Privacy Policy for HookPhish

At HookPhish, we are committed to protecting your privacy. This Privacy Policy outlines how we collect, use, and safeguard your personal data in compliance with the EU’s General Data Protection Regulation (GDPR). Please read this policy carefully to understand our practices regarding your personal information.

1. Personal Data Definition

Under the GDPR, personal data refers to:

“Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, by reference to identifiers such as a name, identification number, location data, online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.”

2. Information Collection

On Our Website

You are free to explore our website without providing personal information. However, we may request personal data such as your name, email, and place of work when you engage with our chatbot or register for our services. By providing this information, you consent to us processing it for the purposes outlined in this policy.

When Using the HookPhish SaaS Platform

Clients using the HookPhish platform are responsible for managing their own data as the data controller. HookPhish acts as the data processor and does not store your data for more than 7 days, except in cases where you need assistance recovering data due to an error.

If you grant our team temporary administrative access to assist with platform management, we will only access your data for the duration of the task and will not store or retain it once access is revoked.

From Third-Party Providers

We may receive personal data from third-party providers relevant to HookPhish's operations. Any data received will be processed in accordance with GDPR requirements and not retained longer than necessary.

3. Purpose of Data Collection

We collect personal data to provide and enhance our services. This data helps us:

  • Contact you about your account and services
  • Set up user accounts and manage access to the HookPhish platform
  • Provide updates or news about our services, if you have given your consent

We strive to collect only the data necessary for these purposes and ensure it is handled with care to avoid any invasion of your privacy.

4. Data Sharing

We may share your personal data with trusted third-party service providers to help deliver our services. These third parties are required to handle your data securely and use it solely for the intended purposes. For example:

  • HubSpot (CRM): Stores customer information and communication details. HubSpot complies with GDPR and the EU-US Data Privacy Framework.
  • Amazon Web Services (AWS): Stores platform data. AWS is ISO 27001 and SOC 2 certified, ensuring industry-standard data protection.
  • SendGrid: Manages email communications.
  • Intercom: Supports chatbot interactions.

We will not share your sensitive personal data without your explicit consent or unless legally required.

5. Data Retention

We will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. After this period, your data will be securely deleted or anonymized.

For instance:

  • Personal data collected for account registration will be kept for the duration of your subscription and deleted upon cancellation.
  • Data related to communications or interactions with our platform may be retained for up to 12 months for operational and audit purposes.

6. Your Rights

Under GDPR, you have the following rights regarding your personal data:

  • Access: You can request confirmation of what personal data we hold about you and how it is processed.
  • Rectification: You can request corrections to inaccurate data.
  • Erasure: You can request the deletion of your personal data.
  • Restriction: You can request limits on how we process your data.
  • Objection: You can object to processing for specific purposes.
  • Withdraw Consent: You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise any of these rights, contact our Data Protection Officer (DPO) at [email protected]. We will respond to your request within the timeframes outlined in the GDPR.

7. Automated Decision Making and Profiling

HookPhish does not use automated decision-making or profiling that significantly impacts your rights or privacy. Any profiling that occurs will be transparent, and we will provide insight into the logic used and potential outcomes of the processing.

8. Data Security

We are committed to protecting your data from unauthorized access, alteration, disclosure, or destruction. We implement industry-standard security measures, including encryption and access controls, to safeguard your information.

9. Data Transfers

If your personal data is transferred outside the European Economic Area (EEA), we will ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or reliance on providers compliant with GDPR, like HubSpot, which follows the EU-US Data Privacy Framework.

10. Communication and Contact

We may contact you in relation to your account or to provide updates about our services, but we aim to be non-intrusive and relevant. If you no longer wish to receive communications from us, you can unsubscribe at any time via the link provided in our emails or by contacting us.

11. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy as necessary to comply with legal and regulatory changes. Any significant changes will be communicated via email or through our website.

12. Contact Information

If you have any questions or concerns about this Privacy Policy or how we handle your data, please contact our Data Protection Officer at:

Email: [email protected]
Address: 17 Hanover Square, London, W1S 1BN