
Privacy Policy

What data PhishNet collects, why we collect it, who we share it with, and the controls you have over it.

Last updated: May 8, 2026. Effective: May 8, 2026.
Contents
  1. Overview
  2. Information we collect
  3. Why we process your data
  4. Who we share data with
  5. How long we keep your data
  6. Your rights
  7. How we secure your data
  8. International transfers
  9. Children's privacy
  10. California residents (CCPA)
  11. Nigerian residents (NDPA 2023)
  12. Changes to this policy
  13. Contact us

1. Overview

PhishNet is an AI inbox firewall. To detect phishing, we analyze the emails you open inside Gmail and Outlook — that necessarily means we process the contents of those emails. This policy explains what we collect, why we collect it, who we share it with, how long we keep it, and the controls you have.

When this policy says "PhishNet", "we", or "us", it means PhishNet, Inc. ("the Company"). When it says "you", it means the person using PhishNet — either as an individual or as a member of an organization that has subscribed to PhishNet for its team.

2. Information we collect

We collect the following categories of information:

Category, examples, and source:

  • Account. Email address, display name, password hash (for email/password accounts), Google OAuth subject ID, role, organization membership. Source: you, when you sign up.
  • Email content. Sender address, display name, subject, headers (including SPF/DKIM/DMARC results), text snippet of the body, list of URLs, attachment filenames and SHA-256 hashes. Source: the PhishNet extension, when you open an email in Gmail or Outlook.
  • Scan results. Risk score, label (clean / suspicious / phishing), reason codes, the AI summary and suggested reply, your override actions (mark safe, report, quarantine). Source: generated by our backend.
  • Usage. Number of scans, feature toggles, last-active timestamps, sensitivity preferences. Source: generated by our backend.
  • Billing. Plan tier, subscription status, billing email, invoice history. We do not store card numbers — Stripe handles that. Source: you and Stripe.
  • Security telemetry. IP address, user-agent, login timestamps, 2FA enrollment status, session identifiers. Source: your browser and our backend.

We do not collect: web browsing history outside Gmail and Outlook, contacts from your address book, social-media activity, or location beyond what an IP address reveals.

3. Why we process your data

We use the data above for these purposes only:

  • Threat detection. Email content, headers, URLs, and attachment hashes are scored against deterministic rules and sent to a large language model for analysis. This is the core service you signed up for.
  • Account management. Authentication, password reset, two-factor verification, organization membership, plan provisioning.
  • Billing. Charging your subscription, sending invoices, preventing fraud on the payment side.
  • Service improvement. Aggregated, de-identified metrics about detection accuracy, latency, and feature adoption. We do not train any machine-learning model on your individual emails without your explicit consent.
  • Security and abuse prevention. Rate-limiting, blocking known-bad senders across the platform, investigating suspicious account behavior, responding to lawful requests.
  • Communications. Service emails (verification, password reset, billing receipts) and — only if you opt in — product updates.

Under GDPR, our legal bases are: contract (delivering the service you subscribed to), legitimate interest (security, fraud prevention, basic analytics), and consent (optional marketing communications, optional data-sharing for model improvement).

4. Who we share data with

We do not sell your data. We share it only with the service providers below, and only to the extent necessary for them to deliver their part of the service. Each is bound by a data-processing agreement that requires the same protection we provide.

Provider, what they receive, and purpose:

  • LLM provider (Anthropic, OpenAI, or Google, depending on configuration). Receives: email subject, snippet, sender, URLs, headers — with personally-identifying tokens (account numbers, phone numbers, internal IDs) redacted before transmission. Purpose: generate the threat score, summary, and suggested reply. Providers are configured to not retain the content for model training.
  • Google. Receives: OAuth identity and the Gmail scopes you grant when you connect your inbox. Purpose: authentication and Gmail integration. We use the minimum scopes needed; you can revoke at any time from your Google account.
  • Stripe. Receives: email, plan tier, billing address, payment method (handled directly by Stripe — we never see card numbers). Purpose: subscription billing and invoicing.
  • Cloud hosting & email. Receives: all categories above, encrypted in transit and at rest. Purpose: application hosting, database, transactional email delivery.

We may also disclose data when legally required (subpoena, court order), or when we reasonably believe disclosure is necessary to prevent imminent harm. When we do, we will notify you unless we are legally prohibited from doing so.

5. How long we keep your data

  • Account data: kept until you delete your account, then purged within 30 days.
  • Scan records: retained for the duration of your subscription so that admins and SOC tools can audit history. Deleted on account deletion.
  • Threat-intel signals (sender reputation, domain risk scores): retained indefinitely in aggregate form to protect other users — these signals are not personally identifying once aggregated.
  • Billing records: retained for as long as required by tax and accounting law in our jurisdiction (typically 7 years).
  • Security logs: 90 days, then aggregated.

6. Your rights

Depending on where you live, you have some or all of the following rights:

  • Access. Get a copy of the data we hold about you. Available from Account → Profile.
  • Correction. Update inaccurate data. Profile fields are editable from the same page.
  • Deletion. Delete your account and all associated personal data. Available from Account → Account.
  • Portability. Export your scan history in machine-readable JSON.
  • Object and restrict. Object to or restrict specific processing activities — contact us at the address below.
  • Withdraw consent. Withdraw any consent you previously gave (e.g. marketing emails). Effective immediately, but doesn't undo prior processing.
  • Lodge a complaint. If we get something wrong, you can complain to your local data-protection authority — for example, the Nigeria Data Protection Commission (NDPC) for Nigerian residents, or your national supervisory authority under GDPR for EEA/UK residents.

We respond to verified rights requests within 30 days. To submit a request, email us at privacy@phishnet.ai or use the in-product controls linked above.

7. How we secure your data

  • All traffic between your browser, the extension, and our backend is encrypted with TLS 1.2+.
  • Data at rest is encrypted on disk; sensitive fields (refresh tokens, 2FA secrets) are encrypted at the application layer.
  • Access to production systems requires single sign-on, hardware-key 2FA, and is audit-logged.
  • We follow the principle of least privilege internally; engineers do not have routine access to customer email content.
  • We run automated security tests on every change, scan dependencies for known vulnerabilities, and have a responsible-disclosure policy at security@phishnet.ai.

No system is perfect. If we ever experience a breach affecting your personal data, we will notify the Nigeria Data Protection Commission (NDPC) within 72 hours as required by the NDPA 2023, and will notify affected Nigerian users within 7 days where the breach poses a high risk to their rights. We apply the same standard globally and will also notify relevant authorities (e.g. EU supervisory authorities under GDPR, US state regulators) within applicable timeframes.

8. International transfers

PhishNet operates from Nigeria, and our cloud infrastructure is hosted in the United States. Personal data collected from users in Nigeria, the EEA, the UK, or Switzerland is therefore transferred to and processed in the US. We rely on Standard Contractual Clauses and other NDPC-approved safeguards (for transfers from Nigeria under the NDPA 2023) and EU/UK Standard Contractual Clauses (for EEA/UK transfers) to ensure your data receives protection equivalent to that provided by your home jurisdiction.

For Nigerian residents: cross-border transfers of your personal data are carried out in accordance with Section 43 of the Nigeria Data Protection Act 2023. You may request a copy of the applicable transfer safeguards by contacting privacy@phishnet.ai.

9. Children's privacy

PhishNet is not directed at children under 16. We do not knowingly collect data from children under 16. If you believe a child has provided data to us, contact privacy@phishnet.ai and we will delete it.

10. California residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights in addition to those listed above:

  • Know. Request disclosure of the categories and specific pieces of personal information we have collected about you, and the purposes for which we use it.
  • Delete. Request deletion of your personal information (subject to certain exceptions, such as information needed to complete a transaction or comply with law).
  • Opt out of sale. PhishNet does not sell personal information as defined by the CCPA, so there is nothing to opt out of.
  • Non-discrimination. We will not discriminate against you for exercising any CCPA right.
  • Correct. Request correction of inaccurate personal information we hold about you.
  • Limit use of sensitive personal information. We do not use sensitive personal information for any purpose beyond what is necessary to provide the service.

To submit a CCPA request, email privacy@phishnet.ai. We will verify your identity before processing the request and respond within 45 days (extendable by a further 45 days with notice).

For purposes of the CCPA, PhishNet acts as a "service provider" with respect to email content it processes on behalf of organizational customers, and as a "business" with respect to individual account data.

11. Nigerian residents (NDPA 2023)

PhishNet operates from Nigeria and processes the personal data of Nigerian residents in compliance with the Nigeria Data Protection Act 2023 (NDPA) and regulations issued by the Nigeria Data Protection Commission (NDPC).

In addition to the general rights listed above, Nigerian residents have the following rights under the NDPA:

  • Access. Request confirmation that we hold your personal data and obtain a copy, including information about how it is processed.
  • Correction. Request correction of inaccurate or incomplete personal data without undue delay.
  • Erasure. Request deletion of your personal data where there is no overriding statutory or legitimate ground for continued processing.
  • Objection. Object at any time to processing based on legitimate interests or for direct marketing purposes.
  • Restriction. Request that we restrict processing while a correction or objection request is being assessed.
  • Portability. Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Withdraw consent. Where we rely on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Lodge a complaint. File a complaint with the NDPC by contacting them at info@ndpc.gov.ng or through the NDPC's official channels.

Lawful bases (NDPA). We process personal data under the following NDPA lawful bases: contract (delivering the service), legitimate interest (security, fraud prevention, aggregated analytics — balanced against your rights), and consent (optional marketing and model-improvement data sharing, which you can withdraw at any time).

NDPC registration. PhishNet is registered with (or in the process of registering with) the NDPC as a data controller and data processor as required by the NDPA. Our registration reference is available upon request.

Data Protection Impact Assessment. Our AI-based email scanning constitutes large-scale processing of personal data and may qualify as high-risk processing under the NDPA. We conduct and maintain a Data Protection Impact Assessment (DPIA) for this activity and review it whenever the processing materially changes.

Data Protection Officer. We have designated a Data Protection Officer (DPO) as required by the NDPA for organisations of our scale of processing. You can reach the DPO at dpo@phishnet.ai.

To exercise any NDPA right, email privacy@phishnet.ai with your name, account email, and a description of your request. We will verify your identity and respond within 30 days (extendable by a further 30 days with notice, as permitted by the NDPA).

12. Changes to this policy

We may update this policy as the product evolves or laws change. Material changes will be announced in-product and via email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact us

Questions, complaints, or rights requests:

  • Email: privacy@phishnet.ai
  • Mail: PhishNet, Inc. — mailing address available upon written request to privacy@phishnet.ai.
  • EU/UK representative: We will designate a representative under GDPR Article 27 / UK GDPR if and when we determine that obligation applies to us. Contact privacy@phishnet.ai for current status.
  • Data Protection Officer: dpo@phishnet.ai
© 2026 PhishNet, Inc. All rights reserved.