Privacy Policy
This policy applies to all services at phishoutai.com and app.phishoutai.com. It complies with the EU GDPR and the Portuguese Lei n.º 58/2019. Questions? Contact us.
Who We Are
PhishOut AI ("we", "us", "our") operates phishoutai.com and the associated analysis application at app.phishoutai.com. We are the data controller for personal data processed through our services.
- Contact: phishoutai.com/contact-us
- Website: https://phishoutai.com
Data We Collect
2.1 Account Data
When you register, we collect your name, email address, and hashed password (managed via WordPress/WooCommerce). We never store plaintext passwords.
2.2 Content Submitted for Analysis
Content you submit (email text, URLs, uploaded files, screenshots) is processed exclusively to generate a threat analysis report.
- Free plan: submitted content is processed in real-time and permanently discarded after the report is returned — nothing is stored.
- Pro users (active credit balance): analysis results (not raw content) are stored in your encrypted history for your exclusive access, while your credit balance remains positive.
2.3 Credit & Purchase Data
When you purchase a credit pack, we store your credit balance, the number of credits purchased, the pack size, and the transaction date. Credits never expire and accumulate across purchases. Payment processing is handled exclusively by Stripe — we do not store card numbers or full payment details.
2.4 Usage & Technical Data
| Data Point | Purpose | Retention |
|---|---|---|
| IP address | Rate limiting, abuse prevention | 24 hours |
| Browser / OS (User-Agent) | Session management (Pro) | Session duration |
| Credit balance & usage log | Quota enforcement, billing dispute resolution | Account lifetime + 30 days |
| Analysis result (Pro — active credits) | History feature | While credit balance > 0; 30 days after depletion |
2.5 Cookies
See our Cookie Policy for full details.
How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide analysis service | Submitted content, account ID | Contract performance |
| Authentication & sessions | Email, session token, IP | Contract performance |
| Credit management & billing | Credit balance, Stripe customer ID | Contract performance |
| Rate limiting & abuse prevention | IP address, usage count | Legitimate interest |
| Service improvement | Aggregated, anonymised stats | Legitimate interest |
| Transactional emails | Email address | Contract performance |
| Legal compliance | As required by law | Legal obligation |
We never sell, rent, or share your personal data with third parties for marketing purposes. We do not use your submitted content to train AI models.
Legal Basis (GDPR Art. 6)
- Art. 6(1)(b) — Contract: Processing necessary to provide the service you signed up for (analysis, credit management, billing, account management).
- Art. 6(1)(c) — Legal obligation: Compliance with EU / Portuguese law, tax obligations, anti-fraud regulation.
- Art. 6(1)(f) — Legitimate interest: Security monitoring, abuse prevention, aggregate service analytics.
- Art. 6(1)(a) — Consent: Where we use non-essential cookies or send non-transactional communications.
Data Retention
| Category | Retention Period |
|---|---|
| Free plan — submitted content | Deleted immediately after analysis |
| Pro — analysis history | While credit balance > 0, then +30 days |
| Credit balance & purchase log | Account lifetime + 30 days after deletion |
| Account data | Until account deletion + 30 days |
| IP / rate-limit logs | 24 hours |
| Payment records | 7 years (tax / legal obligation) |
| Session tokens | 2 hours inactivity or logout |
You may request deletion of your account at any time via our contact page. Deletion will be completed within 30 days, except where retention is required by law. Note: unused credit balances are forfeited upon account deletion.
Third-Party Sub-Processors
We use a limited set of sub-processors, each bound by GDPR-compliant Data Processing Agreements (DPAs):
| Sub-processor | Role | Data Shared | Location |
|---|---|---|---|
| Google (Gemini API) | AI threat analysis engine | Submitted content (transient) | EU / US (SCCs) |
| Stripe | Payment processing for credit packs | Email, billing metadata | US (SCCs) |
| Hostinger | Web hosting & database | All service data | EU (Lithuania) |
| VirusTotal (Pro) | URL reputation lookup | Submitted URLs only | US (SCCs) |
| URLScan.io (Pro) | URL visual inspection | Submitted URLs only | EU (Germany) |
We do not use advertising networks, social media trackers, or analytics services that process personal data without your consent.
International Data Transfers
Some sub-processors (Google, Stripe) are located outside the EU/EEA. All transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, supplementary technical measures (encryption in transit and at rest), and adequacy decisions where applicable. You may request a copy of the applicable transfer mechanisms by contacting us.
Your Rights
Under GDPR (Chapter III) you have the following rights. To exercise any of them, contact us via our contact page. We will respond within 30 days.
| Right | What it means |
|---|---|
| Access | Request a copy of the personal data we hold about you, including your credit balance and purchase history. |
| Rectification | Correct inaccurate or incomplete data. |
| Erasure | Request deletion of your account and data. Note that unused credits are forfeited upon erasure. |
| Restriction | Request that we limit processing of your data in certain circumstances. |
| Portability | Receive your data in a structured, machine-readable format. |
| Objection | Object to processing based on legitimate interest. |
| Withdraw consent | Withdraw consent at any time for consent-based processing (e.g. cookies). |
You also have the right to lodge a complaint with the Comissão Nacional de Proteção de Dados (CNPD).
Children
PhishOut AI is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately.
Security
- TLS 1.2+ encryption for all data in transit (HTTPS enforced).
- AES-256 encryption for data at rest.
- Bcrypt password hashing (cost factor 12) for all credentials.
- CSRF double-submit tokens on all authenticated endpoints.
- IP-based rate limiting and brute-force lockout protection.
- Atomic credit decrement to prevent race conditions on concurrent analysis requests.
- Role-based access control for administrative functions.
- Complete audit log of all administrative actions.
If you discover a security vulnerability, please report it responsibly via our contact page.
Changes to This Policy
When we make material changes, we will update the "Last updated" date, notify registered users by email at least 14 days in advance, and where required by law, ask for renewed consent. Continued use of the service after the effective date constitutes acceptance.