Privacy Policy
Provider / Controller: Wolfcore Ltd, a company registered in England and Wales (company no. 16308559), registered office at 72 Newbiggin, Malton, North Yorkshire, YO17 7JF (“Wolfcore”, “we”, “us”, “our”). Product: Phishy (the “Platform”). Contact: info@wolfcore.co.uk. ICO registration: ZB977950.
This Privacy Policy explains how Wolfcore handles personal data in connection with the Platform and our websites.
1. Our two roles
1.1 Controller. For personal data relating to our customers’ account holders, website visitors, billing contacts and prospects, Wolfcore is the controller and this Policy applies in full.
1.2 Processor. For the personal data that a customer organisation uploads to, or generates within, the Platform about its Target Recipients (as defined in the Terms & Conditions), Wolfcore acts as a processor on the customer’s documented instructions. In that case the customer is the controller, and that processing is governed by our Data Processing Agreement. Target Recipients with questions about that data should contact the relevant customer organisation; we will assist that organisation as required.
2. Personal data we collect
2.1 Account and customer data (as controller): name, work email address, organisation, role, account login credentials (stored in hashed form), and support correspondence.
2.2 Billing data (as controller): billing contact details and subscription records. Card payments are processed by our payment provider, Stripe; we do not store full payment-card numbers.
2.3 Usage and technical data (as controller): log-in records, IP address, device and browser information, and platform usage logs, used for security, troubleshooting and service improvement.
2.4 Target Recipient data (as processor, on the customer’s behalf): contact and identity details provided by the customer (name, email address, phone number and department); simulation interaction events (message opens, link clicks with IP address and timestamp, and credential-submission events). Where a Target Recipient submits a password into a simulated page, the submitted password is discarded and is not stored — we record only that a submission event occurred, together with the associated email address, IP address and timestamp. Breach-exposure indicators: we may query a third-party breach-intelligence service (XposedOrNot) using a Target Recipient’s email address to indicate whether that address appears in known data breaches, for awareness and reporting purposes. This breach-exposure lookup is an optional feature and can be disabled at the customer’s request.
3. How we use personal data and our lawful bases
3.1 As controller, we use account, billing, usage and technical data to: provide and administer the Platform (performance of a contract); secure and improve the Platform and prevent misuse (legitimate interests); process payments and meet accounting obligations (legal obligation and contract); and, where you have not opted out, send service and limited marketing communications (legitimate interests / consent, as applicable).
3.2 As processor, we process Target Recipient data only on the customer’s documented instructions to deliver the simulation, tracking, reporting and training functionality, as set out in the Data Processing Agreement.
4. Sharing and sub-processors
4.1 We do not sell personal data, and we do not allow advertisers to pay to influence what the Platform shows. We share personal data only with the service providers that help us run the Platform, under contracts that require them to protect it:
| Provider | Purpose | Location / safeguard |
|---|---|---|
| Supabase | Database and storage | AWS eu-west-1 (Ireland, EU) |
| SendGrid (Twilio) | Email delivery | US — SCCs / UK IDTA |
| Twilio | SMS delivery | US — SCCs / UK IDTA |
| Stripe | Payment processing | US/EU — SCCs / UK IDTA |
| Anthropic | AI-assisted message personalisation | US — SCCs / UK IDTA |
| XposedOrNot | Breach-exposure lookup by email | Google Cloud / Cloudflare — outside UK |
| Hetzner | Cloud hosting / infrastructure | EU (Germany) |
4.2 We may also disclose personal data where required by law, to enforce our terms, or in connection with a business reorganisation or sale (subject to confidentiality).
5. International transfers
5.1 Some of our providers are located outside the UK. Where personal data is transferred internationally, we rely on appropriate safeguards such as UK adequacy regulations, the UK International Data Transfer Agreement or Addendum, or Standard Contractual Clauses.
6. Security
6.1 We use technical and organisational measures appropriate to the risk, including: encryption of data in transit (TLS) and encryption of sensitive data at rest; access controls and the principle of least privilege; audit logging; and a design that does not store submitted simulation passwords. We engage in independent security testing of the Platform.
7. Retention and deletion
7.1 We retain account and billing data for the duration of the relationship and for as long as necessary to meet legal, accounting and regulatory obligations.
7.2 Target Recipient data and simulation results are retained on the customer’s instructions and are deleted in accordance with the Data Processing Agreement. The Platform runs an automated deletion process; once data is eligible for deletion it is removed following a short cooling-off period of 30 days.
8. Your rights
8.1 Subject to applicable law, you have rights to access, rectify, erase, restrict or object to the processing of your personal data, to data portability, and to withdraw consent where processing is based on consent.
8.2 Where we act as controller, you may exercise these rights by contacting info@wolfcore.co.uk. Where we act as processor (Target Recipient data), please contact the relevant customer organisation, which is the controller of that data.
9. Cookies
9.1 Our websites use cookies that are strictly necessary for the Platform to function and, where applicable, optional cookies subject to your consent. See our Cookie Notice at www.wolfcore.co.uk/cookie-notice for details.
10. Children
10.1 The Platform is a business-to-business service and is not directed at, or intended for use by, individuals under 18.
11. Changes to this Policy
11.1 We may update this Policy from time to time. Material changes will be notified as appropriate and the “last updated” date below will change.
12. Contact and complaints
12.1 For any privacy question, contact info@wolfcore.co.uk. If you are not satisfied, you have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk, though we would appreciate the chance to address your concern first.
← Back to the app