Privacy Policy
This Privacy Notice provides information on data protection and privacy for visitors to our website and users of our services. It explains how we collect and process your personal data and outlines our data protection practices.
Who We Are
We are GoldPhish, located at Dalton House, 60 Windsor Avenue, London, SW19 2RR, United Kingdom. For any data protection and privacy matters, you can contact our designated Data Protection Officer (DPO) at info@goldphish.com.
Your Rights as a Data Subject
You will be referred to in this Privacy Notice as a Data Subject, and the information about you is known as Personal Data. For the purposes of privacy laws, we are the processor of personal data unless expressly specified otherwise. We take data protection seriously and follow the law and industry best practices to keep your personal data secure. As a data subject, you have certain rights in relation to data privacy. Specifically, you have the right to:
- Request information about the personal data we process;
- Rectify inaccurate personal data records;
- Demand deletion or restriction of processing, and object to processing based on legitimate interest, under certain circumstances;
- Revoke any consent to processing that you have given to us;
- Data portability, allowing you to obtain and transfer your personal data to another controller; and
- Lodge a complaint with the supervisory authority if you believe your data privacy rights have been violated. A full list of EU regulators is available here, and the contact details of the UK regulator, the ICO, are here.
Third-Party Services
We use third parties to help us provide our service. To facilitate our contractual obligations we use third-party applications such as:
- Cloud server and data centre service providers such as IONOS
- Administrative and cloud storage services from Google LLC
- Customer support systems such as Help Scout PBC
- Customer relationship management systems such as Monday.com Ltd
- Email service and performance measurement systems such as Mailgun Technologies Inc
We only transfer personal data to trusted third parties that comply with current privacy legislation. Data is stored and processed within the EU/EEA or in countries with adequate protection levels as determined by the European Commission, or with suppliers who have binding agreements ensuring lawful third-country transfers. To obtain documentation regarding such adequate safeguards, please email info@goldphish.com.
We do not sell personal data to third parties. Data used for aggregated analysis or market research is anonymised and cannot be used to identify individuals.
Data Security and Integrity
We prioritise data integrity and privacy, processing personal data with the utmost care and in accordance with this Privacy Notice and relevant privacy laws, notably the GDPR.
Transfers and Risks
Transfers of information over the Internet and mobile networks carry inherent risks, and we take measures to ensure data security during transfers. Users are responsible for keeping their login information secure.
Data Processing by User Category
1. Users
As a user of the GoldPhish platform, we hold the following information about you:
- Name
- Email address
- Password (hashed)
- Employer
- Employee department
- Location (country and time zone)
- Responses to phishing exercises and learning module tests
- IP address
- Any personal data accessed by the services using third-party data source integrations activated by GoldPhish's customer
- User identifiers on third-party accounts integrated with GoldPhish
This data may come directly from you or your employer and is processed for the legitimate interest of fulfilling our contract and data processing agreement with your employer. Processing includes updating, securing, troubleshooting, adding new features, and providing customer support. We also use this data for business operations, such as analysing performance, determining new feature priorities, meeting legal obligations, and improving our products. Anonymised data is used for trend analysis and product success metrics.
We retain this data only for the duration of our contract with your employer and delete it within 90 days of contract termination.
2. Sales Partners and/or Resellers
As a Partner or Reseller of GoldPhish we hold the following information about you:
- Name
- Contact details
- Job title
This data is processed for the legitimate interest of fulfilling our business-to-business contract with your organisation. We retain this data for up to seven years from contract termination unless you request earlier deletion. Data will be irreversibly deleted at this point.
3. Suppliers
As a supplier to GoldPhish, we hold the following information about you:
- Name
- Contact details
- Bank details
This data is processed for the legitimate interest of fulfilling our contract with you. We cannot continue our contract if we cannot process this data. We retain this data for up to seven years from contract termination, or longer for financial transaction records where required to meet legal obligations. Data will be irreversibly deleted at this point.
4. Business Contacts and Prospective Customers
As a business contact or prospective customer of GoldPhish, we hold the following information about you:
- Name
- Contact details
- Job title or description
- Company
- Location
We act as a Controller for B2B marketing purposes. This data may come directly from you or from a Data-as-a-Service provider. It is processed for the legitimate interest of business communication or marketing. We retain this data for up to three years from our last contact with you unless you request earlier deletion. Data will be irreversibly deleted at this point.
If you provide personal data on our website (e.g., Contact Us, Start Free Training, Request a Quote, Partner with Us), we use it to manage our response to your requests. We may use third-party applications like Monday.com to facilitate communication. Recorded calls for training, service improvement, and customer support will be subject to consent and strict access control and security protections. These details are retained for up to three years and then irreversibly deleted.
If you contact our DPO, we may retain a log of your enquiry for up to six years for future related enquiries. Data will be irreversibly deleted at this point.
Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies to enhance user experience and gather analytics. You can manage your cookie preferences through your browser settings.
Data Breach Notification
In the event of a data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. Affected data subjects will also be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
Last Updated: 10 July 2024