
Privacy Policy
Welcome to the PHISHX ecosystem!
Thank you for using our products ("PRODUCTS"). The "PRODUCTS" will be provided by P2 TECHNOLOGY INFORMÁTICA LTDA ("P2 TECHNOLOGY" or "P2" or "PHISHX"), through its SaaS platform with Cloud Computing Architecture for digital security for people (the "PHISHX" or the "PLATFORM").
"PHISHX" values and respects the privacy of its users ("COMPANY", "YOUR", "USER" or "CLIENT"), whether they are internal or external and, through this Privacy Policy ("PRIVACY POLICY" or "POLICY"), demonstrates its commitment to the protection of "YOUR" data, in addition to establishing the rules on the Processing of Personal Data of "USERS", within the scope of the functionalities of "OUR" website, software, platforms and physical environments, in accordance with the laws in force, especially Law No. 13,709/2018 (General Law for the Protection of Personal Data – LGPD) with transparency and clarity with your "COMPANY" and the market in general.
This "COMPANY", "USER" and/or "CLIENT" declares that it has read this "POLICY" completely and carefully, being fully aware, thus conferring its free and express agreement with the terms stipulated herein, including the collection of the data mentioned herein, as well as its use for the purposes specified below.
"PHISHX" is committed to protecting your privacy. Therefore, this Instrument contains the Privacy Policy of the websites "phishx.io", "www.phishx.io" and "*.phishx.io" (together, the "WEBSITES", or, individually and indistinctly, the "WEBSITE"), as well as the PRODUCT offered through such "WEBSITES" (the "PRODUCT"), within the scope of the PHISHX PLATFORM ("PLATFORM" or "PHISHX"), clarifying what information is collected from the "USERS" of "OUR" websites, as well as how such data is used.
1. About Data Collection
1.1. This "COMPANY", "USER" and/or "CLIENT" is (are) solely responsible for the accuracy, veracity or lack thereof in relation to the data it provides or for its outdatedness. Therefore, it is imperative to pay attention, as it is "YOUR" responsibility to ensure its accuracy or keep it up to date.
1.2. Likewise, "PHISHX" is not obliged to process any of "OUR" data if (i) there is reason to believe that such processing or treatment may impute to "US" any violation of any applicable law or if (ii) such "COMPANY", "USER" and/or "CLIENT" is using "OUR" environments for any purposes that are illegal, illicit or contrary to morality.
1.3. ON OUR WEBSITES, INFORMATION IS COLLECTED IN THE FOLLOWING WAYS:
1.3.1. Information provided by this "COMPANY", "USER" and/or "CLIENT": We collect personally identifiable information, such as: User Name; Telephone; Email; Company Name and Position - by filling out the registration in our application (APP or portal) and through the forms to download "OUR" free content. Occasionally, requests for some information may be made through direct contact with "PHISHX", via e-mail, telephone or other electronic means.
1.3.2. Navigation information on the "WEBSITE": When this "COMPANY", "USER" and/or "CLIENT" visits "OUR WEBSITE", a "cookie" is placed in your browser through the Google Analytics software, to identify how many times this "COMPANY", "USER" and/or "CLIENT" returns to "OUR" address. Information such as IP address; geographic location; reference source; browser type; duration of visit and pages visited is collected.
1.3.3. Contact history: "PHISHX" stores information about all contacts already made with our "USERS", such as content downloaded from our pages and interactions via E-mail, for a period of 06 (six) months, as specified in the table contained in clause 13.1.
2. About the Use of Personal Information
2.1. The data collected by "PHISHX" may be used by other companies that may arise and form an economic group with it, always respecting this "PRIVACY POLICY". By submitting the data on the "WEBSITES", this "COMPANY", "USER" and/or "CLIENT" agrees with this mode of use. "PHISHX" will not transfer "YOUR" data to third parties outside any economic group without your prior and express consent, unless obliged to do so under the applicable legislation.
3. Purpose of Data Processing
3.1. This "POLICY" allows "PHISHX" to use "YOUR" personal information for the following purposes:
- Provide, operate and improve our "PRODUCT";
- Manage your account and authenticate access;
- Personalize the user experience;
- Comply with legal and regulatory obligations;
- Conduct marketing and promotional communications (with consent).
4. Data Sharing
4.1. The data collected and the activities recorded may be shared:
- With competent judicial, administrative or governmental authorities, whenever there is a legal determination, request and/or court order;
- Automatically, in case of corporate transactions, such as merger, acquisition and incorporation, with due notice to the user;
- For the proper supply of the "PRODUCT", with group companies, partners, service providers or third parties, within the limits required and authorized by law.
Sole Paragraph: For the purposes of market intelligence research, disclosure of data to the press and advertising, the data provided by this "COMPANY", "USER" and/or "CLIENT" will be shared in an anonymized form, that is, in a way that does not allow "HIS" identification.
5. Rights of Data Subjects
5.1. In accordance with the GDPR, LGPD or other applicable laws, the Data Subject has the following rights:
- Access, correct, or delete your data;
- Revoke consent to the use of personal data;
- Request the portability of your data;
- File complaints with regulatory authorities.
5.2. The rights of the Data Subject are also specifically highlighted:
a) Confirmation of the existence of processing: "PHISHX" processes the Personal Data of its customers, employees, visitors, suppliers, partners, among others, keeping this Data stored in environments in a secure and controlled manner. The Data Subject may request confirmation of processing of their Personal Data;
b) Access to Data: At any time, the Holder may request "PHISHX" to inform which Personal Data is being processed;
c) Correction of incomplete, inaccurate or outdated Personal Data: If the Data Subject finds that the information is incomplete, inaccurate or outdated, he/she may request the correction and/or completion of the missing or inaccurate Personal Data, as the case may be;
d) Anonymization, blocking or deletion of unnecessary, excessive or processed Personal Data in non-compliance with the LGPD: The Data Subject may request anonymization, blocking or deletion of the Personal Data that "PHISHX" is processing when it does not have a legal basis justifying the processing. However, if "PHISHX" has legal or regulatory justification for maintaining the data, they will be retained for the period necessary for the exercise of the legal obligation or for the right of defense in judicial, administrative or arbitration proceedings or, in certain situations, in the legitimate interest of "PHISHX" (such as, for example, to avoid infractions and fraud);
e) Portability of Personal Data to another service or product provider, upon express request by the Data Subject: The Data Subject may request "PHISHX" to port their Personal Data to another service or product provider. If applicable, the Holder's request will be met in the shortest possible time;
f) Obtaining information about the public or private entities with which "PHISHX" shares the Holder's Personal Data: The Holder may contact PHISHX through the Holder's rights service channel to obtain information about who their Personal Data has been shared with;
g) Information about the possibility of the Holder not providing consent for the processing of Personal Data, as well as being informed about the consequences in case of refusal: If the Holder does not want to provide his/her consent for the specific processing that "PHISHX" needs to perform, PHISHX will clarify to the Holder if it is possible to provide the software of your interest without the processing of your Personal Data, also informing you of the consequences of your non-consent;
h) Revocation of consent: When the processing of Personal Data is based on the consent of the Data Subject, the Data Subject may revoke their consent and request the deletion of their Personal Data at any time. The revocation of consent may imply the impossibility of the Holder to enjoy the "PRODUCT" provided by "PHISHX". The interruption of the processing of Personal Data will not be effective when the Data is: (i) anonymized; or (ii) necessary for "PHISHX" and/or Third Parties involved in the supply of the "PRODUCT" for judicial, arbitral or administrative defense purposes, as well as for compliance with legal and regulatory obligations;
i) Deletion of data: In some cases, the Holder may request the deletion of their personal data.
Paragraph One: Also noteworthy is the way of exercising these rights through "OUR" Service Channels, whereby this "COMPANY", "USER" and/or "CLIENT" may make requests directly to our Personal Data Officer, under the terms of 'Clause 18 – Contacts'.
Paragraph Two: In the event that this "COMPANY", "USER" and/or "CLIENT" requests the deletion of "HIS" personal data, there may be a need to keep the data for a period beyond the deletion request, under the terms of Article 16 of the General Law for the Protection of Personal Data, for:
- Compliance with a legal or regulatory obligation;
- Study by research body; and
- Transfer to a third party (subject to the data processing requirements set forth in the same Law).
Paragraph Three: In all cases provided for in the previous paragraph, the data will be kept, whenever possible, through the anonymization of personal data and, at the end of the maintenance period and legal necessity, the personal data will be deleted using secure disposal methods or used anonymously for statistical purposes.
5.3. "PHISHX", acting as Operator, is not responsible for the definitions of data processing. This activity is the responsibility of the client, as Controller, as established in the Contract, ensuring that all instructions directed to "PHISHX" respect the Data Protection and Privacy Legislation of Personal Data Subjects.
5.4. "PHISHX" undertakes to meet all requests from the Data Subjects in the shortest possible time, also in accordance with the deadlines stipulated by the ANPD.
6. Sharing of Personal Data
6.1. "PHISHX" responsibly treats the Personal Data of your "COMPANY", "USER" and/or "CLIENT".
6.2. The Personal Data of "PHISHX" employees may be shared to meet: (i) the legal obligations in force and the defense of the rights of the Data Subjects; (ii) contractual obligations to the employees themselves; (iii) the benefits provided to employees.
6.3. In relation to customers, "PHISHX" may share Personal Data to meet: (i) the requests made by the customer himself; and (ii) the legal obligations arising from the business relationship.
6.4. "PHISHX" may also, subject to compliance with the LGPD, share such Personal Data with Third Parties: (i) Service providers; (ii) Partners; (iii) Government authorities; (iv) Group companies.
6.5. When sharing is necessary, "PHISHX" adopts the appropriate measures so that the shared information is processed only for specific purposes.
6.6. "PHISHX" has commercial partners who may occasionally offer products and services through functionalities or websites that can be accessed from "OUR" environments. The data provided by this "COMPANY", "USER" and/or "CLIENT" to these Partners will be their responsibility, thus being subject to their own data collection and use practices.
6.7. "PHISHX" develops partnerships with companies in order to use technologies and processes to expand the supply of its "PRODUCT". These Partners must also strictly submit to all contractual security guidelines and those set forth in this "POLICY", ensuring that all Customer or Employee Personal Data is treated as confidential.
6.8. "PHISHX" also undertakes not to sell, rent or pass on your information to third parties, except when such information is required by the courts, in which case it will be passed on without prior authorization.
7. Data Security
7.1. "PHISHX" ratifies that it carries out its activities based on good protection and security practices, implementing technical and organizational measures to protect your information against unauthorized access, loss or alteration. However, no data transmission via the internet is completely secure, that is, no WEB service has a 100% (one hundred percent) guarantee against intrusions.
8. About Sharing Content on Social Media
8.1. By clicking on the content sharing buttons on social media available on "OUR" pages, the "USER" will publish the content through their profile on the selected network. "PHISHX" does not have access to the login and password of users on these networks, nor will it publish content on behalf of the "USER", without him performing this action.
9. About the Use of Information Provided by "OUR" Customers
9.1. Through the "PLATFORM", "PHISHX" makes available to its "CLIENTS" tools for creating E-mails; Landing Pages; Training; sending educational messages; among others that involve the management of personal information of "USERS" with whom its "CUSTOMERS" maintain a business and/or employer relationship. However, "PHISHX" does not control the requested information using "ITS" system. This data belongs to the "CUSTOMERS", who use, disclose and protect it in accordance with "THEIR" privacy policies. The "CLIENTS" are also responsible for collecting, managing and processing such confidential information.
10. About Subscription Cancellation and Change/Deletion of Registration and Personal Information
10.1. This "COMPANY", "USER" and/or "CLIENT" may choose not to receive any more E-mail from "PHISHX".
10.2. In all e-mails that are sent by "PHISHX", there is always a link to cancel the subscription at the end. By clicking on this link, this "COMPANY", "USER" and/or "CUSTOMER" will be automatically unregistered from the list.
10.3. It is important to mention that when filling out any form again, it will be characterized as the reinsertion of "YOUR" E-mail to the list. Therefore, the cancellation request must be made again, if it is of "YOUR" interest.
10.4. To change "YOUR" personal information or even delete it from "OUR" database, just send an E-mail to meajude@phishx.io.
11. International Data Transfer
11.1. Your data may be transferred to and processed on servers located outside of your country of residence. We ensure that these transfers follow security standards and legal compliance.
12. Data Protection
12.1. "PHISHX" implements strict measures to ensure the integrity and security of Personal Data. Authorization to access data is granted, for example, so that the responsible areas can meet the needs of their activities and for possible support dealings. PHISHX implements procedures to ensure that PHISHX's internal areas and Operators process Personal Data in accordance with the protection and privacy guidelines determined by PHISHX.
12.2. In addition, "PHISHX" invests in awareness programs for its employees, Third Parties and Partners. The Privacy and Data Protection Program aims to present good practices that should be adopted in the processing of Personal Data.
12.3. In order to ensure the privacy and security of its customers' personal data, "PHISHX" implements the best information security and secure development practices available in the market. "PHISHX" designs its "PRODUCT" in a way that allows the customer to manage their information directly and securely.
12.4. "PHISHX" will never send electronic messages requesting confirmation of data or with attachments that may be executed (extensions: ".exe", ".com", among others). When "OUR" links are sent for possible downloads, it is important that this "COMPANY", "USER" and/or "CUSTOMER" be attentive and verify whether the recipient is any of "OUR" domains.
12.5. Access to personal data, proportionality and relevance. Internally, the personal data collected is accessed only by duly authorized professionals, respecting the principles of proportionality, necessity and relevance to the objectives of "OUR" business, in addition to the commitment to confidentiality and preservation of "YOUR" privacy under the terms of this "POLICY".
12.6. External Links. When this "COMPANY", "USER" and/or "CLIENT" uses "OUR" environments, it may be led, via link, to other portals or related platforms, which may collect "YOUR" information and have their own Data Processing Policy. Therefore, it will be up to this "COMPANY", "USER" and/or "CLIENT" to read the respective Privacy and Data Processing Policy of such portals or platforms outside our environment, and it is "HIS" responsibility to accept or reject it. "PHISHX" is not responsible for the Privacy and Data Processing Policies of third parties or for the content of any websites or services linked to environments other than exclusively "OUR".
12.7. Processing by third parties under "OUR" guideline. If third-party companies carry out the Processing on "OUR" behalf of any personal data we collect, they will comply with the conditions stipulated herein and the information security standards, mandatorily.
12.8. Communication by E-mail. For the sole purpose of optimizing and improving our communication, when we send an E-mail to this "COMPANY", we will receive a notification when it is accessed, as long as this possibility is available. It is important to pay close attention, as the E-mails will be sent exclusively through the domains related to "OUR" operations, such as: "@phishx.io".
13. Data Storage and Activity Log
13.1. The personal data collected and the records of activities are stored in a secure and controlled environment for a minimum period of time, according to the table below:

| TYPES OF DATA | STORAGE PERIOD | LEGAL BASIS |
| --- | --- | --- |
| Registration data | 05 years after the end of the relationship | Articles 12 and 34 of the Consumer Protection Code |
| Digital identification data | 06 months | Art. 15, Marco Civil da Internet |
| Other data | As long as the relationship lasts and there is no request for erasure or revocation of consent | Article 9, Item II of the General Law for the Protection of Personal Data |

13.2. The Personal Data necessary to comply with the Civil Rights Framework for the Internet are stored in a secure and controlled environment for a minimum period of six (6) months, subject to change depending on the type of Contracts with customers.
13.3. Personal Data is stored on servers of Third Parties hired for this purpose, whether they are located in Brazil or abroad, in accordance with the applicable legislation, and may also be stored by means of other technologies that may arise in the future, always aiming at the improvement and enhancement of services.
13.4. "PHISHX" processes Personal Data for the period strictly necessary to fulfill the predetermined purposes, including for the purpose of complying with any legal or contractual obligations, or requests from competent authorities or while the Holder's registration remains active in its environment.
13.5. The Client's account information will be kept for as long as the account is active. If the customer requests cancellation, the account data will be deleted within 60 (sixty) days after the request. Even after the account deletion request, "PHISHX" will keep a backup of the customer's account information for seventy-two (72) hours for security and compliance purposes.
13.6. Regarding the data processing carried out based on the consent of the Holder, "PHISHX" terminates the processing of Personal Data, when applicable, if the Holder opposes or revokes the consent. In case of doubts about the period in which "PHISHX" will process Personal Data after the end of the contractual relationship, it is possible to contact our DPO via the following email: dpo@phishx.io and obtain the information applicable to the specific case.
13.7. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purpose of processing your personal data and whether we can achieve such purposes through other means, and the applicable legal requirements.
14. Consequence Management
14.1. In case of non-compliance with this Policy, measures will be adopted to manage labor, civil, criminal and administrative consequences that may be applicable to those responsible for the unlawful acts, including the possibility of dismissal for just cause and contractual termination for just cause in the case of Third Parties.
15. Amendments
15.1. This "POLICY" may be updated. Therefore, we recommend that you periodically visit this page so that you are aware of the modifications. If material changes are made that require "YOUR" new consent, we will publish this update and request a new consent from this "COMPANY", "USER" and/or "CUSTOMER".
16. Normative References
Law 13.709/2018 – General Law for the Protection of Personal Data.
Law 12.965/2014 – Civil Rights Framework for the Internet.
17. Glossary
Processing Agent: the Controller or the Operator.
ANPD – National Data Protection Authority: public administration body responsible for ensuring, implementing, and supervising compliance with the General Data Protection Law (LGPD).
International Data Collection: collection of the Holder's Personal Data carried out directly by the Processing Agent located abroad.
Controller: natural or legal person, under public or private law, who is responsible for decisions regarding the processing of Personal Data. The Controller is the one who determines the purpose and means of carrying out this processing.
Personal Data: any information related to an identified or identifiable natural person.
Sensitive Personal Data: personal data on racial or ethnic origin, religious conviction, political opinion, membership in a union or organization of a religious, philosophical or political nature, data related to health or sex life, genetic or biometric data, when linked to a natural person.
DPA – Data Processing Agreement: document that aims to regulate the contractual relationship between processing agents, when the main contract involves the processing of Personal Data. This document defines the limits, means, purposes and all the obligations that the processing agents will have to fulfill.
DPO – Data Protection Officer: PHISHX employee who acts as responsible for the communication between PHISHX, the Personal Data Subjects and the ANPD.
Supplier(s): are legal entities or individuals that offer goods or services to PHISHX within a certain period agreed between the parties.
LGPD – General Data Protection Law: Law No. 13,709/2018 that regulates the processing of Personal Data carried out in the Brazilian territory or that aims to provide goods or services to individuals located in the national territory or even if the Data object of the processing has been collected in the Brazilian territory regardless of where the Data is located.
Civil Rights Framework for the Internet – Law No. 12,965/2014 that aims to guide the rights and duties of users, service providers and others involved with the use of the Internet in Brazil.
Operator: natural or legal person, under public or private law, who processes Personal Data on behalf of the Controller.
Partner: companies with which "PHISHX" maintains contractual relations in order to develop commercial activities.
PhishX: Sometimes qualified as a "PRODUCT", sometimes qualified as P2 TECHNOLOGY INFORMÁTICA LTDA.
Service provider(s): are individuals or legal entities that provide some type of service contracted by "PHISHX".
Privacy and Data Protection Program: structured set of organizational policies, procedures and practices designed to protect the privacy and security of personal data collected, processed and stored by "PHISHX".
Third parties: individuals or legal entities hired to perform certain activities within a pre-established period.
Data subjects: are the natural persons to whom the Personal Data refers.
International Data Transfer: transfer of personal data carried out by a Processing Agent located in Brazil to a foreign country or international organization of which Brazil is a member.
18. Contact
18.1. Questions related to the Protection and Privacy Policy of "PHISHX" or any other questions related to the security and protection of Personal Data, should be sent to the appointed DPO and through the following contact addresses:
- Appointed DPO: Gabriela Sampaio | OAB/SP 256.619-B
- E-mail: dpo@phishx.io
- Address: Rua Jacareí, nº 41, Parque Dom Henrique, Cotia/SP, CEP: 06.716-310
19. Applicable Laws
19.1. This "PRIVACY POLICY" will be interpreted in accordance with Brazilian Law, in Portuguese, and the Court of "YOUR" domicile will be elected to settle any controversy involving this Instrument, except for specific reservation of personal, territorial or functional jurisdiction by the applicable legislation.
19.2. If this "COMPANY", "USER" and/or "CLIENT" does not have a domicile in Brazil and, exclusively, due to the "PRODUCT" offered by "US", it must submit to Brazilian Law, agreeing, therefore, that in the event of litigation to be resolved, the action must be filed in the Court of the City of São Paulo, State of São Paulo.
20. Privacy Policy Management
20.1. The "PRIVACY POLICY" is approved by the following areas: the area responsible for Data Processing Security and the Legal & Compliance area of "PHISHX".
São Paulo/SP, March 11, 2025.
PhishX | Cybersecurity for People Created by our Legal & Compliance Team
For privacy and data protection concerns, please contact our DPO.
Gabriela Sampaio
Head of Legal & Compliance and DPO
dpo@phishx.io