Privacy Policy

Last updated: May 10, 2026

This Privacy Policy explains how UAB Opsinel ("Opsinel", "we", "us") processes personal data when providing the phishing simulation and cybersecurity training platform. It applies to website visitors, Client administrators, Client employees, and other persons whose data may be processed in the Platform. The Platform is intended only for lawful organisational cybersecurity training; unlawful use is not permitted and will not be treated as a lawful processing purpose.

1. Who We Are and Scope

Controller for account, website, contract, billing, security, communication, and legal compliance data: UAB Opsinel.

Privacy contact: info@opsinel.com

Website: https://opsinel.com

"Platform" means the Opsinel service provided to Clients - companies, institutions, or other organisations using authorised phishing simulations, employee training, campaign statistics, and related security functions.

If this Privacy Policy and the Terms of Service differ regarding Platform use restrictions, the stricter provisions protecting Client accountability and abuse prevention apply.

2. Roles Under GDPR

2.1. Opsinel as controller:

Opsinel is controller when processing Client account data, administrator data, contracts, payments, website visitor data, security data, audit logs, legal claims, abuse prevention data, and service administration data.

2.2. Opsinel as processor:

When the Client uploads employee or other lawfully controlled recipient data and instructs Opsinel to run simulations or training, Opsinel generally acts as processor and the Client acts as controller.

2.3. Client responsibility:

The Client determines employee processing purposes, recipient lists, campaign content, sending time, employee notice, and legal basis. The Client is responsible for ensuring that its instructions are lawful, proportionate, transparent, and compliant with GDPR, employment law, internal policies, and the Terms of Service.

2.4. Unlawful instructions:

If a Client instruction, campaign, recipient list, or content appears unlawful, unauthorised, excessive, or harmful, Opsinel may refuse to carry it out, suspend processing, request evidence, and take action under the Terms of Service.

3. Data We Process

3.1. Client and administrator data:

• name, job title, email, phone number, company name, domain, country, timezone, plan, and organisation settings;

• login data, authentication records, account roles, legal consent records, IP address, User-Agent, consent version, and consent text snapshot;

• payment, invoice, subscription, cancellation, 7-day refund-window, refund status, order, and support information;

• communications with us, support requests, incident reports, and administrative notices.

3.2. End user / employee data processed on behalf of the Client:

• name, work email, department, group, job title, or other minimum necessary work-context data provided by the Client;

• campaign recipient status, unique token, email send, delivery, open, click, training start, and completion data;

• whether an attempt was made to enter data on a simulated page, where this feature is used for training. Opsinel must not be used to collect real passwords, OTP codes, payment card data, or other secrets;

• IP address, browser, device, time, and security metadata as necessary for campaign statistics, security, audit trail, and abuse investigation.

3.3. Technical, security, and audit data:

• login, session, API, error, SMTP, email sending, system operation, and security logs;

• IP addresses, device and browser type, User-Agent, approximate location based on IP, request time, action history, administrator actions, and change history;

• evidence needed to determine lawful Platform use: domain control, campaign authorisation, recipient lawfulness, consent, and abuse investigation records.

3.4. Website and cookie data:

• necessary cookies, language preference, session, and security cookies;

• analytics or marketing cookies only where the required consent has been obtained or where permitted by law.

4. Data That Must Not Be Uploaded or Collected

The Client must not upload, collect, or attempt to collect the following data unless Opsinel has agreed in writing in advance and additional safeguards have been agreed:

• real passwords, one-time codes, API keys, private keys, bank card data, payment data, identity document data, or other secrets;

• special category data under GDPR Article 9, including health, biometric, genetic, political opinion, religion, trade union membership, or sexual life data;

• children's data, patient data, state secrets, confidential investigations, employee disciplinary files, or other high-risk data;

• data of third parties, customers, suppliers, competitors, or the public where the Client has no clear legal basis and authority to include them in a campaign.

If the Client breaches this prohibition, the Client is treated as independently responsible as controller for that unlawful processing. Opsinel may immediately suspend processing, isolate data, delete data, retain evidence, and notify relevant parties or authorities where necessary or required.

5. Purposes and Legal Bases

5.1. Contract conclusion and performance - GDPR Art. 6(1)(b):

Account creation, authentication, plan administration, feature delivery, customer support, billing, paid 7-day trial, cancellation, refund handling, and service performance.

5.2. Legitimate interests - GDPR Art. 6(1)(f):

Platform security, abuse prevention, incident detection, audit trails, fraud prevention, network and information system security, service improvement, dispute and claim administration.

5.3. The Client's legitimate interest or other Client legal basis - GDPR Art. 6(1)(f), 6(1)(b), 6(1)(c), or other applicable grounds:

Employee phishing simulations and training are conducted on Client instructions. The Client must establish its own legal basis, assess proportionality, provide employee notice and, where required, complete a legitimate interest assessment.

5.4. Legal obligation - GDPR Art. 6(1)(c):

Accounting, tax, responses to lawful authority requests, personal data breach handling, and compliance with legal requirements.

5.5. Consent - GDPR Art. 6(1)(a):

Optional cookies, marketing communications, or other features where consent is required by law. Consent may be withdrawn at any time, without affecting processing lawfully carried out before withdrawal.

6. Phishing Simulations and Abuse Prevention

Opsinel provides only authorised simulations. This Privacy Policy does not grant the Client any right to use the Platform for real attacks, deception, employee intimidation, spying, discrimination, or data collection without a legal basis.

To protect Opsinel, recipients, Clients, and third parties, we may process security and audit data to:

• verify whether the Client may use a specific domain, sender, recipient list, or campaign;

• detect spam, malicious content, unauthorised recipients, false identity, excessive sending, or plan bypassing;

• suspend campaigns, SMTP sending, accounts, or specific features where there is a reasonable suspicion of breach;

• preserve evidence of consents, administrator actions, campaign metadata, IP addresses, and technical logs in case of a dispute, investigation, or security incident;

• notify the Client, hosting, email, or security providers, VDAI, law enforcement, or other competent authorities where required by law or necessary to stop harm.

If the Platform is used unlawfully, Opsinel may continue to process strictly necessary data not for service delivery, but for legitimate interests, legal claims, evidence preservation, security, and harm reduction.

7. Recipients and Disclosures

Personal data may be transferred or made available only as necessary to:

• Opsinel personnel and authorised service providers who need access for service delivery, security, support, or administration;

• hosting, database, email delivery, SMTP, analytics, payment, support, error monitoring, and security providers;

• Client administrators according to their roles and permissions;

• authorities, courts, law enforcement, supervisory authorities, auditors, insurers, or legal advisers where required by law or necessary to defend rights;

• affected parties, email service providers, domain owners, or security teams where necessary to stop abuse, reduce reputational or technical harm, or investigate an incident.

We do not sell employee or campaign recipient personal data. Individual employee results are not provided to third parties except to the Client as controller, lawful service providers, or where required by law.

8. Subprocessors and International Transfers

Opsinel may use subprocessors necessary for Platform operation, such as Supabase or other hosting, database, email delivery, payment, analytics, security, and support providers.

Where Opsinel acts as processor, subprocessors are engaged under the DPA and GDPR Article 28 requirements. The Client agrees that such subprocessors may be used to provide the service if they are bound by appropriate confidentiality and data protection obligations.

Data is primarily processed in the EU/EEA or using EU/EEA regions where supported by the service architecture. If data is transferred outside the EU/EEA, GDPR Chapter V safeguards apply, including European Commission Standard Contractual Clauses, adequacy decisions, or other permitted safeguards.

Current information about key processor categories is provided in this Policy, the DPA, order documents, or made available to the Client upon request where needed for lawful assessment.

9. Retention Periods

We retain data no longer than necessary for the purposes for which it is processed, or as required by law, contract, DPA, limitation periods, accounting, security, or abuse investigation.

Indicative periods:

• Client account and contract data - during the agreement and up to 2 years after termination unless longer retention is needed for accounting or disputes;

• invoices, payments, cancellation, and refund data - for statutory retention periods or as needed for disputes and accounting;

• campaign, simulation, training, and recipient data - under the Client plan, DPA, or up to 3 years from campaign end unless the Client requests earlier deletion and no lawful retention ground applies;

• login, security, audit, and administrator action logs - up to 24 months, and in case of incident, abuse, dispute, or investigation, as long as necessary;

• legal consent snapshot, IP, User-Agent, and signing evidence - during the agreement and as long as necessary for disputes, audit, and legal requirements;

• cookies - according to the period stated in the cookie policy or consent tool.

After expiry, data is deleted, anonymised, or isolated if continued retention is necessary only for legal claims or security purposes.

10. Security Measures

Opsinel applies technical and organisational measures that may include:

• TLS/HTTPS encryption in transit;

• password hashing, access controls, least-privilege principle, and administrator action audit;

• protection of SMTP and other sensitive configurations where stored in the Platform;

• database and application access restrictions, log monitoring, backups, and incident handling procedures;

• confidentiality obligations for personnel and service providers.

No system is completely risk-free. The Client must also protect its accounts, use strong passwords, limit administrators, remove unused access, and report suspicious activity.

11. Personal Data Breaches

If a personal data breach occurs, Opsinel acts according to its role in the specific processing.

Where Opsinel acts as processor, we notify the Client of a Client data breach without undue delay so the Client can fulfil its controller obligations.

Where Opsinel acts as controller and the breach is likely to result in a risk to individuals' rights and freedoms, we notify the competent supervisory authority, where feasible, no later than 72 hours after becoming aware. If there is a high risk to individuals, we also notify the data subjects unless an exception applies.

The Client must immediately notify Opsinel of any suspected account, recipient list, SMTP, campaign, or employee data security incident.

12. Data Subject Rights

Under GDPR, you may have the right of access, rectification, erasure, restriction, data portability, objection to legitimate-interest processing, and withdrawal of consent where processing is based on consent.

If you are a Client employee or campaign recipient, your employer or another Client organisation is often the controller. We may forward such requests to the Client or act on Client instructions unless Opsinel itself acts as controller for the specific processing.

We respond within GDPR time limits - usually within 1 month, with a possible extension of up to 2 additional months for complex cases, with notice to the requester.

Rights may be limited where fulfilling the request would infringe others' rights, law, trade secrets, security investigations, evidence retention, or legal claims.

To exercise rights, contact: info@opsinel.com

13. Employee Notice and Client Duties

Before using the Platform, the Client must ensure that employees are properly informed about possible security simulations, their purpose, data categories, rights, retention periods, and Client contacts.

Specific campaign dates, templates, or exact scenarios may be withheld where necessary for training effectiveness, but general notice about such testing must be provided.

The Client must have and, upon request, provide evidence of legal basis, management or responsible department approval, employee notice, domain control, and recipient lawfulness.

If the Client uses the Platform for prohibited purposes or fails to comply with these duties, the Client is responsible for resulting claims by data subjects, employees, authorities, or third parties.

14. Automated Decision-Making and Profiling

Opsinel may provide risk, click, training completion, or other statistical indicators to help the Client assess training effectiveness and security risk.

Opsinel does not itself make automated decisions that produce legal or similarly significant effects for employees. The Client must not use Platform results as the sole basis for disciplinary sanctions, employment termination, or another significant employee decision.

15. Minors

The Platform is intended for B2B use and is not directed to children or minors. The Client must not upload minors' data unless this is lawfully necessary and agreed with Opsinel in writing in advance, including additional safeguards.

16. Policy Changes

Opsinel may update this Privacy Policy when the Platform, law, service providers, security practices, or processing operations change.

Material changes will be communicated on the website, in the Platform, or by email where reasonably possible. If changes relate to legal consents or Client duties, we may require acceptance of a new version before campaigns continue.

Last reviewed: May 10, 2026

17. Contact and Complaints

For questions about this Privacy Policy, processing, or rights requests, contact:

Email: info@opsinel.com

Website: https://opsinel.com/contact

You also have the right to lodge a complaint with the supervisory authority:

State Data Protection Inspectorate (VDAI), Lithuania

Website: https://vdai.lrv.lt

Email: ada@vdai.lrv.lt