Privacy Policy

empowsec Corporation ("Company," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our security awareness training platform, visit empowsec.com, or interact with us.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Service.

• Account Information: name, email address, company name, job title, phone number, billing address, and account profile details.
• Payment Information: billing details and payment metadata processed through Stripe. We do not store full payment card details on our servers.
• Employee Data: names, email addresses, department assignments, and user records uploaded or provisioned through the Service.
• Usage and Simulation Data: training progress, quiz scores, certificates, phishing simulation opens, clicks, submissions, reports, and learning activity logs.
• Device and Log Data: IP address, browser, operating system, device identifiers, language preferences, access times, pages viewed, referring URLs, cookies, and similar technologies.
• Third-Party Data: profile data from SSO, OIDC, SAML, Google, Microsoft, referral links, affiliates, or reseller attribution.

• Provide, operate, maintain, and secure the Service.
• Deliver training content, run phishing simulations, generate analytics and reports, issue certificates, and manage accounts.
• Process subscriptions, invoices, payments, support requests, service announcements, password resets, billing notices, and security alerts.
• Improve the Service, develop new features, analyze usage patterns, prevent fraud and abuse, respond to security incidents, and comply with legal obligations.
• Send marketing communications where permitted by law and your consent settings.

• Contract Performance: processing needed to provide the Service, manage your account, and process payments.
• Legitimate Interests: processing needed for security, fraud prevention, service improvement, and business operations where your rights do not override those interests.
• Consent: processing based on your consent, such as optional cookies or marketing communications.
• Legal Obligation: processing needed to comply with applicable law or enforceable governmental requests.

We do not sell your personal information. We may share information with trusted service providers, your organization administrators, resellers or white-label partners where applicable, legal authorities when required, transaction counterparties in a merger or sale, and other parties with your consent.

We retain personal information while your account is active or as needed to provide the Service. After termination, data is retained for a reasonable period, typically 30 days, for reactivation or export before deletion or anonymization, unless longer retention is required for legal, dispute, security, or legitimate business purposes.

• Essential Cookies: authentication, session management, CSRF protection, and required platform functions.
• Analytics and Preference Cookies: usage measurement, product improvement, language, theme, and display settings.
• Phishing Simulation Tracking: tracking pixels and unique links used only to measure simulated campaign effectiveness for authorized administrators.

Most browsers allow cookie controls through settings. Disabling certain cookies may impair Service functionality.

• Encryption in transit and at rest.
• Role-based access controls and least-privilege principles.
• Security assessments, secure development practices, code review, incident response, employee training, and access auditing.

No method of transmission or storage is completely secure, but we are committed to promptly addressing security incidents.

Your information may be transferred to and processed in countries other than your country of residence, including the United States. For transfers from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses or other legally recognized transfer mechanisms.

Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, port, or object to processing of your personal data, and to withdraw consent where processing is based on consent.

EEA, UK, Switzerland, and California residents may have additional rights under GDPR, equivalent laws, or CCPA. You may also lodge a complaint with your supervisory authority.

To exercise these rights, contact [email protected]. We respond within 30 days or sooner when required by law and may verify your identity before processing a request.

Customer as Data Controller. When you process employee data through the Service, you act as controller and we act as processor, processing personal data only under documented instructions.

DPA Availability. We offer a Data Processing Agreement that meets GDPR Article 28 requirements. Request it at [email protected].

Sub-processors. We use a limited number of sub-processors to deliver the Service and will notify you before material changes affecting personal data processing.

• Scope: we track opens, clicks, simulated credential submission events, and reports through the Outlook add-in.
• No Real Credentials Stored: credentials entered into simulated landing pages are discarded immediately; only the event is recorded.
• Data Access: results are available only to authorized administrators and applicable reseller or white-label partners.
• Purpose Limitation: simulation data is used for security awareness assessment and training.

The Service is not directed to individuals under 16. If we learn that we collected personal information from a child under 16 without parental consent, we will delete it promptly. Contact [email protected] if you believe this occurred.

The Service may link to or integrate with third-party services. We are not responsible for their privacy practices and encourage you to review their policies.

We may update this Privacy Policy to reflect changes in practices, the Service, or applicable law. Material changes will be posted with an updated date, and changes materially affecting processing will receive additional notice where appropriate.

Continued use of the Service after the effective date constitutes acceptance of the revised Privacy Policy.

For questions, concerns, or requests about this Privacy Policy or our data practices, contact us:

If you are in the EEA and believe your data protection rights have not been addressed, you may lodge a complaint with your local data protection supervisory authority.