Terms and Conditions

1. Agreement to Terms

By creating an account, clicking "I agree," or using the Service, you agree to these Terms and Conditions ("Terms"). If you are entering into these Terms on behalf of an organization, you represent that you have authority to bind that organization and "Customer" will refer to that organization. If you do not agree, do not use the Service.

2. Definitions

• Affiliate: any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
• Agreement: these Terms and any Order Form(s), SOW(s), DPA, SLA, AUP, and other referenced policies.
• Customer Data: data submitted to or collected by the Service from or on behalf of Customer, including personal data and content uploaded by users, but excluding Account Data, Support Data, and Operational/Telemetry Data.
• Account Data: contact, billing, and profile information we collect to manage your account.
• Support Data: information provided to us to obtain support.
• Operational/Telemetry Data: usage, diagnostics, and performance data related to operation of the Service.
• Order Form: an ordering document, online checkout, or similar specifying Service(s), quantities, and pricing.
• Service: our hosted software-as-a-service products and websites identified in an Order Form or on https://redphish.app. The Service includes URL/link reputation checks, threat-intelligence lookups, and related automation provided via web application, browser extensions, and APIs.
• Scan: a request you initiate to analyze a URL, domain, or link using the Service.
• Result(s): the response returned by the Service for a Scan (e.g., safe/unsafe flags, categories, metadata, confidence indicators).
• Extension: any RedPhish-provided browser extension used to submit URLs for Scans or to display Results.
• SLA: the Service Level Agreement in Section 12.
• AUP: the Acceptable Use Policy in Section 8.
• Administrator: a user designated by Customer with permissions to configure the Service for Customer's organization, including inviting and managing end users.
• Minor: an individual who has not reached the age of majority in their jurisdiction (e.g., under 18 in many jurisdictions).
• School (Education Customer): an educational institution, district, or administrative body purchasing or enabling the Service for use by its students and staff.
• Student: an individual enrolled with a School whose access to the Service is provisioned and managed by that School.
• Student Data: personally identifiable information about Students that is provided to or collected by the Service in the course of providing the Service to a School for an educational purpose. Student Data is a subset of Customer Data.
• School Official (FERPA): For U.S. Schools, RedPhish acts as a "school official" with a "legitimate educational interest" as those terms are used under FERPA, subject to these Terms.

3. Eligibility; Accounts

• Minimum Age. You may use the Service only if you are (a) at least the age of majority in your jurisdiction, or (b) at least 13 years old and have the consent and supervision of a parent or legal guardian, or you are invited and managed by your organization's authorized Administrator. Except for School-managed accounts described below, the Service is not directed to children under 13, and we do not knowingly collect information from them.
• Organization/Administrator Responsibilities. If you create or administer an organization account or invite users (including Minors), you represent and warrant that you have the authority to do so and that you have obtained and will maintain all required consents and notices (e.g., parental/guardian consent where legally required). You are responsible for ensuring your users' compliance with these Terms and all applicable laws (including child privacy and student data laws, where applicable).
• Account Accuracy and Security. You must provide accurate registration and billing information and keep it current. You are responsible for all activities under your account and for safeguarding credentials.

3A. About the Service; Customer Responsibilities

• The Service analyzes links you submit (or that your organization submits) and returns Results based on internal logic and third-party threat intelligence. Results are probabilistic and may include false positives/negatives. You remain solely responsible for your security posture and decisions you make based on Results.
• You must have the rights and consents necessary to submit any URLs/links for Scans (including on behalf of your organization's users). Do not submit content containing personal data unless strictly necessary; do not submit special categories of personal data.
• You are responsible for configuring allow/deny lists, thresholds, automations, and for reviewing Results before taking action.

3B. Education Accounts; Students Under 13 (COPPA/FERPA)

• The Service may be used by Schools for educational purposes with Students, including Students under 13. For U.S. Schools, where applicable, the School may provide consent in lieu of a parent under COPPA solely for the educational use of the Service. We rely on the School to obtain and document any required notices and consents and to inform parents/guardians about the School's use of the Service.
• We provision Student access only through a School-managed organization account. We do not allow self-serve Student sign-ups. Schools are responsible for configuring access, permissions, and retention consistent with their policies and applicable law.
• We act as a School Official under FERPA and will use Student Data only for and at the direction of the School for the limited educational purpose of providing the Service and related support, as further detailed in Section 10 (Customer Data; Privacy; Data Processing).

4. Orders; Term; Renewal

• Subscription Term. Subscriptions are monthly or annual as specified in the Order Form and renew automatically for successive terms unless canceled before the current term ends.
• Ordering. Self-serve online checkout or executed Order Forms are binding when accepted by us.
• Cancellation. You may cancel effective at the end of the current term. We do not prorate refunds unless required by law.

5. Fees; Payment; Late Charges

• Fees. You agree to pay fees listed at checkout or in an Order Form. Fees are non-refundable once a billing period begins, except where legally required or expressly stated otherwise.
• Billing. Self-serve plans are charged by credit card via our payment processor. Enterprise plans may be invoiced Net-30.
• Taxes. Fees exclude taxes. You are responsible for all sales, use, VAT/GST, and similar taxes, excluding taxes on our income.
• Late Payment. Overdue amounts may accrue interest at 1.5% per month or the maximum permitted by law, whichever is lower, plus reasonable collection costs. We may suspend the Service for non-payment with prior notice.
• Chargebacks/Disputes. If you initiate a payment dispute or chargeback without first providing us a reasonable opportunity to address the issue, we may suspend the Service and pursue recovery of fees and costs permitted by law.

6. Price Changes

We may change prices with at least 30 days' prior notice, effective at your next renewal. If you do not agree, you may cancel before the change takes effect.

7. Trials; Free Plans

• Trials. Free trials typically last 7 days and may auto-convert to a paid plan unless you cancel before the trial ends. Trial details are displayed at signup.
• Free Plans. If offered, free plans may have feature limits and can be modified or discontinued at any time.

8. Acceptable Use Policy (AUP)

You must not, and must not permit others to:

• Violate laws or rights of others; post, upload, or share illegal, infringing, or harmful content.
• Transmit malware, spyware, or perform denial-of-service attacks.
• Send unsolicited or bulk communications in violation of anti-spam laws.
• Scrape, crawl, or harvest data outside published API endpoints or beyond permitted rate limits.
• Attempt to gain unauthorized access or circumvent authentication, security, or usage limits.
• Use the Service to build or improve a competing product, conduct competitive benchmarking without our prior written consent, resell, sublicense, or share access except as agreed.
• Conduct penetration tests or security scans without our prior written permission. We may suspend accounts for AUP violations.

8.1 RedPhish-Specific AUP

• Do not use the Service to phish, defraud, stalk, harass, dox, or otherwise harm individuals or organizations.
• Do not submit URLs that you do not have rights to analyze (e.g., confidential internal links of third parties, stolen content).
• Do not intentionally submit malware samples or live credentials to the Service. If you must submit test artifacts, use clearly marked, safe test data.
• Do not attempt to scrape, mirror, or bulk export third-party threat intelligence beyond what the Service provides under its normal operation.
• Respect per-account rate limits and fair-use thresholds; automated high-volume use requires our written approval and may incur additional fees.

9. High-Risk Activities

The Service is not designed for high-risk uses such as medical, aviation, nuclear, life support, or critical infrastructure where failure could result in death, personal injury, or severe environmental/financial damage. You must not use the Service in these settings.

10. Customer Data; Privacy; Data Processing

10.1 Roles

For Customer Data in the Service, we act as a processor/service provider to you. For Account Data, Support Data, and Operational/Telemetry Data, we act as an independent controller/business.

10.2 DPA

Our Data Processing Addendum (including EU Standard Contractual Clauses and, if applicable, UK addendum (IDTA)) is incorporated by reference and available upon request. If there is a conflict, the DPA governs data processing matters.

10.3 Hosting; Transfers

We host in the US and/or EU. Where Customer Data is transferred internationally, we use appropriate safeguards (e.g., SCCs) and will provide further details in the DPA.

10.4 Data Restrictions

Do not submit PHI subject to HIPAA or payment card data requiring PCI-DSS compliance. You must not submit children's data under 13 or other protected children's data unless (i) you are a School using the Service for an educational purpose and have provided required notices and obtained (or can provide) appropriate consent under COPPA or other applicable law, or (ii) another lawful basis applies and you have obtained all required consents and provided required notices. Do not submit special categories of personal data under applicable law (e.g., racial/ethnic origin, health, biometric, or precise geolocation) unless we agree in writing. Do not submit browsing histories or other unnecessary personal data; the Service is intended to analyze URLs/links you explicitly submit.

10.5 Retention; Deletion

During the term, you may export Customer Data using available tools. After termination, we retain Customer Data for 30 days for export upon request and then delete within 60 days, subject to legal retention requirements and backups per our standard cycles.

10.6 Privacy Policy

Our Privacy Policy is available at: https://redphish.app/privacy-policy.

10.7 Student Data (Education Customers – US COPPA/FERPA)

• Scope. This Section applies when a School uses the Service for Students and Student Data is processed.
• Roles. As between the parties, Student Data is Customer Data for which the School is the controller/educational agency. RedPhish processes Student Data solely as a processor/service provider and as a School Official under FERPA.
• Permitted Use. We will use Student Data only to provide the Service to the School, to maintain and secure the Service, to comply with law, and as otherwise permitted in writing by the School. We will not use Student Data to build individual profiles for advertising, to market to Students, or for purposes unrelated to the educational use of the Service.
• No Sale/Sharing for Ads. We do not sell Student Data or share it for targeted advertising or cross-context behavioral advertising.
• Advertising. We will not serve third-party behavioral advertising to Students in the Service and will not use Student Data to target ads.
• Subprocessors. We will impose written data protection obligations on subprocessors handling Student Data comparable to those in this Agreement and will remain responsible for their performance.

10.8 Parental Rights and Requests (COPPA/FERPA)

• We will reasonably assist the School in responding to parent/guardian requests to review, correct, delete, or restrict Student Data. We will not respond directly to parents/guardians except at the School's documented direction or where legally required, in which case we will notify the School if lawful.
• We will not require Students to provide more personal information than is reasonably necessary to participate in the Service.

10.9 Student Data Security; Incidents

We apply the security controls described in Section 11 to Student Data. In the event of a confirmed breach of Student Data in our possession, we will notify the School without undue delay and provide information reasonably requested for the School to meet its notification obligations.

10.10 Student Data Retention and Deletion

We retain Student Data only for the period the School's account is active and as instructed by the School. Upon the School's request or upon termination/expiration, we will delete or de-identify Student Data within commercially reasonable timeframes, subject to legal retention obligations and standard backup cycles.

10.11 De-identified/Aggregated Data

We may use de-identified data derived from Student Data to maintain, develop, and improve the Service, provided that the data cannot reasonably be used to identify a Student or School and we do not attempt to re-identify it. Any such use will exclude any sharing for targeted advertising or marketing to Students.

11. Security; Subprocessors; Incidents

11.1 Security

We use industry-standard security, including encryption in transit and at rest. We conduct periodic vulnerability assessments.

11.2 Subprocessors

We use vetted subprocessors to deliver the Service. A current list is available upon request. We will provide notice of material changes and allow reasonable objections; if unresolved, you may terminate the affected Service and receive a pro-rata refund of prepaid fees for the remaining term.

11.3 Incident Response

We will notify you without undue delay, and within 72 hours for incidents likely to result in a risk to individuals' rights and freedoms, upon confirming a personal data breach of Customer Data in our possession.

11.4 No Forensic or Legal Advice; No Guarantee of Detection

Results are advisory and do not constitute legal, compliance, or professional advice. We do not guarantee detection or prevention of threats. You acknowledge that threat intelligence is probabilistic, incomplete, and may change rapidly. You remain responsible for your own security controls, user training, and incident response.

12. Service Levels (SLA) and Support

12.1 Uptime

We target 99.9% monthly uptime, excluding: scheduled maintenance (with at least 48 hours' prior notice), force majeure events, and outages of third-party services outside our reasonable control.

12.2 Service Credits

If monthly uptime falls below 99.9%, you may request credits within 30 days of month-end: 5% of the monthly fee for each 0.1% below 99.9%, capped at 50% of the monthly fee. Credits are your exclusive remedy for SLA failures.

12.3 Support

Standard support is available Mon–Fri during business hours (Eastern Time, ET) via email at support@redphish.app. Target initial response times: Severity 1 (Service down): 2 business hours; Severity 2 (major impact): 4 business hours; Severity 3 (minor): 1 business day.

12.4 Scheduled Maintenance; Data Sources

We may perform scheduled maintenance with at least 48 hours' notice where practical. Some features depend on third-party data sources (e.g., open-source threat intelligence feeds); their availability and freshness are outside our control and excluded from uptime calculations.

13. Intellectual Property; License

13.1 Our IP

We and our licensors own all rights in the Service, software, documentation, and related materials. No rights are granted except as expressly stated.

13.2 Customer IP

You own Customer Data and any content you upload.

13.3 License to You

Subject to these Terms and payment of fees, we grant you a limited, non-exclusive, non-transferable, non-sublicensable license to access and use the Service during the Subscription Term, solely for your internal business purposes.

13.4 License to Us

You grant us a worldwide, limited license to host, process, transmit, and display Customer Data as necessary to provide the Service and support.

13.5 Third-Party Threat Intelligence and Data Sources

The Service may use third-party or open-source threat intelligence and blocklists (e.g., community phishing/malware feeds). Such data is provided "as is," may include errors or omissions, and may be subject to the licensors' terms. We do not grant rights to such third-party data beyond what is necessary to use the Service, and we are not liable for inaccuracies or unavailability of those sources.

14. Feedback

If you provide feedback, ideas, or suggestions, you grant us a perpetual, irrevocable, worldwide, royalty-free license to use and exploit them without restriction or attribution.

15. Third-Party Services; Open Source

15.1 Third-Party Services

The Service may interoperate with third-party products and services. We are not responsible for third-party services, and your use of them is governed by their terms and privacy policies.

15.2 Open Source

The Service may include open-source components governed by their licenses. An OSS notice (if applicable) is available upon request.

16. API Terms

If we provide APIs, you must use assigned keys, comply with published documentation and rate limits, and not remove attributions. We may revoke keys for misuse, security concerns, or AUP violations.

16.1 Rate Limits; Caching; Attribution

• You must comply with per-key and per-account rate limits. We may throttle or suspend requests exceeding limits.
• You may cache Results solely for your internal use for up to 30 days unless otherwise permitted; you must refresh or purge stale data thereafter.
• You must preserve any attributions or notices included in Results where displayed.

16.2 Extension-Specific Terms

• The Extension may request permissions to read the active tab's URL for the sole purpose of performing user-initiated Scans or enforcing your organization's policies. It does not access content beyond what is strictly necessary to provide the Service.
• You are responsible for distributing and configuring the Extension within your organization, including allow/deny lists and update policies.

17. Confidentiality

Each party will protect the other party's Confidential Information using reasonable care and will use it only to perform under this Agreement. "Confidential Information" excludes information that is public without breach, independently developed, or rightfully received without confidentiality obligations. If legally required to disclose, the recipient will provide notice (if lawful) and cooperate to seek protection.

18. Publicity

We may use your name and logo in our customer lists, website, and marketing materials, consistent with your brand guidelines, unless you opt out by notifying us at [publicity opt-out email]. For Education Customers, we will not use Student names, images, or Student Data for publicity, and we will use School names/logos only in accordance with School policy or with consent.

19. Compliance; Export; Sanctions; Anti-Corruption

You must comply with applicable laws, including data protection, anti-spam, export control, and sanctions laws (e.g., U.S. EAR and OFAC). You represent you are not located in, organized under the laws of, or ordinarily resident in embargoed countries or on restricted party lists. You will not use the Service for prohibited end uses. You will comply with anti-bribery and anti-corruption laws (e.g., FCPA, UK Bribery Act).

20. Beta and Experimental Features

We may offer Beta or pre-release features, including experimental detection models or threat-intelligence feeds. Betas are optional, provided "as is," not subject to the SLA or support commitments, and may be modified or discontinued at any time. You assume all risks of Beta use.

21. Suspension

We may suspend the Service (a) for non-payment after notice, (b) to address a security threat, (c) if you violate the AUP or law, or (d) if required by a court or regulator. We will limit suspension to the affected portion and restore service promptly once the issue is resolved.

22. Termination

22.1 For Cause

Either party may terminate for material breach if the breach remains uncured 30 days after written notice (10 days for payment breaches).

22.2 Convenience

You may terminate for convenience at any time, effective at the end of the current term.

22.3 Effect

Upon termination, all rights and licenses terminate, and unpaid fees for the remainder of the then-current term (if committed term) become due unless otherwise stated in the Order Form or required by law.

23. Post-Termination Data Handling

Upon termination or expiration, you may export Customer Data for 30 days. Thereafter, we will delete Customer Data within 60 days, subject to legal holds and backup retention cycles. We may retain and use Operational/Telemetry Data in aggregated or de-identified form.

24. Warranties; Disclaimers

24.1 Mutual

Each party represents it has the authority to enter this Agreement.

24.2 Service

We will provide the Service using reasonable care and skill. EXCEPT AS EXPRESSLY STATED, THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE," WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. We do not warrant uninterrupted or error-free operation.

ADDITIONAL DISCLAIMER SPECIFIC TO SECURITY/THREAT DETECTION: WE DO NOT GUARANTEE THAT THE SERVICE WILL DETECT, BLOCK, OR PREVENT ALL MALICIOUS, PHISHING, OR UNWANTED CONTENT, OR THAT FALSE POSITIVES/NEGATIVES WILL NOT OCCUR. YOU ARE SOLELY RESPONSIBLE FOR DECISIONS MADE OR ACTIONS TAKEN BASED ON RESULTS AND FOR MAINTAINING APPROPRIATE SECURITY CONTROLS.

25. Indemnification

25.1 Our IP Indemnity

We will defend and indemnify you against third-party claims alleging that your authorized use of the Service infringes a patent, copyright, or trademark, or misappropriates a trade secret, and pay damages and reasonable legal fees finally awarded, provided you promptly notify us, allow us control of the defense, and cooperate. We may (at our option) procure rights, modify the Service, or terminate the affected Service with a pro-rata refund.

25.2 Exclusions

We have no obligation for claims arising from (a) combinations with items not provided by us, (b) modifications not made by us, (c) use in breach of these Terms, or (d) Customer Data or third-party services.

25.3 Your Indemnity

You will defend and indemnify us against claims arising from Customer Data, your use of the Service in violation of law or the AUP, or your third-party relationships.

25.4 Customer Security Configuration

You acknowledge that misconfiguration of allow/deny lists, policies, or automations can lead to blocking legitimate content or allowing unsafe content. You will defend and indemnify us from claims arising out of your configurations or decisions made based on Results.

26. Limitation of Liability

26.1 Cap

TO THE MAXIMUM EXTENT PERMITTED BY LAW, EACH PARTY'S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL NOT EXCEED THE FEES PAID OR PAYABLE BY YOU TO US FOR THE SERVICE IN THE 12 MONTHS BEFORE THE EVENT GIVING RISE TO LIABILITY.

26.2 Excluded Damages

NEITHER PARTY WILL BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, COVER, OR PUNITIVE DAMAGES, OR LOSS OF PROFITS, REVENUE, GOODWILL, OR DATA, EVEN IF ADVISED OF THE POSSIBILITY.

26.3 Carve-Outs

The above limitations do not apply to (a) IP infringement indemnity obligations, or (b) breach of confidentiality/data security obligations to the extent directly caused by a party.

26.4 Aggregate Liability for Free/Beta Use

For free plans, trials, or Beta features, our aggregate liability is limited to USD $100.

27. Changes to the Service and to these Terms

We may update features, functions, or components of the Service. We will not materially reduce core functionality during a paid term without providing substantially equivalent functionality. We may modify these Terms; material changes will be notified at least 30 days before taking effect. Continued use after the effective date constitutes acceptance. If you object to material changes, you may cancel before they take effect.

28. Copyright Complaints

If you believe content available through the Service infringes your copyright, please email a notice to: support@redphish.app. Your notice should include:

1. A description of the copyrighted work you claim has been infringed;
2. Identification of the material you claim is infringing (including URL or other specific location within the Service);
3. Your contact information (name, mailing address, telephone number, and email address);
4. A statement that you have a good faith belief that use of the material is not authorized by the copyright owner, its agent, or the law; and
5. A statement that the information in your notice is accurate and, under penalty of perjury, that you are the copyright owner or authorized to act on the owner's behalf.

We may remove or disable access to the reported material and may terminate accounts of repeat infringers.

28A. No Professional Advice

Information in the Service (including Results) is for informational purposes only and does not constitute legal, security, compliance, or other professional advice.

29. Government Users

If you are a U.S. Government end user, the Service and documentation are "Commercial Computer Software" and "Commercial Computer Software Documentation" provided with only the rights set forth in these Terms, per FAR 12.212 and DFARS 227.7202.