Privacy Notice
OFFphish OÜ
Registration number: № 17327202.
Effective Date: September 15, 2025
Introduction
This Privacy Notice (“Privacy Notice”) applies to the OFFphish website, accessible at https://www.offphish.com, the cloud-based learning platform also accessible through that website, and the video players used to view OFFphish courses (collectively, the “Platform”), all of which are owned and operated by OFFphish OÜ, a private limited company registered in Tallinn (“OFFphish,” “we,” or “us”). Capitalized terms not defined in this Privacy Notice have the meanings assigned to them in the Business or Individual Terms of Use. This Privacy Notice describes how OFFphish collects and uses personal data collected through the Platform. It also describes the choices available to you regarding our use of your personal data, as well as how you can access, update, and correct your personal data.
1. Personal Data We Collect
OFFphish collects personal data from you, through our interactions with you and through our Platform. You provide some of this data directly, and we get some of it by collecting data about your interactions, use, and experiences with our Platform. The data we collect depends on the context of your interactions with us and the choices you make, including your privacy settings and the services and features you use. We also obtain data about you from third parties.
You have choices when it comes to the technology you use and the data you share. When we ask you to provide personal data, you may decline under certain circumstances. Many of our Services (as defined in the Enterprise and Individual Terms of Use) require some personal data to provide you with that service. If you choose not to provide data required to provide you with a service or particular feature, you cannot use that service or feature. Where providing the data is optional, and you choose not to share personal data, features like personalization that use such data will not work for you.
- Personal data you provide to us: This is personal data about you that you give us directly when you interact with us. You may give it to us by filling out a form on our Platform, engaging with us on our Platform, or corresponding with us by phone or e-mail. It includes contact information, such as your name, email address, company, telephone number, country, occupation, and information related to your inquiries and requests. We strictly prohibit you from providing any sensitive personal data to us.
Personal data also includes information necessary to register or pay for a subscription or event, to complete your profile, or to place an order for other services we provide. It also includes information transmitted when participating in forums, exchanging information on social networks through our Platform, participating in contests or promotions, sending requests, reviews, or reports about problems on our Platform, as well as when using any other Services. When you create an account on our Platform, we ask you to provide your first name, last name, and email address.
- Payment processing: When purchasing a subscription, you must provide payment and billing information, often including your address and credit card details. The payment details you provide on the dedicated order page on our Platform will be encrypted using Transport Layer Security (TLS) before being sent to us over the Internet. This data is then transmitted directly to our third-party payment and subscription systems and is not under the control of OFFphish. In such cases, this Privacy Notice does not apply, and the terms of use and privacy policies of the third-party payment and subscription systems apply.
- Personal data we collect about you when you use our Platform: We will automatically collect information about you each time you visit our Platform, regardless of whether you are a registered user. This includes technical information, information about your visit, and information about your activity on our Platform, such as courses searched for and viewed, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), how you navigate to and from the page, and how you interact with our sales and support services. Technical information may also include the IP address used to connect your device to the Internet, unique device identifiers, your login details, browser type and version, time zone settings, browser plug-in types and versions, operating systems, and device platform.
- Personal data processed through social media plugins embedded in the OFFphish website: We process your personal data through the OFFphish fan page on Facebook and social media plugins embedded in our Platform. OFFphish and Facebook are joint controllers with respect to analytical data (e.g., data about how often you visit the OFFphish fan page on Facebook, whether you recommend the OFFphish fan page on Facebook, etc.) (“Insight Data”). However, OFFphish and Facebook have agreed that Facebook Ireland is primarily responsible under the GDPR for the processing of Insight Data. This means that Facebook is primarily responsible for providing you with information about the joint processing of Insight Data and for enabling you to exercise your rights under the GDPR with respect to Insight Data.
- Personal data we receive from other sources: this is information about you that we receive from third parties with whom we work closely to provide, promote, and improve our services. These third parties include business partners, suppliers providing technical and payment services, advertising networks, analytics providers, and search information providers.
2. How We Use Your Personal Data
OFFphish uses the personal data you provide in accordance with this Privacy Notice as follows:
- Provision of Services: We use your personal data to provide you with services through our Platform, as this processing is necessary for the performance of the contract between you and us. Services may include providing access to our course library, administering your account, billing you, and notifying you about changes to our services or your account. This personal data will also be used to enable you to use the interactive features of our Platform or to provide you with information you may have requested from us, including, but not limited to, access to technical documents and webinars.
- Improving services and features: We use your personal data to continuously improve our Platform, including by adding new content, features, or capabilities. We process your personal data on the basis that it is necessary for the purposes of our legitimate interests and to provide you with improved services.
- Personalization: We use your personal data to improve your user experience based on your previous interactions with our Platform, to the extent that you have consented to this.
- Account activation and maintenance: Data such as device, network, and subscription identifiers are used to activate and maintain user accounts. We process your personal data on the basis that it is necessary for the performance of a contract between you and us.
- Support: We use your personal data to respond to your requests for assistance, including password resets and general troubleshooting. We process your personal data based on the necessity to perform the contract between you and us.
- Social media analytics: We use your personal data to obtain analytics related to social media based on our legitimate interests in developing our business and improving our products and services.
- Security: We use your personal data to ensure the security of our users and our Platform. This includes using data to detect malware and malicious activity, as well as to track violations of our terms of use. We process your personal data based on the necessity of its use to ensure the security of OFFphish in our legitimate interests.
- Communications: We will use your personal data to communicate with you about your account and your use of our Platform. We process your personal data because it is necessary for the performance of the contract between you and us.
- Marketing: We will use your personal data to provide you with information about our services that may be of interest to you and to improve your interaction with our Platform, to the extent that you have consented to this. We will communicate with you about these products and services by email, post, telephone, or through our Platform. These communications may include newsletters, promotional emails, or invitations to participate in marketing research. We will only use your information for this purpose if you have consented to receiving such marketing materials from us prior to our collection of your information, or if you have otherwise agreed to receive such marketing materials, including by selecting marketing preferences in your personal profile, and in accordance with local law.
- User research and engagement: We may use your contact information and relevant usage data to invite you to participate in user research, such as unmoderated usability tests, surveys, interviews, or prototype testing. These efforts help OFFphish validate design decisions and ensure that we are creating solutions that truly meet the needs of our users, rather than developing them in isolation. Our research initiatives contribute to the development of a better user experience by allowing us to test and improve the organization of the workspace and collaboration features; improve the usability and customizability of test creation tools; explore new survey and test formats, including conditional logic and advanced methodologies; gather more valuable user insights through Maze Clips and think-aloud protocols; optimize the process of sharing and distributing research findings to participants; and leverage research findings through AI analytics, heat maps, and reporting tools.
Participation in the study is voluntary, and we are committed to treating all data with the utmost care and respect for your privacy. When we ask you to participate, we always provide clear context and consent mechanisms. We will also clearly communicate the nature of the data being collected and how it will be used, and we will offer options to opt out. All data collected during research will be anonymized and aggregated for analysis where possible, and personal data will only be stored for as long as necessary to achieve the research objective and will be deleted or anonymized upon completion.
- Promotions and prize draws: We will use your data to administer promotions and prize draws that you have agreed to participate in. For example, we may provide your contact information to a third party that will issue a gift card or other prize.
- Reporting and business operations: We will use your personal data to administer our Platform and for internal operations, including troubleshooting, data analysis, testing, research, statistical surveys, and reporting on our performance, based on our legitimate interests in the smooth operation and improvement of our services (in cases where we determine that such interests do not override your individual rights).
We will also use this data to measure the effectiveness of content delivery and evaluate the effectiveness of the content itself. We use IP addresses and non-personally identifiable information from our logs to analyze trends, administer our Platform, track user movements within and around our Platform, and gather demographic information about our user base as a whole, based on our legitimate interests in ensuring the smooth operation of our business and improving our services. We also use unstructured machine learning technologies to understand user behavior, provide personalized recommendations, and otherwise personalize interactions with our Platform, based on our legitimate interests in ensuring the smooth operation of our business and improving our services.
- Compliance with legislation: We process personal data for the purpose of complying with legal obligations. For example, we may process your personal data to notify the relevant tax authority of any prizes or awards.
3. Reasons We Share Personal Data
We guarantee that we only disclose personal data that is relevant to the purposes for which it is used. Furthermore, we will not process your personal data in a manner that is incompatible with those purposes.
- Use of personal data by OFFphish partners: OFFphish partners process your personal data to provide you with support and other services. You can find out more about OFFphish partners on our Platform.
- Interaction with OFFphish suppliers: We sometimes engage third parties to perform certain business functions, such as sending emails on our behalf, processing payments, or conducting marketing research. We also share your email address with third parties such as Facebook, LinkedIn, and Instagram to provide you with personalized marketing materials on their platforms. When we hire another company to perform such a function, we provide them with only the information necessary to perform their specific function. These third parties are not permitted to use your personal data that we share with them for any purpose other than those necessary to provide services to us. OFFphish subcontractors can be found on our Platform.
- Interaction with technology providers: We also share information about user interactions obtained through our Platform with third parties. For example, when you view a course associated with a specific technology provider, we share information such as the number of minutes viewed, role and skill intelligence (IQ) levels, completion of practical exercises, and other related data with that technology provider. We share this information and receive feedback from these third parties to improve the content available on our platform and to interact more effectively with our partners to jointly help companies and individuals meet their skill development needs. The data we provide to technology providers does not contain personal data unless we request it and you give your consent.
- Business plans and subscriptions to the company’s affiliate programs: If your subscription was provided by your employer or group sponsor, any information you provide or information otherwise collected through your registration and use of our services, including course viewing history, course viewing time, course completion or ratings, course quality ratings and reviews, certificates, performance metrics, and other personal data belong to your employer or group sponsor. Your employer or group sponsor controls and administers your OFFphish subscription. Please note: if you lose access to your employer-sponsored account, you will no longer be able to access the services or data associated with your account, including any data you may have obtained through your individual user account. If you registered or logged in using your employer’s or group’s account or email address, we may facilitate this transfer. Please note that this transfer is subject to our policies and procedures and may not always be possible depending on the specific circumstances.
- Corporate mergers and acquisitions: In the event of the acquisition or merger of OFFphish or its affiliates by another company, as well as in the event of a reorganization, merger, or other similar event, your personal data will be transferred to the acquiring, acquired, or newly formed companies and their affiliates, including for the purposes of managing your account and providing you with additional products and services offered by the acquiring, acquired, or newly formed companies.
- Legal requirements: In certain situations, OFFphish may be required to disclose personal data in response to lawful requests by public authorities and regulatory bodies, including for security or law enforcement purposes. We reserve the right to disclose your personal data in accordance with applicable law and in cases where we believe that disclosure is necessary to protect our rights or to comply with a legal proceeding, court order, or similar legal process served on us or our Platform. However, OFFphish values users’ rights to due process and transparency and therefore does not provide government agencies with direct or unlimited access to user data. Our privacy and risk team reviews each request received to determine the legitimacy of the legal process, assess the proportionality of the request, and ensure compliance with OFFphish’s international data protection obligations. We take our responsibility to protect user data seriously and strive to strike a balance between complying with legal obligations and our commitment to protecting user privacy and security.
4. How to Access and Control Your Personal Data
Product Communications Consent: By agreeing to these terms and conditions, the Customer consents to OFFphish and its affiliates using the contact information provided by the Customer to send product information to end users.
In accordance with the General Data Protection Regulation (GDPR) and other applicable privacy laws, OFFphish guarantees the following:
- Consent: The Customer has the right to withdraw consent to receive Product Communications at any time by following the instructions contained in the communication or by changing the settings in the Customer’s account settings.
- Data Protection: The Customer’s personal data is processed in accordance with OFFphish’s Privacy Policy, which details how data is collected, used, and securely stored. OFFphish will not share the Customer’s personal data with third parties for marketing purposes without explicit consent. For more information about the processing of Customer’s personal data, see Section 7 above (Data Protection) and, if applicable, the Additional Data Protection Agreement between the parties.
- Legitimate Interest: OFFphish may also send Product Communications to end users based on legitimate interest. These communications are necessary to inform the Customer of material changes affecting the Customer’s use of OFFphish Products and Services.
You can also choose how OFFphish collects and uses your data. You can control the personal data we receive and exercise your data protection rights by contacting us or using the features we provide. In some cases, your ability to access or control your personal data will be limited in accordance with the requirements or permissions of applicable law, your employer, or group sponsor (where applicable).
Control the use of your data for interest-based advertising in the following ways:
- Select the types of marketing communications you wish to receive in the “Communication Settings” section of your profile.
- Use the “Unsubscribe” link found in the emails we may send you.
- Contact us at offphish@proton.me. Before responding to your request, we may ask you to verify your identity or the identity of your authorized agent.
Not all personal data processed by OFFphish is accessible or controllable through the methods listed above. Please note that you will not be able to opt out of our communications related to the ongoing service and support of your account. Such communications are not considered marketing communications. In addition, any personal data that you provide directly to third parties, such as our third-party payment and subscription service providers, can only be controlled by contacting those parties directly.
5. Cookies and Similar Technologies
OFFphish and its affiliates use cookies or similar technologies to collect and store certain information. These are typically pieces of information or code that a website transfers to your computer or mobile device’s hard drive or accesses to store and sometimes track information about you. Cookies allow us to create a unique device identifier, remember you when you use that computer or device to interact with websites and online services, and can be used to manage various features and content, including saving search queries and displaying personalized content. The Platform uses cookies to distinguish you from other users of our Platform. This helps us to provide you with a functional and personalized user experience when you interact with our Platform and also allows us to improve it.
Most web browsers automatically accept cookies, but you can configure your browser to disable this if you wish. The table below provides information on how to disable cookies. However, if you do so, you will not be able to take full advantage of our Platform.
Some of the cookies we use are only stored during your visit to our Platform and are deleted when you close your browser or log out of the Platform. Others are used to remember you when you return to our Platform and will remain there for a longer period of time.
We use the following types of cookies:
- Necessary. These cookies are necessary for our website to function and to comply with our terms and conditions with you. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart, or use e-billing services.
- Performance. These cookies allow us to recognize and count the number of visitors and to monitor how visitors move around our website. This helps us in our legitimate interests to improve the performance of our website, for example, by ensuring that users are finding what they are looking for easily.
- Analytical. These cookies are used to recognize you when you return to our website. This allows us, depending on your choices and preferences, to personalize our content, greet you by name, and remember your preferences (such as your chosen language or region).
- Advertising. These cookies record your visits to our website, the pages you have visited, and the links you have clicked on. We will use this information in accordance with your preferences and choices to make our Platform and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.
We may also cooperate with advertising networks that collect information about the content of our Platform that you visit, as well as other websites and services that you visit. This may result in you seeing advertisements on our Platform or our advertisements when you visit other third-party websites and services.
Disabling Cookies
The effect of disabling cookies depends on which cookies you disable, but generally, our Platform may not function properly if all cookies are disabled. If you disable only third-party cookies, you will still be able to make purchases on our Platform. If you disable all cookies, you will not be able to make purchases on our Platform.
If you want to disable cookies on our Platform, you need to change your browser settings to refuse cookies. The method for disabling cookies depends on the browser you are using. More detailed information on disabling cookies for the most popular browsers is provided below:
- For Google Chrome:
  - Choose Settings > Advanced
  - Under “Privacy and security,” click “Content settings”
  - Click “Cookies”
- For Safari:
  - Choose Preferences > Privacy
  - Click on “Remove all Website Data”
- For Mozilla Firefox:
  - Choose the menu “Tools” then “Options”
  - Click on the icon “Privacy”
  - Find the menu “Cookie” and select the relevant options
Where you have not set your permissions, we may also separately prompt you regarding our use of cookies on our Platform.
Except for essential cookies, all cookies used on our Platform will expire after two years or sooner.
6. Security of Personal Data
OFFphish is committed to ensuring the security of your personal data. We use a variety of security measures and procedures to protect your personal data from unauthorized access, use, or disclosure. Our controls include the security measures described in Appendix A to our Customer Data Processing Agreement.
7. Access to Third Party Services
This Privacy Notice applies only to our Platform. The Platform may contain links to other websites that are not operated or controlled by us. The policies and procedures described in this Privacy Notice do not apply to websites or other services that OFFphish does not operate or control. The presence of links on our Platform does not imply that we endorse or review these websites, including their privacy policies. When you leave our Platform and go to a third-party website, you will be subject to the terms of use and privacy policy associated with that third-party website.
8. Individuals Subject to the GDPR
If your personal data is subject to the GDPR, the following provisions apply.
OFFphish acts as the controller of your personal data when you access our Platform and view information about us and our technologies, communicate with us, download official documents, register for events, and consent to receive marketing communications from us and our affiliates.
If your access to the Platform is provided by your employer in accordance with the OFFphish Enterprise Terms of Use or the General Service Agreement, then your employer is the data controller with respect to any information provided by you or your employer, or information otherwise collected during your registration and use of our services. This information typically includes your first name, last name, work email address, and any other information you provide. We strictly prohibit you from providing any confidential personal data. In cases where your employer is the data controller, we act as a data processor in accordance with data protection laws, i.e., we use the information as directed by your employer to provide services to your employer.
If you are registered as a user of the Platform in accordance with the OFFphish Individual Terms of Use, OFFphish is the controller of all personal data provided by that user and collected by the Platform when accessing and using it. We strictly prohibit you from providing any confidential personal data.
9. Individuals’ Rights under GDPR
We remind you that you can exercise the following rights at any time:
- The right to request access to your personal data;
- The right to correct or delete your personal data;
- The right to restrict the processing of your personal data;
- The right to object to the processing of your personal data;
- The right to data portability;
- If the processing is based on your consent, the right to withdraw your consent at any time;
- The right to lodge a complaint with a supervisory authority.
OFFphish will delete a user’s personal data upon reasonable request. All data deletions are final and cannot be recovered.
10. Enforcement and Dispute Resolution
Any questions or concerns regarding our use or disclosure of personal data should be directed to our customer support team at offphish@proton.me. We will investigate and attempt to resolve any complaints and disputes regarding the use and disclosure of personal data in accordance with the provisions of this Privacy Notice.
OFFphish undertakes to refer unresolved complaints related to privacy issues to an alternative dispute resolution provider in Estonia. If you do not receive timely acknowledgment of your complaint, or if we have not resolved your complaint, please contact our third-party dispute resolution provider.
11. Retention of Personal Data
As a general rule, we retain your personal data for the duration of our relationship with you. After the end of our relationship, we will retain your personal data for the period of time necessary to achieve the following purposes: to retain records in accordance with applicable law; to use in legal proceedings; or to consider any complaints regarding our services or the Platform.
12. Trial or Free Accounts
This Privacy Notice applies to the processing of your personal data in connection with any type of user account, including an account offered for free or on a trial basis, as well as an account with new or limited features.
13. International Data Transfers
The personal data we collect will be transferred and stored outside the European Economic Area (“EEA”). It will also be processed by staff operating outside the EEA who work for us or for other parties acting as data processors and processing data on our behalf. This includes staff engaged in, among other things, fulfilling your request or order and providing support services.
OFFphish guarantees that it will implement appropriate security measures to ensure the security of such data transfers in accordance with applicable data protection laws. We have entered into international data transfer agreements based on the EU Standard Contractual Clauses, which govern our international data transfers. A copy of these clauses can be obtained by contacting us at offphish@proton.me.
14. EU-US Data Privacy Framework
OFFphish PLC is responsible for the processing of personal data it receives in accordance with EU data protection provisions. OFFphish PLC complies with EU data protection principles and the principles for onward transfers of personal data from the EU, including the onward transfer liability provisions.
OFFphish does not rely solely on the EU Data Privacy Framework as the sole legal basis for the transfer of personal data in light of the EU Court’s decision in Case C-311/18. OFFphish PLC also complies with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Privacy Shield, and the Swiss-U.S. Privacy Shield.
In certain situations, OFFphish PLC may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
For complaints regarding the EU Privacy Shield Agreement that have not been resolved through any other data protection mechanism, you have the option, under certain conditions, to seek binding arbitration.
15. Changes to this Privacy Notice
We update this Privacy Notice as necessary to provide greater transparency or in response to:
- Feedback from customers, regulators, the industry, or other stakeholders;
- Changes to our products; or
- Changes to our business or data processing practices.
When we publish changes to this Policy, we will indicate the version and effective date of the most recent provisions. In the event of material changes to the Policy, such as a change in the purposes of processing personal data that are not consistent with the purpose for which it was originally collected, we will notify you by posting a notice of such changes in a prominent place on our Platform prior to their effective date or by sending an email notification to all registered users of the Platform. We encourage you to periodically review this Policy for the latest updates.
16. How to Contact Us
Questions or comments regarding this Privacy Notice should be submitted to OFFphish by email or phone as follows:
Email: offphish@proton.me
Physical Address: Harju County, Tallinn, City Center District, Ahtri Street 12, 15551, Estonia