Acceptable Use Policy

Last updated: May 16, 2026

1. Agreement and Scope

This Acceptable Use Policy (the "AUP") is a binding agreement between you as an individual user ("you" or "User") and Haxoris Labs s. r. o. ("Haxoris Labs", "PhishGun", "we", "us", or "our"). It governs your access to and use of PhishGun websites, dashboards, training pages, phishing simulation pages, reporting workflows, integrations, support channels, and related services (the "Service").

PhishGun is a defensive security awareness and phishing simulation platform. The Service must be used only for lawful, authorized, internal security awareness, training, simulation, reporting, and related defensive testing. It must not be used for real phishing, fraud, credential theft, malware delivery, harassment, unlawful surveillance, or unauthorized social engineering.

If you use PhishGun through your employer or another organization, that organization may have a separate agreement with us, including our Terms of Service. That organization-level agreement governs the organization's commercial rights and responsibilities. This AUP governs your individual conduct when you access or use the Service.

2. Acceptance and Privacy Notice

You accept this AUP when you click or tap an acceptance control, create an account, sign in, access a PhishGun training or simulation page, use a reporting button or workflow, or otherwise use the Service after this AUP has been made available to you. If you do not accept this AUP, you must not use the Service.

Our Privacy Policy explains how Haxoris Labs processes personal data. The Privacy Policy is a notice, not a contract. By accepting this AUP, you acknowledge that the Privacy Policy has been made available to you, but you are not being asked to agree to the Privacy Policy as a separate legal agreement.

3. Company Details

Haxoris Labs s. r. o.
Karpatské námestie 7770/10A
Bratislava - mestská časť Rača 831 06
Slovak Republic
IČO: 57 591 954
Registered with the Business Register of the City Court Bratislava III, Section Sro, Insert No. 199032/B
Email: info@phishgun.com

4. User Roles

This AUP applies to all Users, including:

  • Administrators and customer users who configure accounts, campaigns, integrations, participant lists, templates, domains, mail settings, reporting workflows, or analytics.
  • Participants who receive training, interact with simulated phishing messages or pages, submit reported emails, complete quizzes, or otherwise participate in security awareness activities.
  • Visitors who access PhishGun websites, support materials, forms, or other public parts of the Service.

5. Authorized Use

You may use the Service only in the way your organization, your role, and this AUP allow. You must comply with applicable laws, this AUP, our instructions, and any lawful internal policies or instructions from the organization that provides your access.

Administrators and customer users may use the Service only for organizations, domains, inboxes, users, systems, integrations, and data that they own, control, administer, or are expressly authorized in writing to use for security awareness or defensive testing.

Participants may use the Service only to complete assigned training, interact with authorized simulations, report suspicious emails, review feedback, and access their own allowed results or learning materials.

6. Campaign and Administrator Rules

If you configure, approve, launch, or manage a phishing simulation, training assignment, email reporting workflow, landing page, template, integration, or related campaign, you must:

  • have express authorization for the campaign, target list, domain, sender identity, mailbox, and integration;
  • use only domains, sender addresses, and participant email domains that your organization owns, controls, or is authorized to use;
  • complete any domain verification, deliverability testing, identity verification, or approval steps we require;
  • choose a lawful and proportionate campaign scope, frequency, timing, target population, and scenario;
  • provide or coordinate any required notices, legal bases, consents, works council approvals, union consultations, or internal approvals;
  • review and approve all customer-created, customized, imported, or AI-assisted content before use;
  • avoid simulation themes that are likely to cause disproportionate distress, humiliation, discrimination, or workplace harm;
  • ensure that fake login pages record only the security event, not real passwords, MFA codes, payment data, tokens, private keys, or other secrets;
  • not use PhishGun outputs as the sole basis for employment, disciplinary, legal, financial, or similarly significant decisions; and
  • promptly stop a campaign if you learn that it is unauthorized, unlawful, harmful, or materially outside the approved scope.

7. Participant Rules

If you receive or interact with PhishGun training, simulations, reporting workflows, or feedback pages, you must use them only as intended. You must not attack, probe, scan, overload, bypass, tamper with, automate, scrape, or attempt to defeat PhishGun pages, links, forms, tracking, training, or reporting workflows.

Do not enter real passwords, MFA codes, payment-card details, private keys, tokens, health data, government identifiers, or other sensitive information into a simulation page. If you are unsure whether something is a simulation, follow your organization's security reporting process.

Do not forward simulation messages, training materials, links, screenshots, or reported email data outside your organization unless your organization has authorized that sharing or the sharing is required by law.

8. Prohibited Misuse

You must not, and must not help anyone else, use the Service to:

  • conduct real phishing, business email compromise, fraud, extortion, credential theft, identity theft, or other deceptive abuse;
  • target any person, inbox, domain, organization, system, network, or account without authorization;
  • collect, harvest, store, solicit, or attempt to obtain passwords, MFA codes, payment-card data, authentication tokens, private keys, session cookies, secrets, or other credentials;
  • upload, host, link to, deliver, or execute malware, ransomware, spyware, exploit code, credential harvesters, destructive payloads, or code designed to compromise systems;
  • send spam, unsolicited commercial messages, unauthorized bulk messages, mailbombs, or messages that violate anti-spam, telecommunications, or platform rules;
  • make unauthorized calls, texts, voice messages, or other communications where those features are supported;
  • misrepresent your identity, authorization, affiliation, role, or relationship with any person or organization;
  • impersonate a government agency, regulator, law-enforcement body, court, emergency service, or other authority in a misleading or unlawful way;
  • invade privacy, harass, threaten, defame, shame, discriminate against, intimidate, or knowingly cause needless anxiety to any person;
  • submit or transmit content that is abusive, obscene, pornographic, hateful, discriminatory, violent, defamatory, malicious, or otherwise unlawful;
  • violate intellectual property, trademark, publicity, confidentiality, data protection, employment, telecommunications, export, sanctions, or other legal rights or duties;
  • damage, disable, overburden, impair, interfere with, or disrupt the Service, our infrastructure, our sending reputation, our domains, our IP addresses, or another user's use of the Service;
  • probe, scan, penetration test, vulnerability test, bypass, or attempt unauthorized access to the Service or any related system unless we have expressly authorized it in writing;
  • scrape, crawl, copy, benchmark for competitive purposes, reverse engineer, decompile, disassemble, or attempt to derive source code, models, algorithms, non-public APIs, or non-public information from the Service;
  • share accounts, passwords, API keys, tokens, integration secrets, or unique access links with unauthorized people;
  • bypass usage limits, sending limits, seat limits, rate limits, safety controls, payment controls, or security features;
  • resell, sublicense, lease, timeshare, service-bureau, or otherwise provide the Service to a third party unless our written agreement with your organization allows it; or
  • use the Service to build, train, improve, benchmark, or market a competing product or service.

9. Names, Brands, and Legal Notices

You must not use third-party names, logos, brands, trademarks, likenesses, copyrighted materials, or confidential information in the Service unless you have a lawful basis to do so. When a simulation uses third-party branding for security awareness purposes, you must use appropriate disclaimers and avoid suggesting endorsement, sponsorship, or affiliation where none exists.

You must not remove, hide, alter, or interfere with PhishGun legal notices, proprietary notices, security warnings, disclaimers, unsubscribe or opt-out mechanisms where required, or educational disclosures that appear in templates, landing pages, training materials, or other parts of the Service.

10. Account and System Security

You are responsible for keeping your account credentials, access links, API keys, tokens, integration secrets, devices, and sessions secure. You must use reasonable security practices, including strong authentication where available, and promptly notify your organization or us if you suspect unauthorized access, credential compromise, data loss, or misuse involving the Service.

You must not access another person's account, training record, report, campaign, mailbox, integration, or data unless you are authorized to do so.

11. Customer Content and Data You Submit

You are responsible for content, files, emails, URLs, templates, participant data, reported messages, comments, prompts, configurations, and other materials that you submit to or use with the Service. You must have the rights and authority needed to submit and use those materials.

Do not submit unnecessary personal data, sensitive data, confidential data, live malware, real credentials, private keys, or other secrets unless your organization's agreement with us expressly allows it and you have confirmed that the submission is lawful, necessary, authorized, and appropriately protected.

12. Reporting Violations and Abuse

You must promptly report actual or suspected illegal, unauthorized, harmful, or abusive use of the Service. If you use PhishGun through an organization, first follow that organization's security reporting process unless doing so is impossible or unsafe.

You may also contact us at info@phishgun.com. Abuse reports should include enough detail for us to investigate, such as URLs, message headers, screenshots, campaign names, timestamps, account identifiers, or other relevant context where lawful to provide.

13. Enforcement

If we reasonably believe this AUP has been violated, or that use of the Service creates legal, security, operational, deliverability, reputational, privacy, or third-party risk, we may take action immediately. This may include limiting, suspending, or terminating access; pausing campaigns; disabling links, pages, templates, domains, integrations, or sending; removing content; preserving evidence; notifying the relevant customer; and cooperating with service providers, regulators, or law enforcement where appropriate.

Violations may also result in civil, criminal, employment, or contractual consequences under applicable law or under your organization's policies and agreements. We are not liable for losses caused by enforcement actions taken in good faith under this AUP.

14. Changes to This AUP

We may update this AUP from time to time. Updated versions will be posted on our website or made available through the Service. If a change is material, we will take reasonable steps to notify customers or Users where required. Continued use of the Service after an updated AUP becomes effective means you accept the updated AUP.

15. Contact

Questions about this AUP may be sent to:
Haxoris Labs s. r. o.
Email: info@phishgun.com