Privacy Policy
Last updated: 5.5.2025
This Privacy Policy describes how Lorenz Peter Lösch e.U. (“AutoPhish”, “we”, “us”, or “our”) collects, uses, and protects personal data when you use our phishing simulation and security awareness platform (the “Service”).
We are committed to complying with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Austrian data protection laws.
1. Data Controller and Contact
Lorenz Peter Lösch e.U. is the data controller for customer account data. When acting on behalf of our customers to process employee data for phishing simulations, we are a data processor.
Contact: hello@lorenz-loesch.at
2. Data We Collect
From Customers (as Controllers):
- Name, email address, and billing information of the person creating an account
- Payment details (processed via Stripe)
From End Users (Employees of Customers):
- Email addresses (required for phishing simulation)
- Email addresses may contain names (implicitly), but we do not require or process full names at this time
In the future, we may collect additional personal data (e.g., names, departments) upon explicit request by customers.
3. Purpose and Legal Basis of Processing
We process personal data for the following purposes:
- Provision of Service: Running phishing simulations and managing results for the customer
- Account Management and Support: Managing your subscription, responding to inquiries
- Billing and Payments: Processing payments via Stripe
Legal bases for processing:
- Article 6(1)(b) GDPR – contract performance
- Article 6(1)(f) GDPR – legitimate interest (e.g., cybersecurity awareness, platform operation)
- Article 6(1)(c) GDPR – legal obligations (e.g., tax retention)
4. Data Retention
We retain customer and employee data only as long as necessary for the purposes stated above, or to comply with legal obligations.
Customer administrators may request deletion of employee data at any time.
5. Sub-Processors
We use the following sub-processors to operate the Service:
- Stripe (Ireland) – payment processing
- Contabo GmbH (Germany) – infrastructure and hosting
- World4You Internet Services GmbH (Austria) – email delivery and notifications
All sub-processors are located in the EU and are bound by appropriate data processing agreements (DPAs) to ensure GDPR compliance.
We do not transfer personal data outside of the European Union.
6. Data Security
We implement technical and organizational measures appropriate to the risks, including:
- Access controls and authentication
- Encryption of data in transit
- Monitoring and audit logging
7. Data Subject Rights
If you are an individual whose data is processed under our Service (e.g., as an employee of a customer), you may have the following rights under the GDPR:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to object
- Right to data portability
Requests can be directed to your employer (the data controller) or to us at hello@lorenz-loesch.at.
8. Updates to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the platform.
9. Questions
For any questions regarding this Privacy Policy, please contact:
Lorenz Peter Lösch e.U.
Email: hello@lorenz-loesch.at