Privacy Policy

Account and company information, such as administrator names, work email addresses, company profile details, authentication records, and configuration settings.

Employee records uploaded or entered by authorized administrators, including work email, name, role, department, status, and campaign assignment details.

Campaign and simulation data, including draft campaigns, selected targets, approved or excluded simulations, generated email metadata, review decisions, launch status, and delivery state.

Security awareness events generated through Horus-i tracking routes, such as opens, clicks, submissions, awareness redirects, timestamps, campaign identifiers, and related audit metadata.

Operational records needed to run the service, including delivery attempts, Resend webhook events, generation validation results, retry metadata, and redacted audit events.

To authenticate administrators, maintain sessions with httpOnly cookies, and protect dashboard access.

To prepare safe phishing simulation campaigns, resolve campaign targets, generate reviewable simulation drafts, and send only administrator-approved content.

To provide dashboards, reports, CSV exports, employee feedback, coaching workflow states, and campaign performance metrics.

To troubleshoot delivery, webhook, generation, and enrichment workflows while avoiding raw prompts, raw provider payloads, secrets, and email body content in operational audit logs.

To enforce product safeguards, prevent duplicate sends, validate generated content, apply retry rules, and maintain tenant isolation.

Horus-i may use a configured enrichment provider, currently People Data Labs, to help prepare professional context for simulations. Raw enrichment provider payloads are restricted and are not shown in normal admin UI, exports, reporting, prompts, or delivery payloads.

Only sanitized, explicitly allowed professional fields may be used for generation context, such as role, department, seniority, company/domain, professional profile summary, confidence, and source status.

Denied categories include home address, family data, religion, politics, health, private social posts, personal phones, personal emails, leaked passwords, and unknown provider fields.

LLM-generated simulation emails are validated before review, are not approved by default, and must pass safety checks before they can be approved or sent.

We use service providers to operate Horus-i, including Supabase for authentication and application data storage, a configured LLM provider for safe simulation draft generation, People Data Labs for enrichment when enabled, and Resend for email delivery and delivery webhooks.

Providers receive only the information needed for their specific service boundary. Raw enrichment data is not sent to the LLM or Resend, and Resend payloads contain only approved content, recipient and sender metadata, safe tags/headers, idempotency keys, and Horus-i tracking links.

We do not sell personal information.

We retain account, company, employee, campaign, simulation, reporting, delivery, webhook, and audit records for as long as needed to provide the service, support customer review, comply with legal obligations, and maintain security and integrity.

Restricted raw enrichment payloads and diagnostic webhook data should be retained only for a limited operational period according to the customer environment's retention policy.

Customers may delete employees, campaigns, and related records through available product controls where supported.

Customers are responsible for having appropriate authority and notices when uploading employee data and running internal awareness campaigns.

Administrators can review generated simulations before sending, edit or exclude simulations, approve only safe content, and export reportable campaign results after accepted delivery.

Employees who receive simulations may interact with training and awareness pages as part of an authorized customer campaign.

For privacy questions or data requests, contact the Horus-i team through your organization administrator or the support channel provided with your Horus-i account.