Privacy Policy

Who we are

RedPhish LLC

8401 Mayland Dr STE A

Richmond, VA 23294, USA

Contact: support@redphish.app

Scope

This Policy applies to information we collect through the Service, including our web app, APIs, and RedPhish browser extensions. It does not apply to third-party services that integrate with the Service; those are governed by their own privacy practices.

Definitions (aligned with our Terms)

• Account Data: contact, billing, and profile information used to manage your account.
• Customer Data: data submitted to or collected by the Service from or on behalf of a customer (e.g., URLs/links you submit for analysis, allow/deny lists, configuration data). For Customer Data, we act as a processor/service provider.
• School (Education Customer): an educational institution, district, or administrative body purchasing or enabling the Service for use by its students and staff.
• Student: an individual enrolled with a School whose access to the Service is provisioned and managed by that School.
• Student Data: personally identifiable information about Students that is provided to or collected by the Service in the course of providing the Service to a School for an educational purpose. Student Data is a subset of Customer Data.
• Support Data: information you provide when you contact support.
• Operational/Telemetry Data: usage, diagnostics, performance, and security logs related to operation of the Service.
• Scan: a request you initiate to analyze a URL, domain, or link.
• Results: the response returned by the Service for a Scan.

Information we collect

We collect the following categories of information. The precise data depends on how you use the Service and the features you enable.

1) Account Data (controller/business)

• Name, email, organization, role.
• Billing and subscription details (plan, invoices, payment status). Payments are processed by our payment processor; we do not store full payment card numbers.

2) Customer Data (processor/service provider)

• URLs/links, domains, or content you submit for Scans, allow/deny lists, and configuration settings.
• Optional labels/notes you attach to Scans or Results.

Note: Do not submit unnecessary personal data. Avoid special categories of personal data. See our Terms.

2A) Student Data (when a School uses the Service with Students)

• Account/roster data provided by the School (e.g., name, school-issued email/ID, class/role) solely as needed to provision and manage Student access.
• Limited usage data necessary to operate the Service in the School's environment (e.g., timestamps, policy decisions related to allowed/blocked URLs, audit logs). We do not collect more personal information than reasonably necessary for Students to participate in the Service.

3) Operational/Telemetry Data (controller/business)

• Device and usage data: IP address, browser/OS, timestamps, feature usage, API metrics, performance and error logs.
• Security and audit logs related to authentication, rate-limits, and abuse prevention.
• Aggregated analytics about Service usage (without directly identifying an individual where feasible).

4) Support Data (controller/business)

• Contact details, ticket contents, attachments you provide, and related diagnostics.

5) Cookies and similar technologies (controller/business)

• We use necessary cookies for authentication, session management, and security.
• We may use limited first-party analytics to understand product usage and improve the Service. You can control cookies via your browser settings.

6) Browser extension data (controller/business for extension telemetry; processor for Customer Data)

• The RedPhish extension may request permission to read the active tab's URL solely to perform user-initiated Scans or enforce your organization's configured policies. The extension does not read page content beyond what is strictly necessary for the Service.
• The extension may record limited telemetry (e.g., extension version, errors) for support and security.

How we use information (purposes)

• Provide, operate, maintain, and secure the Service.
• Process Scans and return Results; maintain allow/deny lists and policies.
• Authenticate and manage users and organizations; provide support.
• Bill and collect fees; prevent fraud, abuse, and security incidents.
• Analyze and improve the Service, including developing new features.
• Comply with legal obligations and enforce our Terms and policies.

Additional limits for Student Data (Schools): We use Student Data only to provide the Service to the School for educational purposes, to maintain and secure the Service, to comply with law, and as otherwise instructed in writing by the School. We do not use Student Data to build profiles for advertising, nor do we serve third-party behavioral advertising to Students in the Service.

Legal bases for processing (EEA/UK/Switzerland)

• Contract performance (Art. 6(1)(b)) to provide the Service and support.
• Legitimate interests (Art. 6(1)(f)) for security, fraud prevention, product improvement, and limited analytics (balanced against your rights and expectations).
• Consent (Art. 6(1)(a)) where required (e.g., certain cookies/marketing communications).
• Legal obligations (Art. 6(1)(c)).

For Customer Data, we process as a processor/service provider under our DPA with your organization.

Sharing and disclosures

• Subprocessors/service providers who assist in hosting, storage, authentication, support, analytics, logging, and payment processing. We contractually require confidentiality and appropriate security.
• Third-party threat intelligence sources and blocklists that inform Results (we generally request/receive data from these sources; we do not disclose your personal data to them unless necessary to provide the Service or mandated by law).
• Professional advisors (legal, accounting), and as required by law or lawful requests.
• In connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality obligations.

We do not sell or share personal information for cross-context behavioral advertising as defined by U.S. state privacy laws. Specifically, we do not sell Student Data or share it for targeted advertising.

International transfers

We may transfer information to the United States and other countries where we and our subprocessors operate. Where required, we use appropriate safeguards, such as Standard Contractual Clauses (SCCs) and, if applicable, UK addenda. Details are available in our DPA.

Data retention

We retain Account Data for as long as you maintain an account and as necessary for billing, compliance, and dispute resolution. We retain Customer Data according to your organization's configuration and our agreement; after termination, we provide a retrieval window (typically 30 days) and then delete within 60 days, subject to legal retention and backups. Operational/Telemetry and Support Data are retained for the shortest period necessary for security, diagnostics, and compliance purposes. For Student Data, we retain only for the active period of the School's use and delete or de-identify upon the School's request or at termination/expiration, subject to legal retention and backups.

Security

We employ industry-standard measures, including encryption in transit and at rest, access controls, and periodic vulnerability assessments. No method of transmission or storage is 100% secure; your use of the Service is at your own risk. You are responsible for maintaining the security of your credentials and configurations.

Your rights and choices

Depending on your location, you may have rights to access, correct, delete, port, or restrict processing of your personal data, and to object to certain processing. To exercise rights, contact us at support@redphish.app. We may request information to verify your identity. If your data is processed under a contract with your organization (including a School), please direct your request to your organization; we will support them in responding. For Students, parent/guardian requests should be made through the School; we will not respond directly to parents/guardians except at the School's documented direction or where legally required.

California (CPRA)

• We disclose the categories of personal information we collect, sources, purposes, and recipients as described in this Policy.
• We do not sell or share personal information for cross-context behavioral advertising.
• You may exercise rights to know, delete, correct, and limit certain uses of sensitive personal information (not applicable, as we do not request SPI).

Virginia and other U.S. state laws (e.g., VCDPA, CPA, CTDPA, UCPA)

• You may have rights to access, correct, delete, portability, and opt out of targeted advertising or profiling producing legal effects (we do not engage in such profiling).
• You may appeal a rights request decision by emailing support@redphish.app with "Appeal" in the subject.

EEA/UK/Switzerland (GDPR/UK GDPR)

• You may have rights to access, rectification, erasure, restriction, portability, and objection, and to lodge a complaint with your supervisory authority. Our lead contact is available upon request.

Children's privacy; Education use (COPPA/FERPA)

Except for School-managed accounts described here, the Service is not directed to children under 13 and we do not knowingly collect personal data from them. Where a U.S. School uses the Service with Students (including Students under 13), we rely on the School to provide consent on behalf of parents/guardians under COPPA solely for the educational use of the Service. We act as a School Official under FERPA for Student Data and process such data only for educational purposes at the direction of the School. We do not require Students to provide more personal information than is reasonably necessary to participate, we do not sell Student Data, and we do not use Student Data for targeted advertising. Parents/guardians should direct any requests to review, correct, or delete Student Data to their School; we will assist the School in responding. If we learn we have collected personal data from a child under 13 outside of a School context, we will delete it.

Cookies and tracking

You can control cookies through your browser settings. Some features require strictly necessary cookies and may not function without them. We do not respond to Do Not Track signals; you may use browser or OS privacy controls and extension permissions to limit data collection.

Third-party links and services

The Service may contain links to third-party websites or services. Their privacy practices are governed by their own policies.

Law enforcement and legal requests

We may preserve and disclose information if we believe it is reasonably necessary to comply with law, regulation, legal process, or governmental request; to protect the safety, rights, or property of the public, any person, or RedPhish; or to detect, prevent, or address fraud, security, or technical issues.

Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will provide notice (e.g., via the Service or email) and update the "Effective date" above. Your continued use of the Service after the effective date constitutes acceptance.

Contact us

For questions or to exercise privacy rights:

RedPhish LLC

8401 Mayland Dr STE A, Richmond, VA 23294, USA

Email: support@redphish.app

Student Privacy Contact (Education Customers): support@redphish.app. Parents/guardians should contact their School directly for Student Data requests.