Privacy Policy

Last updated: March 2026

PhishClub is operated by Mark Matthews, based in Manchester, UK. This policy explains what data we collect, why we collect it, and what your rights are.

What data we hold

We hold the minimum data needed to run the platform:

  • Email address — used to identify your account and send transactional emails (login links, invitations, weekly summaries).
  • First name — used to personalise communications. Optional.
  • Organisation name — used to identify your team within the platform.
  • Game activity — records of link clicks and score events. This is the core data the platform generates.
  • Browser user agent — used to register trusted browsers as part of the onboarding flow. We do not store IP addresses.
  • Audit log events — admin actions within your organisation (user invites, promotions, login link sends). Kept for security and accountability.

We do not collect passwords from users who log in via magic link. Admin accounts that use password authentication have their passwords stored as a secure one-way hash — we cannot read them.

We do not collect IP addresses, location data, Active Directory groups, device identifiers, or any other personal data beyond what is listed above.

Why we hold it

The lawful basis for processing your data is contract — we need it to provide the service you have signed up for. Specifically:

  • Email addresses are needed to authenticate users and deliver the service.
  • Game activity data is the core output of the platform — without it there is no leaderboard or scoring.
  • Browser user agents are needed to maintain the session model that the platform is built around.

Who we share it with

We do not sell your data. We share it only with the third-party services needed to operate the platform:

  • Render — our hosting provider. Your data is stored on Render's infrastructure.
  • Resend — used to send transactional emails. Email addresses are passed to Resend for delivery purposes only.
  • Stripe — used to process subscription payments. We pass only what Stripe needs for billing. We do not store card details.

How long we keep it

We retain your data for as long as your account is active. If your account is cancelled or suspended and not reactivated, we will delete your organisation's data within 30 days.

You can request earlier deletion at any time — see your rights below.

Your rights

Under UK GDPR, you have the right to:

  • Access — request a copy of the data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data. We will do so within 30 days, subject to any legal obligation to retain it.
  • Restriction — ask us to limit how we use your data while a dispute is resolved.
  • Portability — request your data in a machine-readable format.
  • Objection — object to processing in certain circumstances.

To exercise any of these rights, email support@phishclub.co.uk. We will respond within 30 days.

If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

Cookies

PhishClub uses a single session cookie to keep you logged in. We do not use tracking cookies, advertising cookies, or analytics cookies.

Changes to this policy

If we make material changes to this policy, we will notify account admins by email before the changes take effect.

Questions about your data? Email us at support@phishclub.co.uk.