Privacy Policy

1. Who We Are

PhishFence is a domain monitoring and brand protection service operated by Majuvo LLC, a California limited liability company. This Privacy Policy describes how we collect, use, store, and share information when you use PhishFence at phishfence.io.

2. Information We Collect

Account information. When you register, we collect your name, email address, organization name (optional), and a password. Passwords are hashed with bcrypt before storage. We never store or log plaintext passwords.

Monitored domains. We store the domain names you add for monitoring, along with scan results, detected variants, risk scores, alert history, and any notes you add during investigation.

Payment information. Subscription payments are processed by Stripe. We do not receive, process, or store your credit card number, expiration date, or CVC. Stripe provides us with a customer identifier and your subscription status so we can manage your plan.

Notification settings. If you configure alert delivery, we store your alert email address, Slack webhook URL, and/or outbound webhook URL.

API tokens. If you create API tokens, we store a hashed version of the token and metadata (name, creation date, last used date).

Server logs. Our infrastructure logs HTTP requests for operational and security purposes. Logs include IP addresses, request paths, timestamps, and HTTP status codes. Logs are retained for up to 30 days.

3. How We Use Your Information

We use the information we collect to:

• Operate the domain monitoring service, including running scans, scoring threats, and generating alerts
• Send you notifications about detected threats via email, Slack, or webhook, based on your configured preferences
• Process subscription payments and manage your billing through Stripe
• Pre-fill registrar abuse reports with your name, organization, and email to save you time when filing complaints
• Submit phishing reports to third-party databases on your behalf, when you choose to do so
• Diagnose technical issues, monitor service health, and improve reliability
• Send you service-related communications such as security notices, billing confirmations, and material changes to these policies

We do not use your data for advertising, profiling, or any purpose unrelated to operating PhishFence.

4. Information We Share

We do not sell, rent, or trade your personal information. We share data only in the following circumstances:

• Stripe receives your email address and payment details to process subscriptions
• Netcraft, Google Safe Browsing, PhishTank, and Cloudflare receive domain names and your email address when you submit a phishing report through PhishFence. Reports are submitted only when you initiate them (or opt in to automatic reporting)
• RDAP and WHOIS services receive domain name queries when we look up registrar abuse contacts. No personal data is included in these queries
• Certificate Transparency logs (crt.sh) are queried with your monitored domain names to detect newly issued certificates. No personal data is included
• Sentry receives anonymized error reports for debugging purposes. Error reports may include request paths and stack traces but do not include passwords, tokens, or domain scan results
• Google Cloud Platform hosts our infrastructure. Data is stored in GCP's us-central1 region
• Law enforcement or legal process if we are required by law, subpoena, or court order to disclose information, or if disclosure is necessary to protect the rights, safety, or property of Majuvo, our users, or the public

5. Data Security

We take the following measures to protect your data:

• All connections to PhishFence are encrypted with TLS (HTTPS)
• Passwords are hashed using bcrypt with a per-user salt
• Authentication uses signed JWT tokens with expiration
• All forms are protected against cross-site request forgery (CSRF)
• Authentication endpoints are rate-limited to prevent brute-force attacks
• HTTP security headers are applied, including HSTS, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options
• Database access is restricted to the application service account via Cloud SQL IAM
• Secrets (API keys, database credentials) are stored in GCP Secret Manager, not in code or environment files

No system is completely secure. If you become aware of a security vulnerability in PhishFence, please report it to support@phishfence.io.

6. Data Retention

We retain your account data, monitored domains, scan results, and alert history for as long as your account is active. If you delete your account, we will permanently remove all associated data within 30 days. Server logs are retained for up to 30 days regardless of account status.

Stripe retains payment records according to their own retention policies and legal obligations.

7. Your Rights

You can exercise the following rights at any time:

• Access and update your personal information from the Settings page
• Export your alert and scan data through the REST API (available on paid plans)
• Delete your account and all associated data from the Settings page
• Request a copy of all data we hold about you by emailing support@phishfence.io

If you are located in the European Economic Area, you may also have rights under the GDPR including the right to data portability, the right to restrict processing, and the right to lodge a complaint with a supervisory authority. Contact us if you wish to exercise any of these rights.

8. Cookies

PhishFence uses two cookies, both of which are strictly necessary for the service to function:

• access_token — stores your authenticated session. Attributes: HttpOnly, Secure, SameSite=Strict.
• _csrf — stores a CSRF protection token used to validate form submissions. Attributes: HttpOnly, Secure, SameSite=Strict.

We do not use tracking cookies, analytics cookies, advertising cookies, or any third-party cookies.

9. Children

PhishFence is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will delete it promptly.

10. International Users

PhishFence is hosted in the United States (Google Cloud Platform, us-central1 region). If you access the service from outside the United States, your information will be transferred to and processed in the United States. By using PhishFence, you consent to this transfer.

11. Changes to This Policy

We may update this Privacy Policy when our practices change or when required by law. When we make material changes, we will update the effective date at the top of this page and notify you by email. We encourage you to review this policy periodically.

12. Contact

For privacy questions, data requests, or to report a concern, contact us at:

support@phishfence.io
Majuvo LLC
California, United States