Privacy Policy
Last updated: May 2026 · Effective: May 2026
1. Who We Are
PhishGuard ("we", "our", "us") is a security awareness SaaS platform operated in Canada. We are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) and the privacy laws of the Province of Ontario.
2. Information We Collect
Account information: When you register, we collect your email address, hashed password, and optional full name. We never store passwords in plain text.
Company information: The name and timezone of your organization, provided by you during onboarding.
Employee data: Email addresses, names, and department names of your employees, uploaded by you via CSV. You are responsible for having a lawful basis to process this data under PIPEDA.
Campaign data: We record whether each employee clicked a simulation link (yes/no) and the timestamp. We record no other interaction data: no keystrokes, no form inputs, no credentials.
Technical data: Server logs (IP addresses, request timestamps) for security and debugging purposes. These are retained for 30 days.
3. Information We Never Collect
- Passwords or credentials entered on simulated phishing pages
- Financial account numbers or payment card details (Stripe handles payments)
- Biometric data or health information
- Any data from employees beyond what you explicitly upload
4. How We Use Your Information
- To authenticate your account and provide access to the Service
- To run phishing simulation campaigns on your behalf
- To generate risk score reports and analytics for your organization
- To send transactional emails (account verification, password resets, invoices)
- To improve service reliability and debug issues
We do not use your data for advertising, profiling, or marketing to third parties.
5. Data Sharing & Third Parties
We share data only with the following categories of service providers, bound by data processing agreements:
- Stripe Inc.: Payment processing. Stripe's privacy policy applies to payment card data.
- AWS (Amazon Web Services) or SendGrid (Twilio): Email delivery, if you choose these providers.
- Sentry: Error monitoring (crash reports only; no personal data is included in error reports).
We never sell personal information to third parties.
6. Data Retention
Campaign results and employee data are retained for as long as your account is active plus 90 days after account deletion. You can delete your data at any time by contacting us. Server logs are retained for 30 days.
7. Your Rights (PIPEDA)
Under PIPEDA you have the right to:
- Access the personal information we hold about you
- Correct inaccurate information
- Request deletion of your account and associated data
- Withdraw consent (subject to legal or contractual obligations)
- File a complaint with the Office of the Privacy Commissioner of Canada
To exercise any of these rights, email us at [email protected].
8. Security
We use industry-standard security practices: bcrypt password hashing, HTTPS-only communication, JWT tokens with short expiry, and rate limiting on authentication endpoints. Our infrastructure is hosted in Canadian or US regions with SOC 2-certified providers.
9. Cookies
PhishGuard does not use tracking cookies or third-party analytics cookies. We use localStorage in the browser only to persist your session token and UI preferences (such as dark mode).
10. Changes to This Policy
We will notify you by email and in-app notice at least 14 days before any material changes take effect.
11. Contact
For privacy questions or to exercise your PIPEDA rights: [email protected]