Introduction
At Phished, safeguarding your privacy as a Phished software user and ensuring data protection are paramount. We process certain personal information of Phished software users as part of our contractual obligations. In the spirit of transparency, we provide insight into the personal data processed by Phished.
Answer
In compliance with the GDPR, and to adhere to the principle of purpose limitation, Phished processes personal data solely for the purposes outlined in our Data Processing Agreement (DPA), primarily making the Phished software available.
For creating users and using the Phished software
Phished processes the following personal data:
- Name
- Email address
- Language
- Position within the company
- Behaviour (open/click/report) and results
Optionally (namely if the client decides to provide this information to Phished), the following personal data may also be processed:
- Department within the company
- Location of the company
For reporting emails
When reporting phishing simulations or actual phishing threats, only the following personal data will be stored by Phished:
- If the client chooses the option “handle reports in application” or “handle reports in application & forward reports to email” in their Phished account and the users report possible phishing e-mails to Phished:
  - via the Phished Report Button in Gmail: Phished will only process Gmail message bodies (incl. attachments), metadata, headers and settings, to identify a mail as a phishing simulation from Phished or as a potential phishing threat when reported via the Phished Report Button.
  - via the Phished Report Button in Outlook: Phished will only process Outlook message bodies (incl. attachments), metadata, headers and language settings, to identify a mail as a phishing simulation from Phished or as a potential phishing threat when reported via the Phished Report Button.
  - by forwarding them: Phished will only process the message bodies (incl. attachments) and headers to identify a mail as a phishing simulation from Phished or as a potential phishing threat when forwarded.
- If the client chooses the option “forward reports to email” in their Phished account and possible phishing e-mails are reported to Phished via the Phished Report Button in Gmail or Outlook or by forwarding, Phished will not store these e-mails. The incoming e-mail will be held in (volatile) memory and then forwarded to the client without being stored by Phished.
The client/controller can choose a retention period for the reported e-mails in their Phished account.
For our AI-assistant, ARIA
When your Phished admin utilizes ARIA (the chatbot function) to address inquiries, the following personal data is stored:
- Any personal data included in the text prompt
- The answer provided by ARIA
ARIA solely relies on the knowledge base created by Phished and does not access personal data of users on our platform.
For example, if you inquire about Sarah's login issue, ARIA will provide an answer based on why a login could fail, without accessing Sarah's specific user account.
ARIA will never use any personal data received via the admin or any other personal data which is being processed by Phished for machine-learning purposes, nor will this data be added to the knowledge base.
Other useful FAQs
How long does Phished store personal data?