Privacy Policy
The legal text below is the authoritative English version.
Last updated: May 8, 2026
1. Who We Are
This Privacy Policy explains how Haxoris Labs s. r. o. ("Haxoris Labs", "PhishGun", "we", "us", or "our") processes personal data when you visit our website, contact us, or use the PhishGun phishing simulation, reporting, and security awareness platform (the "Service").
Controller details:
Haxoris Labs s. r. o.
Karpatské námestie 7770/10A
Bratislava - mestská časť Rača 831 06
Slovak Republic
IČO: 57 591 954
Registered with the Business Register of the City Court Bratislava III, Section Sro, Insert No. 199032/B
Email: info@phishgun.com
2. Scope
This policy covers personal data processed through PhishGun websites, dashboards, customer accounts, integrations, support channels, marketing communications, phishing simulations, reported-email workflows, and related services.
Our customers are usually companies, public-sector bodies, or other organizations using PhishGun for authorized security awareness and resilience testing. This policy does not replace the privacy notice that a customer must provide to its own employees, contractors, or other campaign participants.
3. Our GDPR Role
We process personal data in two main roles:
- Controller. We decide how and why to process personal data relating to website visitors, prospects, customer account administrators, billing contacts, support contacts, and our own marketing communications.
- Processor. For personal data that a customer uploads, syncs, or generates in PhishGun about its employees, contractors, or other campaign participants, the customer is the controller and we process that data on the customer's documented instructions, including under our agreement and any applicable data processing agreement.
4. Personal Data We Process
Website, Sales, and Account Data
- Identification and contact data, such as name, work email, phone number, company, job title, and country.
- Account data, such as user ID, login credentials in protected form, role, permissions, MFA settings, and account preferences.
- Commercial and billing data, such as subscription details, invoices, payment status, billing address, tax details, and purchase history.
- Communications data, such as support tickets, demo requests, form submissions, emails, call notes, and feedback.
- Marketing data, such as newsletter preferences, event registrations, campaign engagement, and opt-out choices.
Customer-Provided Participant Data
Customers may upload, import, or sync data about campaign participants. Depending on the customer's configuration, this may include name, work email address, department, job title, manager, office, country, language, group membership, phone number, employee identifier, and other customer-defined fields.
Simulation, Training, and Reporting Data
PhishGun may process campaign and awareness data such as email delivery events, opens, link clicks, attachment interactions, landing-page visits, QR-code scans, training assignments, course progress, quiz results, reporting-button activity, risk scores, campaign timestamps, IP address, approximate location derived from IP address, browser, device, and operating-system information.
If a simulation uses a fake login or data-entry page, PhishGun is designed to record the security event, not to collect real credentials. Customers must not use PhishGun to collect passwords, MFA codes, payment-card data, government identifiers, health data, or other sensitive information unless this has been expressly agreed in writing and is lawful.
Reported Emails and Threat Analysis
Where a customer enables phishing reporting or email analysis features, we may process reported email content, headers, sender and recipient addresses, attachments, links, security metadata, analysis results, and the identity of the reporting user, depending on the customer's configuration.
Technical and Usage Data
We process technical data needed to operate, secure, debug, and improve the Service, including IP addresses, device identifiers, logs, authentication events, audit logs, feature usage, page views, error reports, and security telemetry.
5. Sources of Personal Data
- Directly from you when you visit our website, contact us, request a demo, create an account, or use the Service.
- From our customers when they upload, import, or sync participant data into PhishGun.
- From connected services, such as Google Workspace, Microsoft 365, identity providers, mail systems, and security tools, when authorized by a customer.
- Automatically from websites, apps, browsers, devices, email systems, and service infrastructure.
- From business partners, public sources, or lead sources where lawful and relevant to business communications.
6. Purposes and Legal Bases
Where we act as controller, we rely on the legal bases below under Article 6 GDPR.
| Purpose | Legal basis |
|---|---|
| Providing, administering, and securing customer accounts and the Service | Contract; legitimate interests in operating and securing the Service |
| Responding to inquiries, demos, support requests, and customer communications | Contract; legitimate interests in customer support and business communication |
| Billing, accounting, tax, and financial administration | Contract; legal obligation |
| Product analytics, troubleshooting, abuse prevention, audit logs, and service improvement | Legitimate interests in reliable and secure service operation |
| Marketing to business contacts, newsletters, events, and product updates | Consent where required; legitimate interests for relevant B2B communications where permitted |
| Establishing, exercising, or defending legal claims and enforcing acceptable-use rules | Legitimate interests; legal obligation |
Where we act as processor, the customer determines the relevant legal basis for processing participant data. Customers commonly rely on legitimate interests, legal obligations, employment-related compliance duties, contractual obligations, or consent, depending on their jurisdiction and use case.
7. How We Use Personal Data
- To provide phishing simulations, security awareness workflows, reporting, analytics, and customer dashboards.
- To import and manage users, groups, campaign lists, templates, training assignments, and results.
- To generate reports that help customers understand security awareness trends and risky patterns.
- To operate integrations requested by customers, including directory, identity, and email-platform integrations.
- To provide customer support, onboarding, billing, account administration, and service notifications.
- To detect abuse, prevent unauthorized use, protect systems, troubleshoot issues, and maintain audit records.
- To improve PhishGun, including templates, localization, reliability, usability, and security features.
- To comply with applicable laws and respond to lawful requests from authorities.
8. Customer Responsibilities
Customers are responsible for ensuring that their use of PhishGun is lawful. This includes having appropriate authorization, choosing a valid legal basis, giving required notices to participants, configuring campaigns lawfully, respecting employment and electronic communications rules, and avoiding the upload of unnecessary or sensitive personal data.
9. Cookies and Similar Technologies
We use cookies and similar technologies for necessary website and Service functions, authentication, security, preferences, analytics, and, where enabled, marketing measurement. Non-essential cookies or similar tracking technologies are used only where we have a lawful basis and, where required, your consent. You can manage cookies through your browser settings and, where available, through our cookie banner or preference tool.
10. How We Share Personal Data
We do not sell personal data. We may share personal data with:
- Customers. Customers receive dashboards, reports, audit logs, and campaign results relating to their authorized users and participants.
- Subprocessors and service providers. These may include cloud hosting, infrastructure, CDN, DNS, email delivery, identity, analytics, logging, monitoring, error tracking, support, CRM, payment, accounting, and security vendors.
- Integration providers. If a customer connects Google Workspace, Microsoft 365, identity providers, mail systems, or other tools, data may be exchanged with those services as configured by the customer.
- Professional advisers. Lawyers, accountants, auditors, insurers, and other advisers where necessary for business, legal, or compliance purposes.
- Authorities and third parties. Courts, regulators, law enforcement, and other parties where required by law or necessary to protect rights, security, or safety.
- Business transfers. Parties involved in a merger, acquisition, financing, reorganization, or sale of business assets, subject to appropriate safeguards.
We require subprocessors that process personal data for us to protect it under contractual confidentiality, security, and data protection obligations.
Current Key Third-Party Providers
The table below lists the key third-party providers currently used to operate PhishGun. This is intended as practical subprocessor and recipient transparency; the exact data processed depends on the features and integrations a customer enables.
| Provider | Purpose | Data involved | Primary processing location |
|---|---|---|---|
| DigitalOcean | Cloud infrastructure, hosting, networking, storage, backups, and service operation. | Customer account data, participant data, campaign data, reported-email data, logs, and technical metadata as needed to provide the Service. | Frankfurt, Germany region for PhishGun production infrastructure, subject to provider support, security, and administration safeguards. |
| Google Workspace / Google Cloud | Business email, workspace administration, service accounts, authentication, API access, and Google Workspace integrations where enabled by a customer. | Business communications, account and integration metadata, service-account credentials or tokens, directory data, and email or user metadata as configured by the customer. | European Economic Area and other locations used by Google under its applicable data protection terms and transfer safeguards. |
| Microsoft Azure / Microsoft Entra / Microsoft 365 | Application registrations, authentication, API access, identity, directory, and Microsoft 365 integrations where enabled by a customer. | Account and integration metadata, OAuth permissions, tokens, directory data, mailbox metadata, and email-related data as configured by the customer. | European Economic Area and other locations used by Microsoft under its applicable data protection terms and transfer safeguards. |
We may add, replace, or remove providers as the Service evolves. Where we act as a processor for a customer, changes to subprocessors are handled under the applicable data processing agreement or customer contract.
11. International Transfers
We are established in Slovakia and aim to process customer data in the European Economic Area where reasonably possible. PhishGun production infrastructure is currently hosted in DigitalOcean's Frankfurt, Germany region. Some service providers, integrations, customer tenants, support operations, or vendor administration activities may process personal data outside the EEA. Where this happens, we use appropriate safeguards, such as adequacy decisions, the EU-U.S. Data Privacy Framework for certified U.S. providers, the European Commission's Standard Contractual Clauses, transfer impact assessments, and supplementary technical and organizational measures where required.
12. Retention
We keep personal data only for as long as necessary for the purposes described in this policy, unless a longer period is required by law, contract, dispute, security need, or a customer's documented instructions.
- Account and customer administration data is kept for the customer relationship and a reasonable period after termination.
- Billing, invoice, accounting, and tax records are kept for the statutory period required by Slovak law, generally up to 10 years after the relevant accounting period.
- Participant data, campaign lists, campaign results, training records, and reported-email data are kept according to the customer's settings, contract, and instructions.
- Security logs and audit logs are typically kept for a limited operational period unless needed for security, abuse prevention, legal claims, or compliance.
- Support and business communications are kept for as long as needed to handle the request and maintain business records.
- Marketing data is kept until you unsubscribe, object, withdraw consent, or the data is no longer useful for the original purpose.
- Backups are overwritten or deleted on a regular cycle, subject to technical and security constraints.
13. Security
We use technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, and disclosure. These measures include TLS encryption in transit, access controls, role-based permissions, MFA for privileged access, logging, monitoring, backups, vulnerability management, confidentiality obligations, and security review of systems and vendors. No service can be guaranteed to be completely secure, but we work to keep security controls proportionate to the risks of the Service.
14. AI-Assisted Features
PhishGun may use automation or AI-assisted features to help create, localize, analyze, or improve campaign content and security workflows. We do not use customer participant data to train third-party AI models unless this is expressly agreed with the customer. Where an AI-related provider processes personal data for us, it is treated as a subprocessor and is subject to appropriate data protection obligations.
15. Automated Decision-Making
PhishGun may generate risk scores, reports, trends, recommendations, or similar analytics for customers. These outputs are intended to support customer security awareness programs. We do not use PhishGun to make solely automated decisions that produce legal or similarly significant effects about individuals.
16. Special Category Data and Children
PhishGun is not intended to collect special category data, such as health information, biometric data, religious or political views, union membership, or data about criminal offences. Customers must not upload such data unless they have a lawful basis, have completed any required assessments, and have agreed this with us in writing. PhishGun is not intended for use by children, and customers must not target minors unless their use is lawful and covered by appropriate instructions and safeguards.
17. Your GDPR Rights
Where we act as controller, you may have the right to request access, rectification, erasure, restriction, portability, objection to processing, and withdrawal of consent where processing is based on consent. These rights may be limited in certain cases, for example where we must keep data to comply with law, protect security, or establish, exercise, or defend legal claims.
Where we act as processor for a customer, we will normally refer your request to that customer because the customer controls the relevant data. You may still contact us, and we will help the customer respond as required by our agreement and applicable law.
To exercise your rights, contact us at info@phishgun.com. We may need to verify your identity before responding.
18. Supervisory Authority
You have the right to lodge a complaint with a data protection authority. In Slovakia, the supervisory authority is the Office for Personal Data Protection of the Slovak Republic (Úrad na ochranu osobných údajov Slovenskej republiky), Námestie 1. mája 18, 811 06 Bratislava, Slovak Republic, website: dataprotection.gov.sk.
19. Changes to This Policy
We may update this Privacy Policy from time to time. If changes are material, we will take reasonable steps to notify customers, for example by email, in-app notice, or a notice on our website. The updated policy applies from the date stated above unless a later effective date is specified.