Plain-language summary: PhishNet processes phishing emails on behalf of MSPs. We do not sell data; we do not use end-user data for any purpose other than delivering the service; and we offer a Privacy Mode that automatically purges personally identifiable information after each case is closed. The sections below contain the full legal detail.
1. Who we are
PhishNet is a software-as-a-service platform operated in Canada. References to "PhishNet", "we", "us", or "our" in this policy refer to the PhishNet platform and its operator.
PhishNet provides automated phishing email analysis services to Managed Service Providers ("MSPs"). MSPs use PhishNet to analyse emails reported by their own clients ("End Users").
2. Data we collect and why
2.1 MSP account data
When an MSP registers for PhishNet, we collect:
- Contact name and business email address
- Company name
- Billing information (processed by our payment provider — we do not store card numbers)
- Security tool API credentials (encrypted at rest using AES-256)
- Azure Active Directory connector credentials (encrypted at rest)
2.2 Phishing email data
To perform analysis, PhishNet processes the content of emails forwarded to us by the MSP's reporting workflow. This includes:
- Email headers (sender, recipient, timestamps, routing)
- Email body (HTML and plain text)
- Attachments (scanned for indicators of compromise and indicators of attack)
- URLs extracted from the email body
- The identity of the End User who reported the email (the "reporter")
This data is processed for the sole purpose of generating a phishing analysis report for the MSP.
2.3 Azure Active Directory data
If the MSP configures an Azure AD connector, PhishNet makes live, read-only API calls to Azure AD to check employee display names for impersonation detection. No employee data is written to disk or retained — the lookup result is used within the analysis and discarded immediately afterward.
2.4 Usage and technical data
We collect standard service usage logs (analysis counts, API response times, error rates) for billing, capacity planning, and service reliability purposes. These logs do not contain email content.
3. Privacy Mode
MSPs may enable Privacy Mode in their settings. When enabled, after a case is closed PhishNet will automatically purge:
- Reporter identity (the End User's email address)
- Email body content
- Recipient data
Malicious indicators of compromise (IOCs) — sender addresses, domains, URLs — are always retained as they are required for ongoing threat intelligence and are not considered personal data.
MSPs should consult their own data processing agreements and applicable law to determine appropriate retention periods for their circumstances.
4. Threat intelligence sharing
MSPs may opt in to PhishNet's anonymous threat intelligence sharing network. When opted in:
- Confirmed malicious sender addresses and domains may be shared with other participating MSPs
- No MSP identity is ever revealed — the source of shared intelligence is always anonymous
- No End User data is ever shared — only IOCs (domains and sender addresses)
- Sharing is opt-in per tenant and can be disabled at any time
5. How we share data
PhishNet does not sell, rent, or trade personal data. We may share data with:
- AI processing: Email content is sent to our AI processing provider for analysis. Their data processing terms apply. Email data is not used to train AI models.
- Threat reputation services: URLs and domains extracted from emails may be submitted to VirusTotal and urlscan.io for reputation checking.
- Infrastructure providers: cloud infrastructure and database hosting providers. All providers operate under data processing agreements.
- Legal requirements: We will disclose data if required by applicable Canadian law or a valid legal order.
6. Data retention
Unless earlier deletion is triggered by Privacy Mode:
- Case data (email content, reporter identity): Retained for the duration of the MSP's subscription plus 30 days after termination, then deleted.
- IOCs: Retained indefinitely for threat intelligence purposes.
- Billing records: Retained for 7 years as required by Canadian tax law.
- Audit logs: Retained for 12 months.
7. Security
PhishNet implements appropriate technical and organisational measures to protect data, including:
- TLS encryption in transit for all data transfers
- AES-256 encryption at rest for API credentials and sensitive configuration
- SSO-based authentication for technician accounts
- Signed, time-limited links for case access (48-hour expiry)
8. Your rights
MSPs and, where applicable, End Users have the following rights regarding personal data PhishNet holds:
- Access: Request a copy of all personal data we hold associated with your email address. We will provide this in plain text within 30 days of a verified request. Logged-in MSP users can retrieve their own account record immediately via the MSP portal under Settings → My Data.
- Correction: Request correction of inaccurate data by contacting us with the specific field and correct value.
- Deletion: Request deletion of personal data (subject to mandatory retention requirements such as audit logs). We will anonymise your account and queue it for hard deletion within 30 days.
- Portability: Request a machine-readable (JSON) export of all data we hold about you. Submit a Subject Access Request and specify that you want a portable export. We will provide the JSON file within 30 days.
To exercise these rights, submit a Subject Access Request to: [enable JavaScript to view email]
9. Cookies and tracking
The PhishNet marketing website (phishnet.ca) uses only essential session cookies. We do not use advertising trackers, third-party analytics, or any cross-site tracking technology.
10. Changes to this policy
We may update this policy from time to time. Material changes will be communicated to MSPs by email at least 30 days before they take effect. Continued use of the service after that date constitutes acceptance of the revised policy.
11. Privacy Officer
PhishNet has designated a Privacy Officer responsible for compliance with PIPEDA and BC PIPA:
- Name: Jim Sher
- Title: Privacy Officer & CEO
- Email: [enable JavaScript]
- Subject line: Privacy Inquiry or Subject Access Request
We will acknowledge your inquiry within 5 business days and respond fully within 30 days.
12. Data Retention
We retain personal information only as long as necessary:
- Inbound emails: deleted 30 days after receipt
- Case records: deleted 12 months after creation
- User accounts: deleted within 30 days of account termination
- Audit logs: retained for 24 months as required by law
- Threat intelligence (malicious sender addresses and domains): retained indefinitely in their original form. Confirmed malicious actors are kept so that every MSP on the platform immediately benefits from existing known-bad intelligence, including MSPs who join after the initial detection.
- Email body content: a non-reversible cryptographic hash of the email body (excluding any personalised salutation containing a recipient name) is retained indefinitely for duplicate detection. The original body content is deleted after 30 days. The hash cannot be used to reconstruct the original email.
Email content is processed to generate a non-reversible cryptographic hash for future duplicate detection. The original content is not retained beyond 30 days.
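As an added illustration (not PhishNet's own code) of the duplicate-detection hash described above: the personalised salutation line is stripped and whitespace is normalised before hashing, so the same lure sent to different recipients yields one fingerprint. The salutation pattern, the normalisation rules and the choice of SHA-256 are assumptions.

```python
# Illustrative example, not PhishNet's implementation: hash an email body for
# duplicate detection while excluding a personalised salutation.
import hashlib
import re

# Assumed salutation shape: a leading line such as "Hi Alice," or "Dear Bob Smith:".
SALUTATION_RE = re.compile(
    r"^\s*(hi|hello|dear|hey|greetings)\b[^\n]*\n", re.IGNORECASE
)


def normalise_body(body: str) -> str:
    """Strip the salutation line and collapse whitespace so that copies of the
    same lure sent to different recipients compare equal."""
    body = body.replace("\r\n", "\n")
    body = SALUTATION_RE.sub("", body, count=1)
    # Collapse whitespace runs so line-wrapping differences do not change the hash.
    return re.sub(r"\s+", " ", body).strip().lower()


def body_fingerprint(body: str) -> str:
    """Return a non-reversible SHA-256 hex digest of the normalised body.
    The digest identifies a lure; it cannot be inverted to recover the text."""
    return hashlib.sha256(normalise_body(body).encode("utf-8")).hexdigest()


def is_duplicate(body: str, known_fingerprints: set) -> bool:
    """True when this body matches a previously seen fingerprint."""
    return body_fingerprint(body) in known_fingerprints


# Constructed sample lures: A and B are one campaign sent to two recipients,
# C is a different lure sent to the same recipient as A.
LURE_A = "Hi Alice,\n\nYour mailbox is full. Click here to keep receiving mail.\n"
LURE_B = "Dear Bob Smith:\r\n\r\nYour mailbox is full. Click here to keep receiving mail.\r\n"
LURE_C = "Hi Alice,\n\nYour invoice is attached. Please review and pay today.\n"

if __name__ == "__main__":
    seen = {body_fingerprint(LURE_A)}
    print("B duplicates A:", is_duplicate(LURE_B, seen))  # True
    print("C duplicates A:", is_duplicate(LURE_C, seen))  # False
```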
13. Subject Access and Deletion Requests
You have the right to request access to, correction of, or deletion of your personal information held by PhishNet. To submit a request, email [enable JavaScript] with the subject line "Subject Access Request". We will verify your identity and respond within 30 days.
14. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated to MSPs by email at least 30 days before they take effect. Continued use of the service after that date constitutes acceptance of the revised policy. The current version and effective date are always shown at the top of this page.
© 2026 PhishNet. Built in Canada.