Privacy Policy

Privacy at SimuPhish.

This policy describes how SimuPhish LTD (Company Number 16167880, registered at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ) collects, uses, stores, shares, and protects personal data in connection with our services. We operate under the UK GDPR, the Data Protection Act 2018, and other applicable privacy regulations.

Last updated: 6 April 2025

1. Introduction.

SimuPhish LTD ("SimuPhish", "we", "our", or "us") is a UK-registered company committed to protecting the privacy and data of every user of our platform. This policy explains what we collect, why we collect it, how we keep it safe, and the rights you have over your personal data.

2. Information we collect.

From customers and administrators: name, email, phone, company, job title, billing details, contract history, hashed credentials, authentication tokens, support tickets, feedback, and product preferences. From end users (employees inside customer tenants): name, work email, department, drill performance, behavioural signals, training progress, IP address, device type, and browser metadata; these are processed for risk profiling within the customer's tenant. Automatically collected: log data (timestamps, session IDs), platform usage analytics, and navigation history.

3. How we use your information.

We process personal data only to deliver SimuPhish: to run phishing drills, measure behavioural risk, personalise training, produce dashboards and risk analytics, send reminders and notifications, detect and respond to abuse or breaches, and improve the platform. All processing follows the principle of data minimisation.

5. Data storage and retention.

Customer data is stored on ISO 27001 and SOC 2 compliant infrastructure inside the UK and the EEA. Retention is set by your contract or 12 months after end of subscription, whichever is later. Customers may request early deletion or anonymisation at any time.

6. Data sharing and disclosure.

We do not sell personal data. We share only with: subprocessors under signed Data Processing Agreements (hosting, analytics), law enforcement or regulators when legally required, and entities inside our corporate structure for business continuity. The current subprocessor list is available on request.

7. Your rights.

Under the UK GDPR you have the right to access your data, request rectification or deletion, object to or restrict processing, request portability, and lodge a complaint with the UK Information Commissioner's Office (ICO). Email contact@simuphish.com to exercise any of these rights.

8. Security measures.

We encrypt data in transit and at rest, enforce multi-factor authentication and role-based access control, run continuous vulnerability scanning and annual third-party penetration testing, and require background checks and security training for every employee.

9. International data transfers.

Where data is transferred outside the UK or the EEA, we rely on the UK International Data Transfer Addendum (IDTA), the EU Standard Contractual Clauses, and additional technical and organisational safeguards. Customers contracted out of our Dubai entity are covered by UAE PDPL aligned terms.

10. Cookies.

We use strictly necessary, performance, and analytics cookies. Non-essential cookies are opt-in via the cookie banner. Cookie preferences can be adjusted at any time.

11. Children's privacy.

SimuPhish is not designed for or directed at children under 16. We do not knowingly collect personal data from minors.

12. Changes to this policy.

We may update this policy from time to time. Material changes will be communicated via email or in-app notification. The latest version is always available at simuphish.com/privacy.

Questions on this policy?

Talk to a real person.

Email contact@simuphish.com. We reply within one business day. No bots, no ticket queues.
