Privacy Policy
Effective Date: June 13, 2026
Phishgrad, Inc. ("Phishgrad," "we," "our," or "us") respects your privacy and is committed to protecting the information entrusted to us. This Privacy Policy explains how we collect, use, disclose, store, and protect information when you visit our websites, use our products and services, including Haltpoint and related offerings (collectively, the "Services"), communicate with us, or otherwise interact with Phishgrad.
This Privacy Policy is designed to meet the expectations of enterprise customers, security teams, regulators, and privacy frameworks, including applicable U.S. privacy laws, GDPR, and other relevant data protection requirements.
1. Scope
This Privacy Policy applies to:
- Visitors to our websites
- Prospective customers
- Customers and authorized users of our Services
- Event attendees
- Individuals who communicate with Phishgrad
- Information processed through the Haltpoint platform
This Privacy Policy does not apply to third-party websites, services, or applications that are not owned or controlled by Phishgrad.
2. Information We Collect
The information we collect depends on how you interact with us and the Services.
Information You Provide Directly
We may collect:
- Name
- Email address
- Business contact information
- Company information
- Job title
- Demo requests
- Marketing preferences
- Communications with us
- Support requests
- Event registrations
Website and Device Information
When you visit our website, we may automatically collect:
- IP address
- Browser type
- Device information
- Operating system
- Referring URLs
- Pages visited
- Date and time of access
- Usage analytics
- Cookie and similar technology data
3. Information Processed Through Haltpoint
When customers use Haltpoint, Phishgrad may process information authorized by the customer to provide Runtime Trust services, Agent Trust Score (ATS) calculations, ownership management, trust evaluations, audit logging, security monitoring, and related functionality.
Such information may include:
Identity Information
- User identifiers
- Directory records
- Authentication events
- Identity verification records
- Group memberships
- Role assignments
- Account status information
- Single sign-on (SSO) metadata
Ownership Information
- Agent ownership assignments
- Ownership transfers
- Ownership verification records
- Ownership validation records
- Owner engagement activity
- Ownership accountability records
- Delegated ownership records
Agent Information
- Agent identifiers
- Agent registration records
- Agent metadata
- Agent classifications
- Agent lifecycle events
- Agent configuration changes
- Agent status information
- Agent deployment information
Runtime Activity Information
- Execution events
- Workflow activity
- Tool usage metadata
- Approval events
- Escalation events
- Policy evaluation events
- Runtime decisions
- Audit records
- Trust evaluation records
Enterprise Metadata
Depending on customer configuration, we may process:
- Identity provider metadata
- Directory metadata
- Human resources metadata
- Email metadata
- Collaboration metadata
- Browser telemetry
- Security event metadata
- Workflow metadata
- Agent execution metadata
4. AI Agent and Runtime Trust Data
Phishgrad provides Runtime Trust services designed to evaluate whether AI agents should be trusted to perform actions in enterprise environments.
To provide these Services, Phishgrad may collect, process, analyze, and store information relating to:
- Human ownership relationships
- Agent identity validation
- Agent lifecycle events
- Workflow context
- Runtime execution activity
- Behavioral baselines
- Trust events
- Approval workflows
- Governance events
- Security events
- Audit records
These categories of information are used to generate:
- Ownership Trust assessments
- Execution Trust assessments
- Agent Trust Scores (ATS)
- Organizational trust metrics
- Runtime Trust decisions
- Audit and compliance records
- Security alerts
- Operational recommendations
Phishgrad may use automated systems, machine learning models, statistical analysis, behavioral baselining, anomaly detection, and trust evaluation methodologies to support these capabilities. Proprietary scoring methodologies, algorithms, weighting models, thresholds, and trust calculations constitute confidential intellectual property and trade secrets of Phishgrad.
5. Content Minimization
Phishgrad is designed to minimize the collection and storage of customer content whenever possible.
Where technically feasible and appropriate for the Services:
- We process metadata rather than message content.
- We minimize data collection to what is necessary to provide the Services.
- We limit access to customer information.
- We support customer-controlled configurations and integrations.
Customers remain responsible for determining what information is connected to the Services.
6. How We Use Information
We use information to:
- Provide the Services
- Operate Haltpoint
- Calculate Agent Trust Scores
- Evaluate Runtime Trust
- Verify ownership relationships
- Detect anomalies and security risks
- Generate runtime decisions
- Support workflow approvals
- Maintain audit records
- Provide customer support
- Improve functionality
- Conduct research and development
- Monitor platform performance
- Secure the Services
- Prevent fraud and abuse
- Comply with legal obligations
- Enforce agreements
7. Legal Bases for Processing
Where required by law, we process information based on one or more of the following legal grounds:
- Performance of a contract
- Legitimate business interests
- Customer instructions
- Compliance with legal obligations
- Protection of vital interests
- Consent where required
8. Sharing and Disclosure
We do not sell personal information.
We may share information with:
Service Providers
Vendors who assist with:
- Hosting
- Cloud infrastructure
- Customer support
- Analytics
- Security monitoring
- Communication services
- Professional services
These providers are contractually required to protect information.
Customer-Directed Integrations
Information may be shared with systems and services connected by customers, including identity providers, cloud platforms, enterprise software platforms, workflow systems, and AI platforms.
Corporate Transactions
Information may be disclosed in connection with:
- Mergers
- Acquisitions
- Financing transactions
- Asset sales
- Corporate reorganizations
Legal Requirements
We may disclose information when required to:
- Comply with law
- Respond to lawful requests
- Protect rights and safety
- Investigate security incidents
- Prevent fraud or abuse
9. Cookies and Similar Technologies
We use cookies and related technologies to:
- Operate our website
- Improve user experience
- Analyze usage
- Measure marketing effectiveness
- Secure our services
Users may manage cookie preferences through browser settings.
10. Data Retention
We retain information only as long as necessary to:
- Provide the Services
- Maintain security records
- Support audits
- Resolve disputes
- Enforce agreements
- Meet legal obligations
Retention periods vary depending on the type of information and customer requirements.
Audit, security, and trust-related records may be retained longer where necessary for compliance, security, or operational purposes.
11. Security
Phishgrad maintains administrative, technical, and physical safeguards designed to protect information.
Security measures may include:
- Encryption in transit
- Encryption at rest
- Role-based access controls
- Multi-factor authentication
- Audit logging
- Tenant isolation
- Security monitoring
- Vulnerability management
- Change management controls
- Incident response procedures
No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
12. International Data Transfers
Phishgrad may process information in countries where we or our service providers operate.
Where required, we implement appropriate safeguards for international transfers, including contractual protections and other legally recognized mechanisms.
13. Customer Data Processing
When Phishgrad processes information on behalf of a customer, the customer acts as the data controller (or equivalent legal role), and Phishgrad acts as a service provider, processor, or similar role under applicable law.
Customers control:
- What data is connected
- Which integrations are enabled
- User permissions
- Retention settings where available
- Configuration choices
14. Your Privacy Rights
Depending on your location, you may have rights regarding your personal information, including:
- Access
- Correction
- Deletion
- Restriction
- Objection
- Portability
- Withdrawal of consent
Requests may be submitted using the contact information below.
15. California Privacy Rights
Residents of California may have rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), including rights to:
- Know
- Access
- Correct
- Delete
- Limit certain processing activities
Phishgrad does not sell personal information.
Phishgrad does not share personal information for cross-context behavioral advertising.
16. European Privacy Rights
Individuals located in the European Economic Area, United Kingdom, and Switzerland may have rights under applicable data protection laws, including:
- Access
- Rectification
- Erasure
- Restriction
- Portability
- Objection
- Complaint to a supervisory authority
17. Children's Privacy
The Services are intended for business and enterprise use.
Phishgrad does not knowingly collect personal information from children under the age of 13, or any higher minimum age required by applicable law.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time.
When changes are made, we will update the Effective Date above and take additional steps where required by law.
19. Contact Us
Phishgrad, Inc.
Email: technology@phishgrad.com
Website: https://phishgrad.com
If you have questions regarding this Privacy Policy, our privacy practices, or your rights, please contact us using the information above.