Service Privacy Policy
Last updated: 26.05.2026
This Privacy Policy describes how QADS e.U. ("AutoPhish", "we", "us", or "our") collects, uses, and protects personal data when you use our phishing simulation and security awareness platform (the "Service").
We are committed to complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Austrian data protection laws.
This policy covers the AutoPhish Service (the authenticated platform). For information about data processing on our public marketing website, please see our Website Privacy Policy.
1. Data Controller and Roles
QADS e.U. is the data controller for customer account data. When acting on behalf of our customers to process employee data for phishing simulations, we are a data processor.
2. Data We Collect
We collect the following categories of personal data in the Service:
From Customers (as Controllers):
- Name, email address, billing company name, and billing address details of the person creating an account or managing billing
- Payment, invoice, and subscription data (processed via Stripe), including data needed to calculate and apply taxes where required
From End Users (Employees of Customers):
- Email addresses (required for phishing simulation)
- Names and other target-list attributes provided by the customer (e.g., department, role, or language)
- Campaign, training, and reporting data (e.g., send, open, click, and report events, simulated login interactions, training status, and security scores)
- If enabled: reported email content and metadata, domain/DNS/security scan data, and company context data
Technical Data (collected automatically during simulations):
- IP address
- User agent (browser and device information)
- Timestamps, technical request/header data, and log data
This technical data is collected when end users interact with simulated phishing emails (e.g., opening an email, clicking a link, reporting an email, or entering a username/login identifier on a simulated login page). It is used solely for security analytics and campaign reporting.
3. Purpose and Legal Basis of Processing
Purposes:
- Provision of Service: Running phishing simulations and managing results for the customer
- Account Management and Support: Managing your subscription, responding to inquiries
- Billing and Payments: Processing payments via Stripe, issuing invoices, and calculating or applying taxes where required
- Security Analytics and Reporting: Recording interactions, technical data, training progress, security scores, and, where enabled, domain/DNS/security checks for reporting
Legal bases:
- Article 6(1)(b) GDPR – contract performance
- Article 6(1)(f) GDPR – legitimate interest (e.g., cybersecurity awareness, platform operation)
- Article 6(1)(c) GDPR – legal obligations (e.g., tax retention)
4. Data Retention
We retain customer and employee data only as long as necessary for the purposes stated above, or to comply with legal obligations.
By default, campaign data (including execution results, email content, interaction data, training records, security scan results, security scores, and DNS monitoring logs) is automatically deleted or anonymized after three (3) years. This retention period can be adjusted on a per-organization basis upon request — please contact us if you require a shorter or longer retention period.
Raw reported email content in "Report Phish" or comparable reporting workflows is retained only as long as required for review, analysis, support, or security analysis; where the Service technically supports a default period, it is 90 days. Billing data relevant for tax and corporate-law retention obligations is retained in accordance with applicable legal requirements.
Customer administrators may request deletion of employee data at any time.
5. Sub-Processors
We use the following sub-processors to operate the Service:
- Stripe (Ireland) – payment processing, invoicing, subscription management, and tax calculation support
- Contabo GmbH (Germany) – infrastructure and hosting
- World4You Internet Services GmbH (Austria) – email delivery and notifications
- SMTP.DK ApS (Denmark) – email sending
- Crisp IM SAS (France) – customer support functionality
For the standard Service, the regularly used sub-processors are located in the EU/EEA and are bound by appropriate data processing agreements (DPAs) to ensure GDPR compliance.
For separately ordered add-on services, additional sub-processors named in the applicable offer or DPA may be used. Third-country transfers take place only where expressly agreed or required for the ordered service and where appropriate safeguards under the GDPR are in place.
Note: The Service does not use Google Analytics or any third-party website analytics tools.
6. Data Security
We implement technical and organizational measures appropriate to the risks, including:
- Access controls and authentication
- Encryption of data in transit
- Monitoring and audit logging
7. Data Subject Rights
If you are an individual whose data is processed under our Service (e.g., as an employee of a customer), you may have the following rights under the GDPR:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to object
- Right to data portability
8. Updates to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the platform.
9. Questions
For any questions regarding this Privacy Policy, please contact:
QADS e.U.
Email: support@autophish.io