PRIVACY NOTICE / TERMS OF PARTICIPATION (PHISHING SIMULATION) — ART. 13 GDPR
​
1. Controller
Webguardiola FlexCo (Austria)
Email: hello@webguardiola.com
Further contact/address details are available in the Legal Notice / Imprint on webguardiola.com.
​​
2. What you are signing up for (Purpose / Scope)
You are registering for a cybersecurity awareness simulation (“phishing simulation”) for training and educational purposes. You will receive unannounced simulated phishing emails that mimic real-world attacks (e.g., fake login prompts, delivery notifications, malware warnings). The simulation is harmless.
Important: Webguardiola will never ask for your real password.
​​
3. Legal basis
We process your personal data based on your explicit consent (Art. 6(1)(a) GDPR). You can withdraw your consent at any time (see section 10).
​​
4. Processor / Tools used
To send simulation emails and measure interactions, we use eworx Marketing Suite (Austria/EU) as a processor (service provider acting on our behalf).
​​
5. What data we process
A) Registration / profile data
- Email address
- Your self-assessment regarding phishing (if provided)
B) Simulation interaction data
- Email delivery status (delivered/bounced)
- Email opens via tracking pixel (only if you consented / tracking is enabled)
- Link clicks
- Timestamps of interactions
- IP address (or roughly derived region/location if provided by the tool)
- Device type, operating system (if provided), browser/email client information
​
6. Purposes of processing
We process your data solely to:
- run the phishing simulation,
- evaluate interactions and provide learning feedback,
- improve the training experience and evaluate simulation effectiveness,
- produce an anonymous benchmark summary (percentages only, no names).
Benchmark note: The benchmark report contains aggregated results only. Your personal score is not shown publicly and not linked to your name.
​
7. Automated evaluation / profiling
A score may be calculated automatically based on your interaction data (e.g., clicks/reports). This is used only for learning feedback and does not produce legal effects or similarly significant effects on you.
​​
8. Scientific research (optional)
If you additionally consent, your interaction data may be used for scientific research and statistical analysis. Results will be published only in aggregated form. For research purposes, data will be anonymised or aggregated so that individuals are not identifiable.
​​
9. Corporate email addresses & liability
This offer is intended for private individuals. If you use a corporate email address (e.g., your employer’s domain), you confirm that your participation does not violate your employer’s policies and that you are authorised to receive these simulation emails. Webguardiola accepts no liability for internal security alerts, IT reactions, or any internal consequences resulting from your participation using a corporate email address.
​​
10. Storage (retention) & withdrawal
Your personal data is stored for as long as you participate in the simulation.
If you withdraw consent / unsubscribe, the simulation ends and your personal data will be deleted or irreversibly anonymised within 30 days, unless legal obligations require longer retention (in which case processing will be restricted).
You can withdraw consent at any time via the Unsubscribe link included in every simulation email.
​​
11. Data location / transfers
Processing takes place within the EU (eworx environment with server location in Austria/EU). No transfer to third countries outside the EU/EEA is intended.
​
12. Your rights (GDPR)
You have the right to request access, rectification, erasure, restriction of processing, data portability, and—where applicable—objection. You may also withdraw consent at any time (Art. 7(3) GDPR) without affecting the lawfulness of processing before withdrawal.
​​
13. Supervisory authority (complaints)
Austrian Data Protection Authority (Österreichische Datenschutzbehörde)
Barichgasse 40–42, 1030 Vienna, Austria
Email: dsb@dsb.gv.at
​​
14. Is providing data mandatory?
- Email address: required to participate (otherwise we cannot send simulation emails).
- Self-assessment: optional.
If required information is not provided, participation is not possible.
​
Age confirmation: By registering, you confirm that you are at least 18 years old and legally capable.
