Privacy Policy

Last updated: 4/5/2024

PhishingBox, LLC and its co-branded Affiliates (together, "PhishingBox," "we," "our," or "us") care about your privacy. Thank you for taking the time to read our privacy policy ("Privacy Policy"). This Privacy Policy covers all Personal Information processed by our websites and our services (collectively, the "Service"). Our Service enables our Clients to, among other things, send and manage security awareness training campaigns to include simulated phishing emails and assign training courses. If our privacy practices for certain services differ from those explained in this Privacy Policy, we will let you know at the time we ask for or collect your information.

1. BASIC INFORMATION

In this Privacy Policy, these terms have the following meanings:

• "Affiliate" means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
• "Target" is a person a Client may target through our Service. In other words, a Target is anyone on a Client's Campaign List about whom a Client has given us information or is anyone who has otherwise interacted with a Client via the Service.
• "Control" means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term "Controlled" shall be construed accordingly.
• "Campaign List" is a list of Targets a Client may upload or manage on our platform and all associated information related to those Targets (for example, email addresses).
• "Client" means any person or entity that is registered with us to use the Service.
• "Personal Information" means any information that's about an individual. Examples of Personal Information include, but are not limited to, first and last name, date of birth, email address, gender, occupation, or anything else that tells someone something about that individual. Personal Information also refers to “personal data” or “personally identifiable information” as such terms may be used in applicable data protection laws.
• "Visitor" means, depending on the context, any person who visits any of our websites, offices, or otherwise engages with us at our events or in connection with our marketing or recruitment activities.
• "you" and "your" means, depending on the context, either a Client, a Target, or a Visitor.

2. INFORMATION WE COLLECT

Through our interactions, we may collect different kinds of Personal Information about you, which we have grouped together as follows:

• Information You Provide Us
• Personal Identification Dataincludes your first name and last name, email address, your billing address, phone number, your home country, Internet Protocol (IP) address, and interests, or similar identifiers.
• Transaction Dataincludes your payment and transaction information such as your credit/debit card number, your first and last name, and billing address.
• Employment Related Dataincludes information about your Target, your business, and your title at your business.
• Communication Dataincludes your discussion with our customer support, other communications you send us, your feedback that you communicate to us via email or social media, and your contact preferences.
• Account Dataincludes your log-in credentials when you sign up for an account with us.
• Marketing Dataincludes names, mailing addresses, and email addresses.

• Information Automatically Collected by Technology

In addition to the information you provide us, we may automatically collect certain information about your equipment, software, and browser to provide you with an efficient and personalized experience. This includes:

• Device Datawhich includes the device's hardware information, operating system, platform information, browser type, language information, viewfinder size, and browser plugin types.
• Website Usage Datawhich includes information about how you use our Service, which may include the dates and times you access the Service and your browsing activities (such as what portions of the Service you used, session duration, links clicked, non-sensitive text entered, and mouse movements).
• Service Performance Datawhich includes metrics related to the deliverability of emails and other communications you send through the Service.

• Information Collected from Third Parties

We may collect personal or anonymized information about you from third party companies that provide products and services that are used together with our Service, public databases, and our joint marketing partners. For example, we may collect information from social networking sites, such as Facebook, including your name, your social network username, location, gender, birth date, email address, profile picture, and public data for contacts, if you connect with PhishingBox accounts on such social networks.

If you are a Target, we may collect personal or anonymized information about you from one of our Clients. PhishingBox may receive Campaign Lists from Clients when Clients upload the Campaign Lists to the Service or integrates the Service with another website or, when a Target contracts for services from a Client, the Client may provide us with certain Target information or other Personal Information about the Target such as name, email address, address, or telephone number. PhishingBox is not responsible for the privacy or security practices of our Clients, which may differ from those set forth in this Privacy Policy. Please check with individual Clients about the policies they have in place.

• Aggregated Data

We may also collect, use and share aggregated data such as statistical or demographic data for any purpose ("Aggregated Data"). Aggregated Data could be derived from your Personal Information, but Aggregated Data is not considered Personal Information, as this data will not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing our websites and Services. However, if we combine or connect Aggregated Data with your Personal Information so that it can directly or indirectly identify you, we treat the combined data as Personal Information which will be used in accordance with this Privacy Policy.

We do not collect any special categories of sensitive Personal Information about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, genetic and biometric data, and precise geolocation data). Nor do we collect any information about criminal convictions and offenses.

3. REASON FOR PROCESSING YOUR PERSONAL INFORMATION

Your Personal Information is used by us for the purpose it was collected, such as responding to your inquiry or completing your transaction for our Service. In some cases, Personal Information is required to perform certain functions. You voluntarily decide if you want to provide us with your information. You may be asked to provide your Personal Information to:

• To bill and collect money owed to us by you to perform our contract with you for the use of the Service or where we have not entered into a contract with you, in accordance with our legitimate interests to operate and administer our Service. This includes sending you emails, invoices, receipts, notices of delinquency, and alerting you if we need a different credit card number. We use third parties for secure credit card transaction processing, and those third parties collect billing information to process your orders and credit card payments. To learn more about the steps we take to safeguard that data, see the Data Security section of this Privacy Policy.

• To send you system alert messages in reliance on our legitimate interests in administering the Service and providing certain features. For example, we may inform you about temporary or permanent changes to our Service, such as planned outages, or send you account, security or compliance notifications, such as new features, version updates, releases, abuse warnings, and changes to this Privacy Policy.
• To communicate with you about your account and provide customer support to perform our contract with you for the use of the Service or where we have not entered into a contract with you, in reliance on our legitimate interests in administering and supporting our Service.
• To enforce compliance with our Terms of Use and applicable law, and to protect the rights and safety of our Clients in reliance on our legitimate interest to protect against misuse or abuse of our Service and to pursue remedies available. This may include developing tools and algorithms that help us prevent violations. For example, sometimes we review the content our Clients send or display to ensure it complies with our Terms of Use. To improve that process, we have software that helps us find content that may violate our Terms of Use. We may or our third-party service provider may also review content that our Clients send or display. This benefits all Clients who comply with our Terms of Use because it reduces abuse and helps us maintain a reliable platform. Do not use PhishingBox to send or display confidential information.
• To provide, support and improve the Service to perform our contract with you for the use of the Service or where we have not entered into a contract with you, in reliance on our legitimate interests in administering and improving the Service and providing certain features. For example, this may include improving the navigation and content of the Service and sharing your information with third parties in order to provide and support our Service or to make certain features of the Service available to you. When we share your Personal Information with third parties, we take steps to protect your information in a manner that is consistent with our obligations under applicable privacy laws.
• To provide suggestions to you and to provide tailored features within our Service that optimize and personalize your experience in reliance on our legitimate interests in administering the Service and providing certain features.
• To personalize the Service, content and advertisements we serve to you in reliance on our legitimate interests in providing certain features within the Service. We may use your Personal Information to serve you specifically, such as to deliver marketing information, product recommendations and non-transactional communications (e.g., email or push notifications) about us, in accordance with your marketing preferences and this Privacy Policy.

• To plan and manage our contractual relationships with our vendors and Clients.
• To facilitate research and perform analysis into the use and performance of the Service.
• To provide customer support.
• To offer voluntary entry to our surveys, contests, sweepstakes, or other promotions on the Service or through social media.
• To detect, prevent, and address technical issues and gather analysis or valuable information enabling us to monitor the usage of our websites.
• To address legal issues, including (i) complying with our obligations to retain certain business records; (ii) establishing, exercising, or defending legal claims; (iii) complying with laws, regulations, court orders, or other legal processes; (iv) detecting and preventing fraud or intellectual property infringement claims, violations of our contracts or agreements, violations of law, or other misuses of our websites or Services; and (v) protecting our rights or property, or yours or others' health, safety, welfare, rights, or property.
• To allow you to exercise your data privacy rights.

In addition, we may process your personal data for the following reasons:

• To carry out our obligations and enforce our rights.
• In any other way we may describe when you provide the information.
• For any other purpose with your express consent.

We may use information that is not Personal Information for any purpose. For example, we may aggregate usage data from many people in a way that does not identify any individuals to calculate the percentage of users accessing a feature on our website. Such aggregated or anonymized data will not identify you or be traced back to your Personal Information.

4. HOW WE COLLECT YOUR PERSONAL INFORMATION

We use different methods and sources to collect information from and about you including through:

• Direct Interactions

You may give us information about you by interacting with our website, by communicating with us via email or contact us page, or by interacting with us over social media.

• Third Party or Publicly Available Sources

We may receive information about you from third parties. The information we receive includes analytics information for improvement of our website and Services.

• Technical and Communication Data from the Following Parties

We may collect information from third party providers such as X (formerly Twitter), Facebook, and Google Analytics. The information we may collect includes your feedback about our Services on our Twitter account, Facebook page, and LinkedIn.

5. DISCLOSURE OF YOUR PERSONAL INFORMATION

We may disclose your contact information, communication information, usage information, and information from surveys to the following third parties:

• Our Corporate Affiliates

Our Affiliates and subsidiaries will use your information in a manner consistent with this Privacy Policy and applicable data privacy laws.

• Advertising Partners

We may partner with third-party advertising networks, exchanges, and social media platforms (like Facebook) to display advertising on the Service or to manage and serve our advertising on other sites, and we may share Personal Information of Clients and Visitors with them for this purpose. Any partners will be required to comply with applicable data privacy laws.

• Subcontractors

Any subcontractors, who may assist us to operate or perform the Service, are required to collect, use, retain, or process information in compliance with applicable data privacy laws.

• Regulatory Entities

We will disclose your information if we have a good faith belief that the disclosure is necessary to comply with any applicable law or legal process, to prevent fraud or imminent harm, to ensure the security of the websites, and to protect PhishingBox rights.

• Third Parties for Mergers

We may disclose your information in connection with mergers and reorganization. In such cases, we will take appropriate steps to protect your information.

We may also share your Personal Information with your consent or at your express request. We may share anonymized or Aggregated Data internally and with third parties for any purpose. Such information will not identify you individually.

We do not, under any circumstances, sell your Campaign Lists. If someone on your Campaign List complains or contacts us, we might then contact that person.

6. COOKIES AND AUTOMATIC DATA COLLECTION TECHNOLOGIES

Our website may use automatic data collection technologies to distinguish you from other website users. This helps us deliver a better and more personalized experience when you browse our website. It also allows us to improve our website by enabling us to:

• Estimate our audience size and usage patterns.
• Store your preferences, so we may customize our website according to your individual interests.
• Recognize you when you return to our website.

The technologies we use for this automatic data collection may include:

• Cookies (or browser cookies). A cookie is a small file placed on the hard drive of your computer.
• Flash Cookies. Certain features of our website may use Flash cookies (local stored objects) instead of browser cookies to collect and store information about your preferences and navigation to, from, and on the website.
• Web Beacons, Pixel Tags, Clear Gifs. Our website pages and emails may contain small transparent embedded images or objects known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us, for example, to count website page Visitors or email readers, or to compile other similar statistics such as recording website content popularity or verifying system and server integrity. For example, we use web beacons in the emails we send on your behalf, which enable us to track certain behavior, such as whether the email sent through the Service was delivered and opened and whether links within the email were clicked. Web beacons allow us to collect information such as the recipient's IP address, browser, email Client type and other similar data as further described above details. We use this information to measure the performance of your campaigns, to provide analytics information, enhance the effectiveness of our Service, and for other purposes described above.

You can block the collection and use of information related to you by advertising companies for the purpose of serving interest-based advertising by visiting the following platforms of self-regulatory programs of which those companies are members:

• The NAI's opt-out platform is available here.
• The DAA's opt-out platform is available here.

For more information about our use of cookies and other tracking technologies, please refer to our Cookie Policy.

7. THIRD PARTY LINKS

Our Service includes links to other websites whose privacy policies may differ from this Privacy Policy. If you submit Personal Information to any of those sites, such information is subject to third party privacy statements. We strongly encourage you to carefully read the privacy statement of any website you visit.

8. RETENTION

We will retain your Personal Information as reasonably necessary for the disclosed purpose. The retention periods for each category of Personal Information vary depending on compliance with relevant laws, your request for deletion, and our retention policies. For example, we may need to retrain your Personal Information to comply with our legal or reporting obligations in accordance with the laws or to defend against claims or for internal analysis purposes (such analysis purposes are generally subject to shorter retention periods, whenever possible). Consequently, it is not possible for us to provide a definitive length of time. Our retention periods are determined by using and balancing the following criteria:

• The volume, nature, and sensitivity of your information;
• The potential risk of unauthorized access, use or disclosure, or misappropriation;
• The purposes for which we process your Personal Information; and
• The retention obligations under applicable legal requirements.

9. CHILDREN

Our Service is not intended for children under 13 years of age. We will not knowingly solicit or collect Personal Information from children under 13, or the relevant minimum age under applicable local legal requirements, except as permitted under applicable law. If we learn that we have received information directly from a child under 13 without his or her parent's or legal guardian's consent, we will make commercially reasonable efforts to delete such information.

10. YOUR RIGHTS AND CHOICES

Your rights may vary depending on where you are located. We have created mechanisms to provide you with the following control over your information.

• Accessing, Updating, and Deleting your Information

You can contact us as set forth in the Contact Us section below to request access to, correction of, or deletion of Personal Information that you have provided to us. We may also ask you to verify your identity before we respond to your request. Depending on your request, we may not accommodate your request to change information if we believe the change would violate any law or legal requirement or negatively affect the information's accuracy.

• Cookies and Automatic Data Collection Technologies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. However, if you disable or refuse cookies, please note that some parts of these websites may become inaccessible or not function properly.

• EU-UK Residents

If you are in the European Economic Area, United Kingdom, or are otherwise subject to the General Data Protection Regulation, then this section of our Privacy Policy applies to you.

• Data Controller

The data controller of such processing is PhishingBox, LLC.

• Additional information about data we collect about you

We do not collect any special categories of Personal Information about you, including details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data. We also do not collect any information about criminal convictions and offenses.

• Lawful basis

We will only use your Personal Information when the law allows us to. Most commonly, we will use your Personal Information in the following circumstances:

• Where we need to perform the contract we are about to enter into or have entered into with you.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests, potentially including uses such as determining the internal analytics of the Service.
• Where we need to comply with a legal obligation.

Generally, we do not rely on consent as a legal basis for processing your Personal Information, although we will get your consent before sending third party direct marketing communications to you. You have the right to withdraw consent to marketing at any time by contacting us.

• Your data subject rights

Data subjects have the right, at any time, to request access to, rectification, or erasure of their Personal Information or restriction or objection to processing, as well as the right to data portability, or to withdraw the consent given by addressing a written communication to PhishingBox, LLC, Attn: Privacy Officer, 400 East Vine Street, Suite 301, Lexington, KY 40507 or by sending an email to privacy@phishingbox.com. We reserve the right to verify the truthfulness of Personal Information provided at any time. We do not use any type of automated process for profiling purposes.

• Data retention

We will only retain your Personal Information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements. We may retain your Personal Information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for Personal Information, we consider the amount, nature, and sensitivity of the Personal Information, the potential risk of harm from unauthorized use or disclosure of your Personal Information, the purposes for which we process your Personal Information, and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements. In any event, we do not intend to hold the data for more than five years.

• Data protection authority

You have the right to complain to a data protection authority about the collection and use of Personal Information. For more information, please contact your local data protection authority. Contact information for data protection authorities in the EEA and UK are available here.

• International Transfers
• We operate in the United States. Our primary servers and offices are located in the United States, so your information may be transferred to, stored, or processed in the United States. While the data protection, privacy, and other laws of the United States might not be as comprehensive as those in your country, we take many steps to protect your privacy. PhishingBox agrees to abide by and process data for EU and UK data subjects in compliance with the SCCs in the form set out in Annex C of our SCC document. You can request a copy of PhishingBox's SCC document by emailing  privacy@phishingbox.com.

• For Clients located in Switzerland, United Kingdom, and the EEA, PhishingBox shall process any Personal Information in compliance with the SCCs or any applicable Alternative Transfer Mechanism implemented in accordance with the SCCs, and servers for such processing are located in the EEA. Clients can request our SCC document by emailing  privacy@phishingbox.com.

• California Residents

This Privacy Notice for California Residents applies solely to all Visitors, users, and others who reside in the State of California (“ consumer” or “ you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020 (collectively, the “ CCPA”), and any terms defined in the CCPA have the same meaning when used in this notice.

This notice does not apply to employment-related information of California-based employees, job applicants, contractors, or similar individuals.

• Information we collect

The information we collect and have collected about California residents in the last 12 months is described in What information we collect above. That information corresponds with the following categories of Personal Information under the CCPA:

Category	Examples	Collected
A. Identifiers:	A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other contact information.	YES
B. Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).	A name, address, telephone number, credit card number, or debit card number. Some Personal Information included in this category may overlap with other categories.	YES
C. Protected classification characteristics under California or federal law.	Race, ethnicity, religious or philosophical beliefs, age, or sex (including gender).	NO
D. Commercial information.	Records products, services or Services purchased, obtained, or other purchasing or consuming histories or tendencies.	YES
E. Biometric information.	Genetic, physiological, behavioral, and biological characteristics or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.	NO
F. Internet or other similar network activity.	Browsing history, search history, information on a consumer's interaction with a website, operating system and web browser information.	YES
G. Geolocation data.	Physical location or movements, such as from user IP addresses.	YES
H. Sensory data.	Audio, electronic, visual, thermal, olfactory, or similar information.	YES
I. Professional or employment-related information.	Current job history or job title.	YES
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).	Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.	NO
K. Inferences drawn from other Personal Information.	Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	NO
L. Sensitive Personal Information	Social security numbers, driver's license, state Identification card, passport number, financial account login in combination with security or access code, password, or credentials, precise geolocation.	NO

• Use of Personal Information

In the last 12 months, we have used your Personal Information for the business and commercial purposes described in the Reason for Processing your Personal Information section above.

• Disclosure of Personal Information

The business and commercial purposes that we have disclosed your Personal Information in the last 12 months are described above in the Disclosure of your Personal Information section. More specific information on that sharing is as follows:

Disclosing your Personal Information for business purposes. We have disclosed the following categories of Personal Information with our service providers and public or government (including enforcement) authorities for our business purposes:

• Category A: Identifiers
• Category B: California Customer Records Personal Information categories
• Category D: Commercial information
• Category F: Internet or other similar network activity
• Category G: Geolocation data
• Category H: Sensory Data
• Category I: Professional or employment-related information

As described above, examples of business purposes include performing transactions, registering accounts, managing our relationship with you, troubleshooting and general maintenance, and monitoring for security threats and fraud.

Disclosing your Personal Information for commercial or other purposes: We have shared the following categories of your Personal Information with business partners, co-sponsors, event organizers and other third parties in a manner that is likely to be considered to be a “sale” or “sharing” under the CCPA:

• Category A: Identifiers
• Category B: California Customer Records Personal Information categories
• Category D: Commercial information
• Category F: Internet or other similar network activity
• Category G: Geolocation data
• Category H: Sensory Data
• Category I: Professional or employment-related information

As described above, this information may be disclosed for personalization, analytics, marketing, retargeting, and sales. We do not knowingly sell or share Personal Information of consumers who are less than 16 years of age.

• Your right to know

You have the right to request that we disclose certain information to you about our collection, use, disclosure, and sale/sharing of your Personal Information over the past 12 months. Once we verify your request, we will disclose to you:

• The categories of Personal Information we collected about you.
• The categories of sources for the Personal Information we collected about you.
• Our business or commercial purpose for collecting or selling/sharing that Personal Information.
• The categories of third parties with whom we disclose that Personal Information.
• If we sold/shared or disclosed your Personal Information for a business purpose, two separate lists disclosing: sales/sharing, identifying the Personal Information categories that each category of recipient purchased; and disclosures for a business purpose, identifying the Personal Information categories that each category of recipient obtained.

• Your right to obtain a copy of your Personal Information

You have a right to obtain a copy of the specific pieces of Personal Information we collected about you (also called a data portability request). Once we verify your request, we will provide you a copy of your Personal Information that is responsive to your request.

• Your right to delete your Personal Information

You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we verify your request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.

• Your right to correct your Personal Information

If you think some of the Personal Information we have about you is incorrect, you have the right to request that we correct the Personal Information in compliance with applicable data protection law.

• Your right to opt-out of sale/sharing of your information

We do not sell our email lists or other Personal Information we collect about you for money. However, we may share information with third parties in a way that is considered a “sale” under the CCPA. Where that is the case, we will comply with California “Do Not Sell/Share” requirements.

• How to exercise your CCPA rights

To exercise your general right to know, your right to obtain a copy of your information, or your right to delete your information contact us by completing our webform   to log your request. Alternatively, you can call us at 877-634-6847.

You may also opt out by broadcasting an Opt-Out Preference Signal, such as the Global Privacy Control (GPC) on the browsers and/or browser extensions that support such a signal.

• How we verify requests and respond to requests

Before fulfilling your request, we take steps to verify you are who you say you are or that you have authority to act upon someone else's behalf. Therefore, upon receipt of your request, we will request additional information that we need to verify you and, if you are submitting a request on behalf of someone else, to verify that you are permitted to act on that person's behalf.

When we contact you to request verification information, please respond and provide the information that we have requested. Depending on the nature of the request you make, we may require you to verify your identity to either a reasonable degree of certainty or high degree of certainty. This may mean that we need to match two or three pieces of information that we hold about you with information that you provide to us. In some cases, we may require you to sign a declaration under penalty of perjury that you are the consumer whose Personal Information is the subject of the request or that you are authorized to make the request on behalf of someone else.

In addition to providing the information we need to verify you or your authority, you must provide us with enough information so that we can understand, evaluate, and respond to your request. We cannot respond to your request or provide you with Personal Information if we cannot confirm the Personal Information relates to you.

We will only use Personal Information provided in a verifiable consumer request to verify your identity or authority to make the request and to locate relevant information. We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and to understand, evaluate, and respond to your request.

We cannot delete Personal Information in those situations where our retention is required for our own internal business purposes or otherwise permitted by the CCPA (such as fraud prevention or legal compliance). In these situations, we will retain your information in accordance with our records retention program and securely delete it at the end of the retention period.

• Who may submit requests?

Only you, or someone legally authorized to act on your behalf, may make a request related to your Personal Information. You may also make request on behalf of your minor child. To designate an authorized agent, you must provide the authorized agent with signed permission to make the request. If your authorized agent is a business entity, then the authorized agent must be registered with the California Secretary of State to conduct business in California. We may deny a request from an authorized agent that does not submit proof that it has been authorized to submit a request on your behalf. Further, before responding to a request from an authorized agent, we will still require you to (1) verify that you have provided the authorized agent permission to submit the request on your behalf; and (2) verify your identity directly with us.

• How often you can submit requests?

You may make a CCPA consumer request twice within a 12-month period.

• Response timing and format

We make every attempt to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time, we will inform you of the reason and extension period in writing.

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. When you request a copy of your Personal Information, we will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity easily.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

• Non-discrimination

We will not discriminate against you for exercising any of your CCPA rights. You have a right not to receive discriminatory treatment by us for exercising your privacy rights.

• Other California privacy rights

California's “Shine the Light” law (Civil Code Section § 1798.83) permits users of our website that are California residents to request certain information regarding our disclosure of Personal Information to third parties for their direct marketing purposes. To request such information, call us at 877-634-6847 or email us at privacy@phishingbox.com.

• Nevada Residents

Nevada residents have the right to opt out of the sale of certain “covered information” collected by operators of websites or online services. We currently do not sell covered information, as “sale” is defined by such law, and we do not have plans to sell this information.

• Other Resident Consumer Rights

To exercise any other state-specific or country-specific consumer rights and for the specific details of the rights and the process for submitting consumer rights requests, please submit your consumer request to us at privacy@phishingbox.com and write "Request for Privacy Data" as the subject of the message and note your state or country of residence or call us at 877-634-6847. We will not discriminate against consumers who exercise their consumer rights.

11. DATA SECURITY

The security of your Personal Information is very important to us. We use physical, electronic, and administrative safeguards designed to protect your Personal Information from loss, misuse and unauthorized access, use, alteration, or disclosure. We will only retain your Personal Information for as long as reasonably necessary to fulfill the purpose of collecting it.

We also require our service providers and business partners to whom we disclose the information to do the same. When you use certain types of information, for example, when you provide us with your credit card or debit card information on our website, we will encrypt the transmission of that information using industry standard secure socket layer technology (SSL). We will continue to improve our physical, electronic, and administrative safeguards. However, the Internet environment is not 100% secure, and we cannot guarantee that information we collect will never be accessed in an unauthorized way. You may request additional information about our certification by writing to privacy@phishingbox.com with the subject line, "Security Inquiry."

12. CHANGES TO THIS PRIVACY POLICY

Changes to this Privacy Policy will be posted on this site, along with information on any material changes. PhishingBox reserves the right to update or modify this Privacy Policy at any time and without prior notice.

13. CONTACT US

If you have any questions about this Privacy Policy or our use of your Personal Information, please contact us:

• By mail:

PhishingBox, LLC

Attn: Privacy Officer

400 East Vine Street, Suite 301

Lexington, KY 40507

• By email: privacy@phishingbox.com
• By phone: 877-634-6847
• By webform:

0148746.0757355 4863-4663-1333v3