Legal

Privacy Policy

How GetPhishCheck collects, uses, stores, and protects your information. Written in plain language. Aligned with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

Last updated: January 2026  ·  Effective date: January 2026

1. Who we are

GetPhishCheck ("we", "us", "our") is a Canadian cybersecurity service that analyzes suspicious email submissions and delivers expert verdicts to businesses. Our service is operated from Canada, and all infrastructure used to process your submissions is hosted in Canada (AWS ca-central-1 region, Montréal).

This policy explains what information we collect when you use getphishcheck.com, our analysis service, or contact us directly — and what we do with it.

2. What we collect

Information you provide directly

  • Contact information: your email address, and optionally your name, company, and a brief description of the email you're submitting.
  • Email submissions: the .eml or .msg file you upload for analysis. These files contain message headers, body text, and any attachments present in the original email.
  • Payment information: if you purchase an analysis, payment is processed by Stripe. We never see or store your card details — we only receive a transaction reference.
  • Support communications: messages you send to us by email or through our contact form.

Information collected automatically

  • Technical data: your IP address, browser type, device type, and referring URL, logged by our infrastructure for security and anti-abuse purposes.
  • Usage data: basic, privacy-respecting analytics about which pages are visited (no cross-site tracking, no advertising cookies).

Automatic PII redaction

Before any analyst reviews your submission, our pipeline automatically redacts common sensitive data patterns — credit card numbers, social insurance numbers, phone numbers, IBAN codes, postal codes, and street addresses — and replaces them with placeholder tokens. We recommend you also avoid uploading emails that contain personal health information or other highly sensitive data where practical.

3. How we use your information

We use your information only for the purposes we describe here:

  • Delivering the service: analyzing the email you submit and emailing you a written verdict with next steps.
  • Communicating with you: responding to your inquiries, sending transactional emails (receipts, verdicts), and occasional service notices.
  • Service improvement: identifying common phishing patterns in aggregate, in a form that does not identify you or your organization.
  • Legal & security obligations: detecting and preventing fraud, abuse, and unauthorized access; complying with applicable Canadian law.

We do not sell your data. We do not share it with advertisers. We do not use it to train third-party AI models.

4. Data residency

All customer-submitted email files and associated metadata are stored exclusively on AWS infrastructure in the ca-central-1 region (Montréal, Canada). Our application servers, object storage, and logs all reside in Canada.

Limited exceptions apply to specific integrations that are essential to operating the service:

  • Payment processing (Stripe): may involve processing outside Canada in accordance with Stripe's own global infrastructure and PIPEDA-aligned safeguards.
  • Transactional email delivery: the mail server sending your verdict email may route messages through providers with global infrastructure.

Where data transits outside Canada for these operational reasons, it remains protected by contractual safeguards and the receiving party's own compliance program.

5. Retention & deletion

  • Email submission files: retained for up to 90 days after verdict delivery, then automatically and permanently deleted. Files uploaded but never paid for are purged within 24 hours.
  • Verdict reports: retained for up to 12 months so you can request copies if needed.
  • Account / contact data: retained for as long as you remain a customer, plus up to 7 years where required for tax and accounting purposes.
  • Security logs: retained up to 13 months for incident investigation.

You can request earlier deletion at any time — see Your rights below.

6. Sharing & processors

We use a small number of trusted service providers ("processors") to operate the service. Each is bound by contract to protect your data and use it only on our instructions:

  • Amazon Web Services (AWS): infrastructure hosting, in the Canada Central region.
  • Stripe: payment processing.
  • Transactional email provider: delivering receipts and verdicts.

We will disclose information to law enforcement only when compelled by a valid Canadian legal process (e.g., a court order or production order), and only to the extent required. Where permitted, we will notify you before disclosure.

7. Security

We protect your information with a layered approach:

  • Encryption in transit: TLS 1.2+ across all endpoints.
  • Encryption at rest: AES-256 on all stored objects and databases.
  • Access controls: least-privilege IAM, MFA for administrative access, audit logging.
  • PII redaction: automated pre-processing before any human review.
  • Short-lived presigned URLs: direct-to-storage upload links expire within minutes.

No system is perfectly secure. If a vulnerability ever affects your data, we will notify you as described in Breach notification.

8. Your rights

Under PIPEDA, and in addition to our own commitments, you have the right to:

  • Access: request a copy of the personal information we hold about you.
  • Correction: ask us to correct inaccurate information.
  • Deletion: request deletion of your personal information, subject to legal retention requirements.
  • Withdraw consent: withdraw your consent to our processing at any time (this may prevent us from delivering the service).
  • Complain: file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.

To exercise any of these rights, email support@getphishcheck.com from the address associated with your submission. We will respond within 30 days.

9. Cookies & tracking

We use a minimal set of first-party cookies strictly necessary to operate the website (for example, a CSRF token during form submission). We do not use third-party advertising cookies, cross-site trackers, or social media pixels.

Fonts are served from Google Fonts, which may log basic request information on Google's servers. You can disable web fonts in your browser if you prefer.

10. Breach notification

If a breach of security safeguards creates a real risk of significant harm to you, we will notify you without undue delay, and report to the Office of the Privacy Commissioner of Canada as required by PIPEDA. Notification will include what happened, what information was involved, and what steps we have taken and recommend you take.

11. Changes to this policy

We may update this policy from time to time. Material changes will be announced on this page with an updated "Last updated" date. For significant changes affecting existing submissions, we will also email registered customers where feasible.

12. Contact us

Privacy questions or requests

Email: support@getphishcheck.com

Subject line: "Privacy Request"

We acknowledge requests within 5 business days and respond substantively within 30 days.

This policy is provided in English. A French version is available on request.