Your privacy is important to us. It is Phishr Limited's policy to respect your privacy and comply with any applicable law and regulation regarding any personal information we may collect about you, including across our website, https://phishr.co.uk, our platform and other sites we own and operate.
This policy is effective as of 20th April 2023 and was last updated on 23rd August 2023.
The legal basis for processing differs for prospective customers and existing customers.
For prospective customers and for contacts of an existing customer, Phishr Limited lawfully processes personal data under (Art 6.1(b)): “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;” to provide you with services (including demonstrations, webinars and pricing) that the data subject requests in representation of a prospective customer. We also process personal data under (Art 6.1(a)):” the data subject has given consent to the processing of his or her personal data for one or more specific purposes;” to contact the data subject regarding our products, services, events and special offers. This consent can be withdrawn at any time.
For data subjects using Phishr in their organisation, it is the responsibility of the Data Controller to determine the lawful basis of processing, the below provides a likely basis for an educational organisation in England or Wales. The lawful basis of processing for Phishr may use (Art 6.1(c)): “processing is necessary for compliance with a legal obligation to which the controller is subject;” Alternatively, the lawful basis may be (Art 9.2(g)): “Processing is necessary for reasons of substantial public interest.” with the Condition being:
12 – Regulatory requirement18 – Safeguarding of children and individuals at risk
19 – Safeguarding of economic wellbeing of certain individuals
In England and Wales, the likely legal obligation for data subjects considered to be students is based in the DFE’s statutory guidance “Keeping children safe in education” which in turn is based on the following laws:
Section 175 of the Education Act 2002,
Education (Independent School Standards) Regulations 2014,
Non-Maintained Special Schools (England) Regulations 2015,
Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR)
In England and Wales, the likely legal obligation for data subjects considered to be staff or visitors is based on:
Health and Safety at Work Act 1974,
Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR)
To lawfully process special category data, the data controller must identify both a lawful basis under Article 6 of the GDPR and a separate condition for processing under Article 9. In the case of education establishments in England and Wales, consent is sought by all schools to use student personal data throughout the curriculum and pastoral care. When seeking this consent, it should be made clear that special category data may be used in Phishr.
It should be noted that in some circumstances this legal basis may vary, however, we always operate in full compliance with Data Protection Law and will only process data with a fair and reasonable legal basis for doing so.
To carry out these services, we obtain (either from the Customer and/or from you directly) and process the following information:
We use your personal information in Phishr, and it should be acknowledged that some of our employees have access to such information, only to the extent required to carry out the services for you.
We have introduced appropriate technical and organisational measures to protect the confidentiality, integrity, and availability of your personal information during storage, processing, and transit.
For our core product platform, we avoid using cloud services that operate outside of the UK or EEA, defined in GDPR as “Third Countries”.
The app notification delivery services provided by Apple, Google, Microsoft, and your own email providers are subject to the terms of those providers.
Some of our business systems (for example our CRM) might use cloud services that operate from Third Countries outside the UK and the EEA. Where we must use cloud services that operate from Third Countries, we ensure that adequate safeguards are established to protect your data.
You have the right of access to your personal information that we process and details about that processing. You can usually access that information directly within the Phishr application. However, should this not be possible, you can raise a Data Subject Access Request (DSAR) to receive this information in another format. Please direct your request to the organisation which manages our application.
You have the right to request that information is corrected if it’s inaccurate. You can usually update your own information using the Phishr app. However, should this not be possible, you can contact us to make the changes on your behalf. In the first instance, you should contact your organisation, to correct the data held by them and provided to us for processing.
You have the right to request that your information is removed; depending on the circumstances, we may or may not be obliged to action this request. Please direct your request to the organisation which manages our application.
You have the right to object to the processing of your information; depending on the circumstances, we may or may not be obliged to action this request. Please direct your request to the organisation which manages our application.
You have the right to request that we restrict the extent of our processing activities; depending on the circumstances, we may or may not be obliged to action this request. Please direct your request to the organisation which manages our application.
You have the right to receive the personal data which you have provided to us in a structured, commonly used and machine-readable format suitable for transferring to another controller. Please make enquiries with your organisation.
If you have any concerns or complaints regarding the processing of your personal data, or our compliance with the GDPR and DPA 2018, you should contact your organisation initially. Please state clearly in the subject that your request concerns a privacy matter and provide a clear description of your requirements.
Note: We may need to request additional information to verify your identity before they action your request.
The law allows you to contact us directly. However, as data processors we must seek permission from the data controller (your organisation) before we are able to release any information to you, which will include disclosing the request made and the identity verification undertaken. We recommend that you always contact your organisation to regarding any data we process.
You also have the right to lodge a complaint with the Supervisory Authority. Their contact details in the UK are:
Website: www.ico.org.uk
Telephone: 0303 123 1113
Postal address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
We use a range of trusted service providers to help deliver our services. All of our suppliers are subject to appropriate safeguards, operating in accordance with our specific instructions and limitations, and in full compliance with Data Protection Law.
When you visit or log in to our website, cookies and similar technologies may be used by our online data partners or vendors to associate these activities with other personal information they or others have about you, including by association with your email or home address. We (or service providers on our behalf) may then send communications and marketing to these email or home addresses. You may opt out of receiving this advertising by visiting https://app.retention.com/optout
We will only retain information for as long as is necessary to deliver the service safely and securely. We may need to retain some records to maintain compliance with other applicable legislation.
Your organisation controls the retention of data in the Phishr platform and you should refer to their policies and practices in the first instance.
However, in Phishr:
Security credentials, such as salted hashed password, for a deleted user account are purged immediately on deletion.
If we cease service to a customer then all content and user data is fully deleted from the underlying Phishr platform within 30 days.
This policy will be reviewed regularly, and updated versions will be posted on our websites.
If you are undertaking a DPIA on behalf of your organisation then we can provide additional information to you that answers common questions and shows how we consider and address risks.
If you would like access to this information or any other help completing your DPIA then please contact our Data Protection Lead.
We have appointed a Data Protection Lead (DPL); their contact details are as follows:
E-mail: harvey@phishr.co.uk
By post: Data Protection Lead at Phishr Limited registered company address.
If you can’t find what you’re looking for here, or have a concern about our use of your personal data, please get in touch by emailing hello@phishr.co.uk
