Privacy Policy
Last updated May 23, 2026
This policy explains what personal data Spotting The Bait ("we", "us") collects, why, and what choices you have. It covers both the people who administer an account and the staff who receive simulated phishing challenges.
Who we are
Spotting The Bait is a phishing-awareness training service operated by Impaque. For account holders we act as a data controller for your administrator account, and as a data processor acting on your instructions for the employee roster you upload and the challenge-response data we generate on your behalf.
What we collect
- Administrator account: name, email address, hashed password, and organization details you provide at sign-up.
- Employee roster: the email address, and optionally name, role, and department, of the staff you choose to enroll.
- Challenge activity: which simulated challenges were sent, whether they were opened or clicked, the answer chosen, and the time of response. We store a one-way hash of the responder's IP address for abuse detection — never the raw address.
- Billing: handled by Stripe. We store your Stripe customer and subscription identifiers and seat counts, but never your full card number.
- Email delivery events: bounce, open, and complaint signals from our email provider, Resend, used to keep deliverability healthy and honor unsubscribes.
- Website analytics: anonymous, aggregate counts of visits to our public marketing pages — see below.
Website analytics
We collect anonymous, aggregate statistics about visits to our public website — the pages viewed, the approximate country (derived from your IP address at the country level only), and the referring website. We do not use analytics cookies or any other persistent identifier, we do not track you across other websites, and we deliberately do not use third-party analytics such as Google Analytics. Visit counts are de-duplicated using a one-way fingerprint that rotates every day and cannot be reversed to identify you or to link you across days. We never apply these analytics to the free practice quiz. These records are used only for traffic reporting and are automatically deleted after 90 days.
How we use it
- To deliver weekly phishing-simulation challenges and reveal pages.
- To produce the aggregate and per-person training reports in your dashboard.
- To operate billing, send service and security notices, and provide support.
- To protect the service against abuse, fraud, and deliverability harm.
Legal basis & staff consent
Where GDPR or similar laws apply, our processing of administrator data relies on contract performance and our legitimate interest in running the service. For employee data, the account holder is responsible for having a lawful basis to enroll their staff and for informing them that they will receive simulated phishing emails as part of security training. We recommend notifying staff before the first challenge — see our staff notification template.
Sub-processors
We rely on a small number of vetted providers to run the service. Our Data Processing Agreement lists them and sets out how we handle customer personal data as a processor.
- Vercel — application hosting.
- Neon — managed Postgres database.
- Stripe — payment processing.
- Resend — transactional and challenge email delivery.
Retention
We keep account and challenge data for as long as your account is active. When you delete an employee or close your account, the associated personal data is removed or anonymized within 30 days, except where we must retain limited records to meet legal or accounting obligations.
Security
Data is encrypted in transit. Passwords are hashed, email-click links are signed and time-limited, optional two-step verification (TOTP) is available for administrator accounts, and access to production systems is restricted. No system is perfectly secure, but we work to protect your data using industry-standard measures.
Your rights
Depending on where you live, you may have the right to access, correct, export, or delete your personal data, and to object to certain processing. Administrators can manage and delete roster data directly in the dashboard, and from Account settings can download a full copy of their organization's data or permanently delete their organization and account at any time. For any other request, contact us and we'll respond within the timeframe required by law. Enrolled staff should contact their own organization's administrator first, since that organization controls the roster.
Contact
Email privacy@spottingthebait.com with any privacy question or request. See also our Terms of Service.
Spotting The Bait is operated by Impaque. Questions about this document? Email legal@spottingthebait.com.