Privacy Policy
Last updated: June 2026
1. Who We Are
PhishStats ("we", "us", or "our") operates the website at phishstats.info and related services, including the PhishStats API. This Privacy Policy explains how we collect, use, and protect personal data when you use the Service.
If PhishStats is incorporated, acquired, or assigns the Service to another legal entity, this policy will continue to apply. We will notify you of any change in data controller or contracting party through the website or the email address associated with your account, and we will publish updated contact details on this page when a registered business address becomes available.
For privacy requests, PhishStats is the data controller. Contact: [email protected]
2. Data We Collect
Account data
When you create an account, we collect information through our authentication provider (Supabase), which may include your email address and, if you sign in with Google or GitHub, profile information such as your name and avatar URL provided by that provider.
Usage and technical data
When you use the Service, we may collect your IP address, browser or client type, request timestamps, API usage counts, rate-limit counters, and security or audit log entries. This data helps us operate the Service, enforce tier quotas, and detect abuse.
User content
If you use account features, we may store data you provide, including:
- Phishing URL submissions and optional notes
- False-positive reports
- Saved collection items
- API key metadata (keys themselves are stored in hashed form; the secret is shown only once at creation)
- Monitoring rule configurations and webhook destination URLs
Analytics
We use self-hosted Plausible Analytics on analytics.phishstats.info to understand how the website is used. Plausible is designed to be privacy-friendly and does not use third-party advertising cookies. We may record aggregated page views and custom events (such as search actions or sign-in attempts) without building individual advertising profiles.
Session storage
When you sign in, our authentication provider stores session information in your browser (for example, in local storage) so you remain logged in. This is necessary for the Service to function and is not used for advertising.
Payment data (paid plans)
If you purchase a paid subscription, payment and billing information is processed by Stripe. We receive limited billing data from Stripe (such as subscription status and customer ID) but do not store full payment card numbers on our servers.
3. How We Use Data
We use personal data to:
- Provide, maintain, and improve the Service
- Authenticate you and manage your account
- Enforce usage limits, API quotas, and acceptable use policies
- Process submissions, false-positive reports, and monitoring alerts
- Detect, prevent, and respond to abuse, fraud, and security incidents
- Communicate with you about your account, support requests, or billing
- Understand aggregate usage patterns to improve the product
- Comply with legal obligations
We do not sell your personal data.
4. Legal Bases
Where applicable data-protection law requires a legal basis, we rely on one or more of the following:
- Contract — to provide the Service you request, including account features and paid subscriptions
- Legitimate interests — to secure the Service, prevent abuse, and improve our product, balanced against your rights
- Consent — where you choose optional features or communications that require consent
- Legal obligation — where we must retain or disclose data to comply with law
6. Retention
We retain account and usage data for as long as your account is active and for a reasonable period afterward to comply with legal obligations, resolve disputes, and enforce our policies.
Security and audit logs may be kept for a limited period necessary for abuse investigation and infrastructure protection.
Threat intelligence data (phishing URLs and related indicators submitted to or collected by PhishStats) may be retained indefinitely as part of our threat intelligence corpus, even if you delete your account. This supports long-term security research and community protection. Account-specific data (such as your email) is handled separately and can be deleted on request subject to legal retention requirements.
7. Security
We implement reasonable technical and organizational measures to protect personal data, including hashing API key secrets and access controls on account features. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
If you believe your account has been compromised, contact us immediately at [email protected].
8. Your Rights
Depending on where you live, you may have rights regarding your personal data, including the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your account data
- Request a copy of your data in a portable format
- Object to or restrict certain processing
- Withdraw consent where processing is based on consent
To exercise these rights, email [email protected]. We may need to verify your identity before responding. You may also have the right to lodge a complaint with a data protection authority in your jurisdiction.
9. International Transfers
Your data may be processed in countries other than your own, including where our service providers operate. Where required by applicable law, we take appropriate safeguards for cross-border transfers.
10. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will take steps to delete it.
11. Changes
We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated "Last updated" date. We encourage you to review this page periodically.
12. Contact
Privacy questions or requests? Contact us at [email protected].
See also our Terms of Service.