Service Privacy Policy
Last updated: 13.2.2026
This Privacy Policy describes how QADS e.U. ("AutoPhish", "we", "us", or "our") collects, uses, and protects personal data when you use our phishing simulation and security awareness platform (the "Service").
We are committed to complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Austrian data protection laws.
This policy covers the AutoPhish Service (the authenticated platform). For information about data processing on our public marketing website, please see our Website Privacy Policy.
1. Data Controller and Roles
QADS e.U. is the data controller for customer account data. When acting on behalf of our customers to process employee data for phishing simulations, we are a data processor.
2. Data We Collect
We collect the following categories of personal data in the Service:
From Customers (as Controllers):
- Name, email address, and billing information of the person creating an account
- Payment details (processed via Stripe)
From End Users (Employees of Customers):
- Email addresses (required for phishing simulation)
- Names (if provided by the customer in target lists)
Technical Data (collected automatically during simulations):
- IP address
- User agent (browser and device information)
This technical data is collected when end users interact with simulated phishing emails (e.g., opening an email, clicking a link, or submitting credentials on a simulated login page). It is used solely for security analytics and campaign reporting.
3. Purpose and Legal Basis of Processing
Purposes:
- Provision of Service: Running phishing simulations and managing results for the customer
- Account Management and Support: Managing your subscription, responding to inquiries
- Billing and Payments: Processing payments via Stripe
- Security Analytics: Recording IP addresses and user agents during simulations for campaign reporting
Legal bases:
- Article 6(1)(b) GDPR – contract performance
- Article 6(1)(f) GDPR – legitimate interest (e.g., cybersecurity awareness, platform operation)
- Article 6(1)(c) GDPR – legal obligations (e.g., tax retention)
4. Data Retention
We retain customer and employee data only as long as necessary for the purposes stated above, or to comply with legal obligations.
Customer administrators may request deletion of employee data at any time.
5. Sub-Processors
We use the following sub-processors to operate the Service:
- Stripe (Ireland) – payment processing
- Contabo GmbH (Germany) – infrastructure and hosting
- World4You Internet Services GmbH (Austria) – email delivery and notifications
- SMTP.DK ApS (Denmark) – email sending
- Crisp IM SAS (France) – customer support functionality
All sub-processors are located in the EU and are bound by appropriate data processing agreements (DPAs) to ensure GDPR compliance.
We do not transfer personal data outside of the European Union.
Note: The Service does not use Google Analytics or any third-party website analytics tools.
6. Data Security
We implement technical and organizational measures appropriate to the risks, including:
- Access controls and authentication
- Encryption of data in transit
- Monitoring and audit logging
7. Data Subject Rights
If you are an individual whose data is processed under our Service (e.g., as an employee of a customer), you may have the following rights under the GDPR:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to object
- Right to data portability
8. Updates to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the platform.
9. Questions
For any questions regarding this Privacy Policy, please contact:
QADS e.U.
Email: support@autophish.io