Privacy Policy

Effective July 8, 2026

In plain English: we keep as little as possible. The raw email you upload is deleted after analysis. We never store passwords or secrets found inside an email, and we never show malicious links as live, clickable links. We don't sell your data.

This Privacy Policy explains what Noetis ("we", "us") collects when you use Noetis Phish Report (the "Service"), how we use it, and the choices you have.

1. Information we collect

2. How we handle uploaded emails (important)

3. How we use information

Improvements to our detection logic are human-reviewed; we do not let customer submissions silently and automatically change how the Service scores other customers' messages.

4. AI processing

To write the plain-English narrative in your report, we send a sanitized, structured summary of the already-computed evidence (with links defanged) to our AI provider. We do not send the raw email as instructions, and we do not send credentials or secrets. Our AI provider does not use this data to train its models.

5. Service providers (sub-processors)

We rely on a small number of vendors to run the Service:

These providers process data on our behalf under their own terms and security commitments.

6. Data retention

7. Organizations and who can see your reports

You may use Noetis Phish Report on your own, or as part of an organization (for example, a team or a business an IT provider manages) that shares a pooled credit balance. Membership in an organization is set up with an administrator — having a matching email domain does not, by itself, add you to one.

8. Your choices and rights

Depending on where you live, you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing. You can request these by contacting privacy@noetis.us. You can also request deletion of your reports and account; we will honor such requests subject to records we must retain by law.

9. Security

We treat every uploaded file as hostile and isolate its processing, encrypt data in transit and at rest, restrict access, and log security-sensitive actions. See our Security statement for details. No system is perfectly secure, but data minimization is central to our design.

10. International users

The Service is operated from, and data is processed in, the United States and other regions where our providers operate. By using the Service you understand your information may be processed in those locations.

11. Children

The Service is not directed to, and may not be used by, anyone under 18.

12. Changes to this policy

We may update this Policy; the "Effective" date above shows the current version. Material changes will be reflected here.

13. Contact

Privacy questions or requests: privacy@noetis.us.