Privacy Policy

Last updated: April 2026

1. Overview

Phishivox ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights regarding your information. Security and data minimization are core design principles of our service.

2. Data We Collect

Account Data

When you create an account, we collect your email address and a hashed version of your password. We never store your password in plain text.

Email Scan Data

When you submit an email for scanning, we process the sender address, subject line, email body, and headers in real time. Email content is not permanently stored. We retain only the scan result: verdict (safe/suspicious/phishing), score, detection reasons, and metadata (sender, subject) for your scan history dashboard.

Mailbox Connection Data

If you connect a Gmail or Microsoft 365 mailbox, we store an encrypted OAuth token to access your inbox with read-only permissions. We request the minimum scopes necessary. You can disconnect your mailbox at any time, which immediately revokes our access and deletes the stored token.

Usage and Analytics

We collect anonymous usage metrics (page views, feature usage, scan counts) to improve the service. We do not use third-party tracking cookies. We do not sell or share your data with advertisers.

3. How We Use Your Data

  • To provide phishing detection and scan results
  • To display your scan history and dashboard statistics
  • To enforce scan quotas and tier-based access
  • To process payments through Razorpay (we do not store card details)
  • To send critical account notifications (security alerts, billing confirmations)
  • To improve detection accuracy through aggregate, anonymized analysis

4. AI Processing

Professional and Enterprise tier scans may use Azure OpenAI for enhanced analysis. When this occurs, a truncated portion of the email (up to 2,000 characters) is sent to Azure OpenAI for classification. Azure OpenAI does not use your data to train its models. The AI response is used solely to generate your scan result and is not stored separately.

5. Data Retention

Data Type                        Retention
Email content (body, headers)    Not stored (processed in real time only)
Scan results (Community)         7 days
Scan results (Professional)      90 days
Scan results (Enterprise)        1 year
Account data                     Until account deletion + 30 days
OAuth tokens                     Until mailbox disconnection (deleted immediately)

6. Data Security

  • All data is encrypted in transit (TLS 1.2+) and at rest
  • Passwords are hashed using bcrypt with per-user salts
  • OAuth tokens are encrypted before storage
  • Database access is restricted to application services only
  • Secrets are stored in Azure Key Vault, not in code or config files
  • We follow the principle of least privilege for all system access

7. Third-Party Services

We use the following third-party services to operate Phishivox:

  • Microsoft Azure — infrastructure hosting and AI processing
  • Razorpay — payment processing
  • Google APIs — Gmail mailbox connection (when enabled by user)
  • Microsoft Graph API — M365 mailbox connection (when enabled by user)

Each third party processes data in accordance with their own privacy policies. We do not share your data with any parties beyond what is necessary to provide the Service.

8. Your Rights

You have the right to:

  • Access your account data and scan history
  • Delete your account and all associated data
  • Disconnect any connected mailboxes at any time
  • Export your scan history data
  • Object to data processing (by discontinuing use)

To exercise any of these rights, contact us at privacy@phishivox.com.

9. Children's Privacy

Phishivox is not intended for use by individuals under the age of 16. We do not knowingly collect data from children.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email at least 14 days before taking effect. The "Last updated" date at the top reflects the most recent revision.

11. Contact

For privacy-related questions or requests, contact us at privacy@phishivox.com.