personal data processed through PhishSpot. For any privacy question, contact us at [email protected].

Scope of this policy

This policy explains how we process personal data when you use the PhishSpot platform (platform.phishspot.com), our marketing site (phishspot.com), and related services. It does not cover the internal phishing simulations our customers run against their own employees — for those, the customer is the controller and PhishSpot acts as a processor.

What data we process

We process only the data needed to provide the service:

  • Account and profile data — name, work email, organization, role and authentication details.
  • Usage data — pages visited, features used, log and device data needed to operate and secure the service.
  • Campaign and contact data uploaded by customers — the employee contacts and results processed on the customer's behalf.
  • Communications — messages you send to support and any information you choose to share.
  • Cookies and similar technologies — see the Cookies section below.

Purposes of processing

  • Providing, maintaining and securing the PhishSpot platform.
  • Authenticating users and managing accounts and roles.
  • Delivering phishing simulations, training and reporting on behalf of customers.
  • Communicating about support, security and product updates.
  • Complying with legal obligations and preventing abuse.

Legal basis (GDPR)

  • Performance of a contract (Art. 6(1)(b)) — to provide the service you or your organization signed up for.
  • Legitimate interests (Art. 6(1)(f)) — to secure, improve and operate the platform.
  • Consent (Art. 6(1)(a)) — for optional cookies and marketing communications, where required.
  • Legal obligation (Art. 6(1)(c)) — where processing is required by law.

Data retention

We keep personal data only as long as needed for the purposes above or as required by law. Account data is retained for the life of the account and deleted or anonymized after termination, subject to legal retention periods. Customers control the retention of the contact and campaign data they upload.

Your rights

Under the GDPR you have the right to:

  • Access, rectification and erasure of your personal data.
  • Restriction of, and objection to, certain processing.
  • Data portability, where applicable.
  • Withdrawal of consent at any time, without affecting prior processing.
  • Lodging a complaint with a supervisory authority — in Poland, the President of the Personal Data Protection Office (UODO).

International transfers

PhishSpot is built and hosted in the European Union. Where a sub-processor operates outside the EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.

Cookies

We use strictly necessary cookies to run the site and, with your consent, analytics cookies to understand usage. You can control cookies through your browser settings and any cookie banner we present.

Sub-processors

We use a limited set of vetted providers — for example cloud hosting, email delivery (Postal), and DNS (Cloudflare) — bound by data processing agreements. A current list is available on request.

Contact

For any question about this policy or your personal data, contact DEVTALENTS Sp. z o.o. at [email protected] or by post at the address above.