PhishingRadar

Privacy policy

Last updated: July 2026

1. Data controller

The data controller is Robin Ben Baumgärtner, sole proprietorship "PhishingRadar", Engelgasse 12, 5647 Oberrüti, Switzerland, kontakt@phishingradar.ch (hereinafter "we"). This policy explains to company customers and their employees which data we process when they use PhishingRadar.

2. Two roles: controller and processor

For the company customer's contract and billing data (e.g. company name, billing address, payment data), we are the data controller in our own right. For the data of invited employees (name, email, department, test results), however, we act on behalf of the respective company customer as a data processor under Art. 9 of the Swiss Data Protection Act (DPA). The company customer remains responsible for the lawfulness of processing towards its own employees. On request, we provide company customers with a data processing agreement (DPA contract).

3. Data processed

We process in particular: names, email addresses, and department of invited employees; test results and issued proofs; company details, billing and payment data of company customers (payment processing via Stripe, see section 5); technical log data (e.g. IP address, timestamp) to ensure operation.

4. Purpose of processing

The data is used to run the phishing-recognition test, issue time-limited proofs, provide an internal overview in the company area for company administrators, manage the subscription, and fulfil legal obligations (e.g. accounting).

5. Disclosure to third parties and processors

Data is only disclosed to third parties where necessary to provide the service or required by law. We use the following processors: Stripe (payment processing and invoicing), Resend (sending invitation, reminder, and system messages), and Cloudflare (Turnstile captcha protecting registration against abuse). Hosting is provided by a professional provider with servers located within the EU. Appropriate contracts ensuring an adequate level of data protection are in place with all processors.

6. Disclosure abroad

Stripe, Resend, and Cloudflare are companies headquartered or with group companies in the USA; your data may therefore also be processed there. We ensure that appropriate safeguards are in place in these cases, in particular standard contractual clauses or the respective provider's certification under the Swiss-U.S. Data Privacy Framework. A copy of the relevant safeguards can be requested from us.

7. Location and duration of storage

Data is only stored for as long as necessary for the stated purposes or as required by statutory retention obligations. If an employee leaves the company customer, the company admin can remove the account in the company area; proofs already issued and publicly verifiable, as well as audit-log entries, remain in place for evidentiary and compliance reasons.

8. Data security

We take appropriate technical and organizational measures to protect your data against loss, misuse, and unauthorized access, including encryption of transmission (TLS), access controls, and a log of all security-relevant company actions (audit log).

9. Cookies

We use only strictly necessary cookies, in particular to maintain your login session. No analytics, marketing, or tracking cookies are used.

10. Your rights

You have the right to access, rectify, delete, and restrict the processing of your data, as well as the right to data portability. Access requests are free of charge and answered within 30 days. Employees of company customers should primarily contact their company admin; alternatively, directly at kontakt@phishingradar.ch. You also have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC, www.edoeb.admin.ch).

11. Changes to this policy

We may amend this privacy policy to reflect changes in legal requirements or PhishingRadar's features. The version published at the time of your visit applies.