Privacy Policy

EVRIZ USA, Inc. (“Company,” “we,” “us,” or “our”) operates the PhishSense platform located at www.phishsense.cloud (the “Site”). This Privacy Policy (“Policy”) explains how we collect, use, disclose, and safeguard your information when you visit the Site or use the Service.

All server infrastructure on which customer data is stored and processed is owned and operated by EVRIZ(이브리즈), a sole proprietorship located in the Republic of Korea (“EVRIZ Korea”). EVRIZ Korea is the primary data controller for all customer personal data. EVRIZ USA, Inc. operates the PhishSense brand and website under a licensing arrangement with EVRIZ Korea and does not independently access or control customer personal data.

“Service” refers to the phishing simulation and security awareness training platform accessible via the Site. “You” refers to you as a user of the Site or Service. By accessing the Site or using the Service, you accept this Policy and our Terms of Service.

We collect “Non-Personal Information” and “Personal Information.” Non-Personal Information includes data that cannot be used to personally identify you (e.g., anonymous usage data, general demographics, browser type). Personal Information includes your name, email address, company name, job title, and billing information, which you submit through registration or subscription.

1. Information Collected via Technology

To activate the Service you need to provide your email address. To use the Service thereafter, you will need to create an account and submit the following Personal Information:

• Full name and work email address
• Company / organization name
• Job title
• IP address, browser type, operating system, and access timestamps (collected automatically)
• Cookies and session data (see Section VII)

We use this information to provide, maintain, and improve the Service, process your subscription, and communicate with you.

2. Information You Provide by Registering for an Account

To become a subscriber you will create a personal profile. You may create a profile by filling in a form and providing us with information that may include your name, email address, company name, and job title. By registering, you represent that you are at least 18 years of age.

3. Billing Information

For direct (Stripe) subscribers: billing information is collected and processed by Stripe, Inc. under Stripe’s own privacy policy. EVRIZ USA, Inc. receives only confirmation of successful payment and does not store full credit card details. For customers billed by EVRIZ Korea via invoice / tax invoice (세금계산서), billing information is handled by EVRIZ Korea in accordance with Korean law.

4. Children’s Privacy

The Site and Service are not directed to anyone under the age of 13. We do not knowingly collect or solicit information from anyone under 13. If you believe a child under 13 has provided us Personal Information, please contact us at privacy@phishsense.cloud and we will delete it promptly.

Personal Information

Except as stated in this Policy, we do not sell, trade, rent, or share your Personal Information with third parties for marketing purposes without your consent. We use Personal Information to:

• Create and manage your account
• Provide, operate, and maintain the Service
• Process subscriptions and billing
• Respond to inquiries and provide customer support
• Send service-related notifications and updates
• Comply with legal obligations
• Send promotional communications (only with your consent; opt-out available at any time)

Non-Personal Information

We use Non-Personal Information to improve the Service, customize user experience, track trends, and analyze usage patterns. Non-Personal Information may be shared with third parties in aggregated, anonymous form.

Service Infrastructure & Data Controller

All customer Personal Information is stored exclusively on servers in the Republic of Korea, operated by EVRIZ Korea. EVRIZ Korea is the primary data controller and infrastructure operator. EVRIZ USA, Inc. operates the PhishSense website and brand under a licensing arrangement with EVRIZ Korea and does not independently access or control customer data. No customer data is transferred outside the Republic of Korea in connection with the Service.

Disclosure for Legal Reasons

We may disclose Personal Information if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to: (a) satisfy applicable law, regulation, legal process, or enforceable governmental request; (b) enforce our Terms of Service; or (c) protect against harm to the rights, property, or safety of us, our users, or the public.

Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your Personal Information may be among the assets transferred. We will notify you via email and/or a prominent notice on the Site at least 30 days before any such transfer and before Personal Information is subject to a different privacy policy.

We implement security measures designed to protect your information from unauthorized access. Security measures include:

• TLS encryption for all data in transit
• Access controls and least-privilege principles for personnel
• Regular security audits and vulnerability assessments
• Physical security of server infrastructure in the Republic of Korea (operated by EVRIZ Korea)

Although we take reasonable steps to secure your information, no method of transmission over the Internet or electronic storage is completely secure. We encourage you to use strong, unique passwords and to notify us immediately at privacy@phishsense.cloud of any unauthorized use of your account.

General Rights (All Users)

You have the right at any time to:

• Access the Personal Information we hold about you
• Correct or update inaccurate Personal Information
• Request deletion of your Personal Information
• Restrict or object to certain processing
• Opt out of marketing communications

To exercise these rights, contact us at privacy@phishsense.cloud. We will respond within 30 days.

Rights under Korean PIPA (Users in the Republic of Korea)

Users located in or operating from the Republic of Korea have the following additional rights under the Personal Information Protection Act (PIPA / 개인정보보호법):

• Right to access (열람권): request confirmation and access to your personal information
• Right to correction (정정권): request correction of inaccurate personal information
• Right to deletion (삭제권): request deletion of personal information
• Right to suspension of processing (처리정지권): request suspension of processing

To exercise PIPA rights, contact EVRIZ Korea, the primary data controller, at: contact@evriz.co.kr. You may also lodge a complaint with the Personal Information Protection Commission (개인정보보호위원회) at www.pipc.go.kr or the Korea Internet & Security Agency (KISA) at privacy.kisa.or.kr.

California Privacy Rights (CCPA)

California residents have the right to know what Personal Information we collect, to request deletion of that information, and to opt out of the “sale” of Personal Information. We do not sell Personal Information. To submit a CCPA request, contact us at privacy@phishsense.cloud.

As part of the Service, we may provide links to or compatibility with other websites or applications. We are not responsible for the privacy practices employed by those websites or the information or content they contain. This Policy applies solely to information collected by us through the Site and Service.

We retain Personal Information as follows:

We use cookies and similar tracking technologies to enhance your experience on the Site. Types of cookies used:

• Essential cookies: required for the Site to function (login sessions, security tokens)
• Analytics cookies: help us understand how users interact with the Site (e.g., Google Analytics)
• Functional cookies: remember your preferences and settings

You can control cookies through your browser settings. Note that disabling essential cookies may affect Site functionality. For Chrome: Settings → Privacy and Security → Cookies and other site data.

We use the following third-party services that may process your information:

EVRIZ Korea is the infrastructure operator and primary data controller. It is not a third-party service provider in the traditional sense — it is the entity that owns and controls the platform infrastructure under license to EVRIZ USA, Inc.

EVRIZ USA, Inc. reserves the right to change this Policy and our Terms of Service at any time. We will notify you of significant changes by sending a notice to the primary email address specified in your account and/or by placing a prominent notice on the Site at least 30 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.

For privacy-related inquiries regarding this Policy or the Site:

For matters related to personal data stored in the Republic of Korea, or to exercise PIPA rights: