Privacy Policy

Your privacy is important to us. It is Phishr Limited's policy to respect your privacy and comply with any applicable law and regulation regarding any personal information we may collect about you, including across our website, https://phishr.co.uk, our platform and other sites we own and operate.

This policy is effective as of 20th April 2023 and was last updated on 23rd August 2023.

This privacy notice covers

  • Why we use your personal information
  • The legal basis for processing
  • What personal information we use
  • How we use your personal information
  • Your rights under data protection legislation
  • Sharing personal information with third parties
  • How long we may keep your information
  • Changes to our privacy notice
  • Help undertaking a Data Privacy Impact Assessment (DPIA)
  • Contact details for our Data Protection Lead

Why we use your personal information

We process your personal data for the following purposes

The legal basis for processing

The legal basis for processing differs for prospective customers and existing customers.

For prospective customers and for contacts of an existing customer, Phishr Limited lawfully processes personal data under Art 6.1(b): “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;” to provide you with services (including demonstrations, webinars and pricing) that the data subject requests on behalf of a prospective customer. We also process personal data under Art 6.1(a): “the data subject has given consent to the processing of his or her personal data for one or more specific purposes;” to contact the data subject regarding our products, services, events and special offers. This consent can be withdrawn at any time.

For data subjects using Phishr in their organisation, it is the responsibility of the Data Controller to determine the lawful basis of processing; the following provides a likely basis for an educational organisation in England or Wales. The lawful basis of processing for Phishr may be Art 6.1(c): “processing is necessary for compliance with a legal obligation to which the controller is subject;”. Alternatively, the lawful basis may be Art 9.2(g): “processing is necessary for reasons of substantial public interest”, with the condition being one of:

12 – Regulatory requirement
18 – Safeguarding of children and individuals at risk
19 – Safeguarding of economic wellbeing of certain individuals

In England and Wales, the likely legal obligation for data subjects considered to be students is based in the DfE’s statutory guidance “Keeping children safe in education”, which in turn is based on the following laws:

Section 175 of the Education Act 2002,
Education (Independent School Standards) Regulations 2014,
Non-Maintained Special Schools (England) Regulations 2015,
Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR)

In England and Wales, the likely legal obligation for data subjects considered to be staff or visitors is based on:

Health and Safety at Work Act 1974,
Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR)

To lawfully process special category data, the data controller must identify both a lawful basis under Article 6 of the GDPR and a separate condition for processing under Article 9. In the case of education establishments in England and Wales, consent is sought by all schools to use student personal data throughout the curriculum and pastoral care. When seeking this consent, it should be made clear that special category data may be used in Phishr.

It should be noted that in some circumstances this legal basis may vary, however, we always operate in full compliance with Data Protection Law and will only process data with a fair and reasonable legal basis for doing so.

What personal information we process

To carry out these services, we obtain (either from the Customer and/or from you directly) and process the following information:

Data                 | Data Item                                        | Purpose
---------------------|--------------------------------------------------|------------------------------------------------------------------
Prospective customer | Name                                             | To correctly address a prospective customer.
Prospective customer | Email address                                    | To send information and discuss Phishr with a prospective customer.
Prospective customer | Phone number                                     | To discuss Phishr with a prospective customer.
Prospective customer | Organisation name, type and address              | To provide accurate information regarding Phishr to a prospective customer.
Prospective customer | Size of organisation                             | To provide accurate information regarding Phishr to a prospective customer.
Prospective customer | Job title                                        | To understand your role in a prospective customer organisation.
Prospective customer | Mailing opt-in                                   | To permit us to keep you up to date on a service you have expressed an interest in.
Prospective customer | Presales activity                                | To help us understand how prospective customers select our product; to ensure we provide accurate information at appropriate times.
User                 | Email address                                    | To provide a unique username for Phishr; to send phishing simulations to; to send cyber awareness training videos to; to enable self-service password reset.
Technical            | Multi-factor authentication token (if enabled)   | To increase the protections applied to the personal data stored within Phishr that is accessible by the data subject.
Technical            | A single sign-on token (Microsoft, Google)       | To integrate with existing organisational identity lifecycle practices; to increase the protections applied to the personal data stored within Phishr that is accessible by the data subject; to simplify and expedite access for an authorised data subject to Phishr.
Technical            | One-way strong hashed password (when using single sign-on, Phishr does not store any password) | To facilitate secure access to Phishr.
Technical            | Login session tokens                             | To facilitate secure access to Phishr and enable revocation of existing access.

How we process your personal information

We use your personal information in Phishr only to the extent required to carry out the services for you; it should be acknowledged that some of our employees have access to such information for that purpose.

We have introduced appropriate technical and organisational measures to protect the confidentiality, integrity, and availability of your personal information during storage, processing, and transit.

For our core product platform, we avoid using cloud services that operate outside of the UK or EEA, defined in GDPR as “Third Countries”.

The app notification delivery services provided by Apple, Google, Microsoft, and your own email providers are subject to the terms of those providers.

Some of our business systems (for example our CRM) might use cloud services that operate from Third Countries outside the UK and the EEA. Where we must use cloud services that operate from Third Countries, we ensure that adequate safeguards are established to protect your data.

Your rights under Data Protection Law

Right to Access

You have the right of access to your personal information that we process and details about that processing. You can usually access that information directly within the Phishr application. However, should this not be possible, you can raise a Data Subject Access Request (DSAR) to receive this information in another format. Please direct your request to the organisation which manages our application.

Right to Rectification

You have the right to request that information is corrected if it’s inaccurate. You can usually update your own information using the Phishr app. However, should this not be possible, you can contact us to make the changes on your behalf. In the first instance, you should contact your organisation, to correct the data held by them and provided to us for processing.

Right to Erasure (Right to be Forgotten)

You have the right to request that your information is removed; depending on the circumstances, we may or may not be obliged to action this request. Please direct your request to the organisation which manages our application.

Right to Object

You have the right to object to the processing of your information; depending on the circumstances, we may or may not be obliged to action this request. Please direct your request to the organisation which manages our application.

Right to Restriction of Processing

You have the right to request that we restrict the extent of our processing activities; depending on the circumstances, we may or may not be obliged to action this request. Please direct your request to the organisation which manages our application.

Right to Data Portability

You have the right to receive the personal data which you have provided to us in a structured, commonly used and machine-readable format suitable for transferring to another controller. Please make enquiries with your organisation.

Right to lodge a complaint with a supervisory authority

If you have any concerns or complaints regarding the processing of your personal data, or our compliance with the GDPR and DPA 2018, you should contact your organisation initially. Please state clearly in the subject that your request concerns a privacy matter and provide a clear description of your requirements.
Note: We may need to request additional information to verify your identity before your request is actioned.

The law allows you to contact us directly. However, as data processors we must seek permission from the data controller (your organisation) before we are able to release any information to you, which will include disclosing the request made and the identity verification undertaken. We recommend that you always contact your organisation regarding any data we process.

You also have the right to lodge a complaint with the Supervisory Authority. Their contact details in the UK are:

Website: www.ico.org.uk
Telephone: 0303 123 1113
Postal address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Sharing personal information with third parties

We use a range of trusted service providers to help deliver our services. All of our suppliers are subject to appropriate safeguards, operating in accordance with our specific instructions and limitations, and in full compliance with Data Protection Law.

When you visit or log in to our website, cookies and similar technologies may be used by our online data partners or vendors to associate these activities with other personal information they or others have about you, including by association with your email or home address. We (or service providers on our behalf) may then send communications and marketing to these email or home addresses. You may opt out of receiving this advertising by visiting https://app.retention.com/optout

Sub-processor        | Purpose
---------------------|------------------------------------------------------------------------------------------------------------
Amazon AWS           | Phishr cloud hosting platform
Microsoft Office 365 | Data management and communications
Hubspot              | Email communication to users and prospective customers
Facebook Pixel       | Allows us to anonymously analyse how visitors interact with the content on our website when they visit from Facebook
LinkedIn Pixel       | Allows us to anonymously analyse how visitors interact with the content on our website when they visit from LinkedIn
Twilio               | SMS notification to mobile devices

How long we may keep your personal information

We will only retain information for as long as is necessary to deliver the service safely and securely. We may need to retain some records to maintain compliance with other applicable legislation.

Your organisation controls the retention of data in the Phishr platform and you should refer to their policies and practices in the first instance.

However, in Phishr:

Security credentials, such as a salted, hashed password, for a deleted user account are purged immediately on deletion.

If we cease service to a customer, then all content and user data is fully deleted from the underlying Phishr platform within 30 days.

Changes to our Privacy Notice

This policy will be reviewed regularly, and updated versions will be posted on our websites.

Help undertaking a Data Privacy Impact Assessment (DPIA)

If you are undertaking a DPIA on behalf of your organisation, then we can provide additional information to you that answers common questions and shows how we consider and address risks.

If you would like access to this information, or any other help completing your DPIA, then please contact our Data Protection Lead.

Contact details for our Data Protection Lead

We have appointed a Data Protection Lead (DPL); their contact details are as follows:

E-mail: harvey@phishr.co.uk

By post: Data Protection Lead, at Phishr Limited’s registered company address.

Contacting us

If you can’t find what you’re looking for here, or have a concern about our use of your personal data, please get in touch by emailing hello@phishr.co.uk.