Privacy Policy
Effective July 8, 2026
In plain English: we keep as little as possible. The raw email you upload is deleted after analysis. We never store passwords or secrets found inside an email, and we never show malicious links as live, clickable links. We don't sell your data.
This Privacy Policy explains what Noetis ("we", "us") collects when you use Noetis Phish Report (the "Service"), how we use it, and the choices you have.
1. Information we collect
- Account information — your email address and (optionally) name, managed through our identity provider when you register and verify your email.
- Uploaded email files and their extracted content — the
.eml/.msgfile you submit, and the evidence we extract from it (headers, sender and domain details, links, attachment names and hashes, authentication results, and similar). - Technical and usage data — IP address, browser/user-agent, timestamps, and security/audit events used to operate the Service, enforce rate limits, and prevent abuse.
- Payment data — if you buy credits or subscribe to a plan, our payment processor handles your card details; we receive only transaction metadata (such as amount, status, plan, and identifiers). We do not store full card numbers.
2. How we handle uploaded emails (important)
- The raw uploaded file is deleted after analysis completes.
- We store only what the report needs: extracted metadata, evidence, file hashes, defanged (neutralized) URLs, and the report output.
- We do not store passwords, one-time codes, API keys, or other secrets found inside an uploaded email.
- We never display suspicious links as live, clickable links — they are always defanged.
3. How we use information
- to provide the analysis and deliver your report;
- to operate, secure, and improve the Service, including rate limiting, abuse and fraud prevention, and quality control;
- to process payments and maintain an accurate credit ledger;
- to comply with legal obligations and enforce our Terms.
Improvements to our detection logic are human-reviewed; we do not let customer submissions silently and automatically change how the Service scores other customers' messages.
4. AI processing
To write the plain-English narrative in your report, we send a sanitized, structured summary of the already-computed evidence (with links defanged) to our AI provider. We do not send the raw email as instructions, and we do not send credentials or secrets. Our AI provider does not use this data to train its models.
5. Service providers (sub-processors)
We rely on a small number of vendors to run the Service:
- Identity/authentication — manages sign-in, email verification, and multi-factor authentication.
- Cloud hosting and storage — runs our API, isolated analysis worker, database, and private file storage.
- Frontend hosting — serves this website.
- AI narration — generates the plain-English explanation from sanitized evidence (see Section 4).
- Payments — processes purchases, if and when paid credits are offered.
These providers process data on our behalf under their own terms and security commitments.
6. Data retention
- Raw uploaded files: deleted after analysis.
- Reports: retained for a limited period (trial reports for roughly 30–90 days; paid reports up to 12 months), then deleted.
- Account, credit-ledger, and audit records: retained as long as needed to operate the Service and meet legal, security, and financial requirements.
7. Organizations and who can see your reports
You may use Noetis Phish Report on your own, or as part of an organization (for example, a team or a business an IT provider manages) that shares a pooled credit balance. Membership in an organization is set up with an administrator — having a matching email domain does not, by itself, add you to one.
- Your submissions are private to you. Within an organization, the messages you submit and the reports they produce are visible only to you — not to other members. Colleagues cannot read, export, or delete your reports.
- An organization's owner may see aggregate usage (such as how many messages were analyzed and the mix of verdicts) to manage the account, but not the content of individual members' submissions.
- Our staff do not browse your reports. Administrative access to a customer report is limited, justified, and logged, and used only to operate, secure, support, and improve the Service.
8. Your choices and rights
Depending on where you live, you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing. You can request these by contacting privacy@noetis.us. You can also request deletion of your reports and account; we will honor such requests subject to records we must retain by law.
9. Security
We treat every uploaded file as hostile and isolate its processing, encrypt data in transit and at rest, restrict access, and log security-sensitive actions. See our Security statement for details. No system is perfectly secure, but data minimization is central to our design.
10. International users
The Service is operated from, and data is processed in, the United States and other regions where our providers operate. By using the Service you understand your information may be processed in those locations.
11. Children
The Service is not directed to, and may not be used by, anyone under 18.
12. Changes to this policy
We may update this Policy; the "Effective" date above shows the current version. Material changes will be reflected here.
13. Contact
Privacy questions or requests: privacy@noetis.us.