
Privacy Policy

Last updated: April 4, 2026

SimShield is a B2B platform. We process data on behalf of the organizations that use our service. This policy explains what data we collect, why, and how we protect it.

1. Who We Are

SimShield ("we", "us", "our") operates simshield.tech, a phishing simulation and security awareness training platform for businesses. For the purposes of data protection law, SimShield is the data controller for account-level data and a data processor for employee simulation data managed by our customers (organizations).

2. Data We Collect

2.1 Organization Administrators

When you create an account or manage SimShield, we collect:

  • Name and email address (via Google OAuth)
  • Organization name and billing contact details
  • Subscription and payment information (invoice records)
  • Usage data (campaigns created, templates used, login activity)

2.2 Employee Data (Processed on behalf of your organization)

When your organization adds employees to SimShield for training, we collect and process:

  • Employee name and email address
  • Phishing simulation interaction data (email opens, link clicks, training completions)
  • Behavioral risk scores and campaign participation history
  • Device and browser metadata at the time of interaction (IP address, user agent)

2.3 Automatically Collected Data

  • Server logs and access timestamps
  • Error and performance monitoring data

3. How We Use Your Data

We use collected data to:

  • Provide and operate the SimShield platform
  • Authenticate users and manage session security
  • Track phishing simulation results and generate analytics for your organization
  • Send campaign emails and training notifications to enrolled employees
  • Process subscription billing and send invoices
  • Respond to support requests
  • Improve the platform through aggregated, anonymized usage analysis

We do not use employee simulation data for any purpose other than providing the Service to your organization.

4. Data Sharing

We do not sell your data. We share data only with trusted third-party service providers necessary to operate the platform:

  • Resend — Email delivery (campaign emails and notifications)
  • Hetzner — Cloud infrastructure and data hosting
  • Vercel — Frontend hosting
  • Anthropic (Claude API) — AI-powered phishing template generation
  • Google — OAuth authentication

All providers are required to handle your data in compliance with applicable data protection laws and are bound by data processing agreements.

We may disclose data if required by law or to protect the rights, property, or safety of SimShield, our customers, or the public.

5. Data Retention

  • Account data is retained for the duration of your subscription plus 90 days after termination
  • Campaign and employee interaction data is retained for 12 months from the campaign end date, unless you request earlier deletion
  • You may request deletion of your organization's data at any time by contacting us

6. Security

We protect your data using:

  • TLS encryption for all data in transit
  • Bcrypt hashing for passwords; JWT with refresh token rotation for sessions
  • Multi-tenant data isolation — your organization's data is strictly separated from others
  • Role-based access controls (SUPER_ADMIN, ORG_ADMIN, EMPLOYEE)
  • Regular security reviews

7. Your Rights

As a customer or employee whose data we process, you have the right to:

  • Access the data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Object to or restrict processing of your data
  • Data portability (receive your data in a machine-readable format)

To exercise your rights, contact us at support@simshield.tech. We will respond within 30 days.

Note for employees: If you are an employee added to SimShield by your organization, please contact your organization administrator first. We will coordinate with them on any data requests relating to your employment context.

8. Cookies

SimShield uses minimal cookies for authentication session management only. We do not use tracking cookies or advertising cookies. Phishing simulation tracking links use server-side logging and do not set cookies on employee devices.

9. International Data Transfers

SimShield is operated from Nepal. Our infrastructure (Hetzner) may be hosted in the EU. If you are based in a region with specific data transfer regulations (e.g., GDPR), please contact us to discuss data processing arrangements.

10. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of significant changes via email or in-app notification. Continued use of SimShield after changes constitutes your acceptance of the updated policy.

Questions or data requests?

Contact us at support@simshield.tech

SimShield · simshield.tech