Privacy Policy
Last updated: April 2026
This Privacy Policy describes how DelPhish processes personal data in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR" / "RGPD") and Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
1. Data Controller
The data controller responsible for the processing of your personal data is:
- Service: DelPhish
- Website: https://delphish.app
- Privacy contact: privacy@delphish.app
- Data Protection enquiries: dpo@delphish.app
2. Personal Data We Process
Depending on how you use the service, we may process the following categories of personal data:
- Account data: email address, hashed password, organization name, role, language preference, and (if enabled) TOTP two-factor authentication secret.
- Analysis content: email or SMS content (sender, subject, body, headers, URLs) submitted for analysis. This content may incidentally contain personal data of third parties; you are responsible for having a lawful basis to submit it.
- Usage data: analysis counts, timestamps, risk scores, classifications and verdicts.
- Phishing simulation data: recipient email addresses, click/submit/report timestamps and aggregated awareness statistics (only when an administrator of your organization launches simulations).
- Technical data: IP address, browser user-agent, access logs, session identifiers and rate-limit counters.
- Billing data: if you subscribe to a paid plan, billing identifiers issued by our payment processor (Stripe). We do not store full card numbers on our servers.
3. Purposes and Legal Basis (Art. 6 GDPR)
We process your personal data for the following purposes and on the following legal bases:
- Provision of the service (account creation, analysis, dashboard, history) — performance of a contract (Art. 6.1.b GDPR).
- Billing and subscription management — performance of a contract and compliance with tax obligations (Art. 6.1.b and 6.1.c GDPR).
- Account security, fraud prevention, abuse mitigation and rate limiting — legitimate interest in protecting the service and its users (Art. 6.1.f GDPR).
- Service-related transactional emails (verification, password reset, security alerts) — performance of a contract (Art. 6.1.b GDPR).
- Improvement of detection algorithms using aggregated and de-identified data — legitimate interest (Art. 6.1.f GDPR).
- Compliance with legal obligations when required by law — legal obligation (Art. 6.1.c GDPR).
4. Recipients and Data Processors
We do not sell your personal data. We share data only with the following categories of recipients, all of which act as data processors under Art. 28 GDPR and are bound by appropriate contractual safeguards:
- Cloud hosting: DigitalOcean (EU region) — server infrastructure.
- Transactional email delivery: Resend — sending verification, password reset and simulation emails.
- Payment processing: Stripe — billing for paid subscriptions.
- Domain and DNS: Name.com — domain registration and DNS records.
AI inference (the heuristic engine, the Random Forest ML model, the BERT classifier and the LLM served locally through Ollama) runs on our own infrastructure. We do not send your analysis content to third-party AI providers such as OpenAI, Anthropic, Google or Microsoft.
5. International Data Transfers
Our infrastructure is located within the European Economic Area (EEA). Some of our processors (e.g., Stripe, Resend) may process data outside the EEA. In such cases, we rely on the appropriate safeguards established by Art. 46 GDPR, including the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, adequacy decisions under Art. 45 GDPR.
6. Retention Periods
We retain personal data only for as long as necessary for the purposes described:
- Account data: for the duration of the contract; deleted within 30 days of account closure (except where retention is required by law).
- Analysis history: according to your subscription plan; you may delete individual analyses at any time from your dashboard.
- Phishing simulation results: retained for the duration of the campaign and up to 12 months thereafter for awareness reporting, unless you delete them earlier.
- Access and security logs: up to 12 months for security and abuse-prevention purposes.
- Billing records: retained for the period required by tax and accounting law (generally 6 years in Spain).
7. Security Measures
In accordance with Art. 32 GDPR, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Password hashing with bcrypt, which generates a unique random salt for every stored hash.
- Optional two-factor authentication (TOTP).
- Stateless authentication via short-lived JSON Web Tokens (JWTs), so that a leaked token expires quickly.
- HTTPS/TLS encryption in transit (HSTS enforced).
- Security headers: Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy.
- Rate limiting and abuse detection at the API layer.
- Principle of least privilege on infrastructure access.
- Regular dependency and vulnerability scanning.
- Backups and access logs stored in encrypted form.
8. Your Rights as a Data Subject
Under the GDPR, you have the following rights with respect to your personal data:
- Right of access (Art. 15) — to obtain a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten", Art. 17) — to request deletion of your data.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — to receive your data in a structured, commonly used and machine-readable format (CSV/JSON export).
- Right to object (Art. 21) — to processing based on our legitimate interest.
- Right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you (Art. 22).
- Right to withdraw consent at any time, where processing is based on consent (Art. 7.3).
You can exercise most of these rights directly from your account settings (export, deletion). For any other request, write to privacy@delphish.app. We will respond within one month, as required by Art. 12 GDPR; for complex or numerous requests this period may be extended by up to two further months, in which case we will inform you of the extension and its reasons within the first month.
You also have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD) at www.aepd.es, or with the supervisory authority of your country of residence.
9. Automated Decision-Making
DelPhish uses automated processing (heuristic rules, machine learning and large language models) to score and classify the messages you submit. These outputs are advisory: they do not produce legal effects on you or any data subject, nor similarly significantly affect them, within the meaning of Art. 22 GDPR. A human reviewer is always able to override or disregard them.
10. Cookies and Local Storage
DelPhish uses only strictly necessary cookies and local storage required to operate the service (authentication session, language preference, CSRF protection). These do not require prior consent under Art. 22 of Spanish Law 34/2002 (LSSI-CE). We do not use advertising or third-party tracking cookies.
11. Changes to this Policy
We may update this Privacy Policy to reflect changes in our processing activities or in applicable law. The "Last updated" date at the top of this page indicates the latest revision. Material changes will be notified by email or via a prominent notice in the application before they take effect.