Privacy Policy

Last updated: April 25, 2026

This Privacy Notice for Decoy4U ("we," "us," or "our") describes how and why we might access, collect, store, use, and share your personal information when you use our services, including when you visit decoy4u.com, use the Decoy4U platform, or engage with us in any related way.

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. If you do not agree with our policies, please do not use our Services. For questions, contact us at privacy@decoy4u.com.

Summary of Key Points

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the features you use.

Do we process sensitive information? We do not process sensitive personal information.

Do we collect from third parties? We may collect information from public databases, marketing partners, and other outside sources.

How do we process your information? We process your information to provide, improve, and administer our Services, to communicate with you, for security and fraud prevention, and to comply with law.

How do we keep your information safe? We have organizational and technical processes in place to protect your information, though no transmission over the internet can be 100% guaranteed secure.

What are your rights? Depending on your location, you may have certain rights regarding your personal information. Contact us at privacy@decoy4u.com to exercise them.

1. What Information Do We Collect?

Personal information you disclose to us

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products, when you participate in activities on the Services, or otherwise when you contact us.

The personal information we collect may include: names, email addresses, usernames, passwords, billing addresses, debit/credit card numbers, and payment information.

Information automatically collected

We automatically collect certain information when you visit, use, or navigate the Services. This includes IP addresses, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, and information about how and when you use our Services. This information is primarily used to maintain the security and operation of our Services.

Employee data (uploaded by you)

When you use Decoy4U to conduct phishing simulations, you upload information about your employees (names and email addresses). This data is processed solely on your behalf and is used only to deliver the phishing simulation campaigns you configure. See Section 14 for full details.

2. How Do We Process Your Information?

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

  • To facilitate account creation and authentication.
  • To deliver and facilitate delivery of services to the user.
  • To respond to user inquiries and offer support.
  • To send administrative information, such as changes to our terms and policies.
  • To fulfill and manage your orders, payments, returns, and exchanges.
  • To send marketing and promotional communications (you may opt out at any time).
  • To protect our Services and investigate fraud or security issues.
  • To comply with our legal obligations.
  • To evaluate and improve our Services, products, and your experience.

3. What Legal Bases Do We Rely On to Process Your Information?

If you are located in the EU or UK, we rely on the following legal bases: Consent — where you have given us permission; Performance of a Contract — where processing is necessary to fulfill our contract with you; Legal Obligations — where processing is required by law; and Legitimate Interests — where processing is in our legitimate interests and not overridden by your rights.

If you are located in Canada, we may process your information based on express or implied consent, or where permitted by law.

4. When and With Whom Do We Share Your Personal Information?

We may need to share your personal information in the following situations:

  • Business Transfers. We may share or transfer your information in connection with a merger, acquisition, or sale of assets.
  • Service Providers. We may share your data with third-party vendors who provide services such as payment processing (Stripe), email delivery (Resend), database hosting (Supabase), and analytics (Vercel).
  • Legal Requirements. We may disclose your information where required to do so by law or in response to valid requests by public authorities.

5. Do We Use Cookies and Other Tracking Technologies?

We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information. We use Vercel Analytics to collect anonymous page-view data. You can control cookie settings through your browser. Refusing cookies may affect some features of the Services.

6. Do We Offer Artificial Intelligence-Based Products?

We offer features that use artificial intelligence, including AI-powered campaign generation (available on the Pro plan). This feature uses the Anthropic Claude API to analyze your organization and recommend phishing simulation templates and targeting strategies. Prompts sent to this feature may include your organization name, employee department data, and campaign preferences. We do not use your data to train third-party AI models.

7. Is Your Information Transferred Internationally?

Our servers are located in the United States and European Union (Ireland). If you access our Services from outside these regions, your information may be transferred to, stored, and processed in the US or EU. By using our Services, you consent to such transfer. We implement appropriate safeguards for cross-border transfers, including Standard Contractual Clauses where required by EU law.

8. How Long Do We Keep Your Information?

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it.

Campaign data and employee tracking data are retained for the life of your account and deleted within 30 days of account termination upon request.

9. How Do We Keep Your Information Safe?

We have implemented appropriate technical and organizational security measures designed to protect the security of any personal information we process. These include encrypted data transmission (HTTPS/TLS), access controls, and regular security reviews.

However, despite our safeguards, no electronic transmission over the internet or information storage technology can be guaranteed 100% secure. Transmission of personal information to and from our Services is at your own risk. Access our Services only within a secure environment.

10. Do We Collect Information From Minors?

We do not knowingly solicit data from or market to children under 18 years of age. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of a minor and consent to such minor's use. If we learn that personal information from users under 18 has been collected, we will deactivate the account and delete the data. Contact us at privacy@decoy4u.com if you become aware of any such data collection.

11. What Are Your Privacy Rights?

Depending on your location, you may have the following rights regarding your personal data:

  • Right to access and obtain a copy of your personal information.
  • Right to rectification of inaccurate data.
  • Right to erasure ("right to be forgotten").
  • Right to restrict processing.
  • Right to data portability.
  • Right to object to processing based on legitimate interests.
  • Right to withdraw consent at any time (where processing is consent-based).

To exercise any of these rights, please contact us at privacy@decoy4u.com. We will respond within 30 days.

If you are in the EEA or UK and believe we are unlawfully processing your personal information, you have the right to complain to your local data protection supervisory authority.

12. Controls for Do-Not-Track Features

Most web browsers and some mobile operating systems include a Do-Not-Track ("DNT") feature or setting. At this time, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. We will update this practice if a standard is adopted in the future.

13. Do United States Residents Have Specific Privacy Rights?

California

California Civil Code Section 1798.83 permits users who are California residents to request certain information about our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, contact us at privacy@decoy4u.com.

Virginia, Colorado, Connecticut, Texas, and other states

Residents of these states may have additional rights including the right to opt out of the sale or sharing of personal data, the right to correct inaccuracies, and the right to appeal a decision we make regarding your privacy rights request. Contact us to exercise these rights.

14. Employee Data in Phishing Simulations

Important — Read Carefully

When you use Decoy4U to conduct phishing simulations, you upload the names and email addresses of your employees ("Employee Data"). By uploading Employee Data, you represent and warrant that:

  • You are authorized to upload and process the Employee Data on behalf of your organization.
  • You have obtained all necessary organizational permissions and, where required by law, have notified or obtained consent from affected employees in accordance with applicable employment and data protection laws.
  • You will not use Employee Data to target individuals outside of your own organization's workforce.

Decoy4U processes Employee Data solely as a data processor acting on your instructions. We do not use Employee Data for our own purposes, sell it, or share it with third parties except as necessary to deliver the Services (e.g., routing emails through Resend). Employee Data is retained for the duration of your account and deleted upon request or account termination.

15. Do We Make Updates to This Notice?

Yes, we may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Last updated" date at the top of this page. If we make material changes, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Notice frequently to stay informed about how we protect your information.

16. How Can You Contact Us About This Notice?

If you have questions or comments about this notice, you may contact us at:

Decoy4U

8 The Green, Suite A

Dover, DE 19901

United States

privacy@decoy4u.com

17. How Can You Review, Update, or Delete the Data We Collect From You?

Based on the applicable laws of your country or state, you may have the right to request access to the personal information we collect from you and details about how we have processed it, to correct inaccuracies, or to delete your personal information.

To request to review, update, or delete your personal information, please send an email to privacy@decoy4u.com with the subject line "Data Request." We will respond to your request within 30 days.