Privacy Policy

1. Who we are

The TROY platform is operated by Lancelot Technologies Ltd., an Israeli company. Contact: privacy@lancelotech.com.

2. What data we process

We process two categories of personal data through the Platform:

• Operator data. Names, work email addresses, hashed passwords, and audit logs of the operators who use the Platform. Lancelot is the data controller for this data.
• Target data. Names, work email addresses, departments, language preferences, and external identifiers of the employees being targeted in simulations imported by Customer. Lancelot is the data processor; the Customer is the data controller.

We also process limited campaign telemetry: open events (timestamp, IP address, user agent), click events, form submissions (encrypted at rest), and "reported as phishing" events.

3. How we use it

• To operate the Platform: deliver email, render landing pages, capture campaign events, and present operator dashboards.
• To produce risk scores and reports for the Customer.
• To monitor for abuse and operate Platform security.
• To meet legal obligations.

We do not sell personal data. We do not use Target data for any purpose other than operating the campaigns the Customer instructs.

4. Retention

Raw event logs and submitted credential data are retained for one hundred days, after which raw events are aggregated and the underlying records are purged. Operator audit logs are retained for one year. Tenant configuration data is retained for the duration of the contract plus thirty days, then purged unless the Customer requests immediate deletion.

5. Sub-processors

We operate the mail server and application infrastructure ourselves. The current sub-processors are limited to our hosting provider (for the underlying compute and IP address) and our domain registrar / DNS provider. A current list is available on request.

6. Security

The Platform uses TLS 1.2+ for all transport, encryption at rest for the application database, and additional column-level encryption for sensitive fields. Access controls follow least-privilege principles. See our Security page for technical detail.

7. Your rights

Subjects whose personal data is processed in the Platform may exercise applicable rights of access, rectification, erasure, and restriction by contacting their employer (the Customer / data controller). Operator subjects may contact Lancelot directly at privacy@lancelotech.com.

8. International transfers

The Platform infrastructure is operated outside the European Economic Area. Where personal data of EEA residents is processed, transfers rely on Standard Contractual Clauses or equivalent safeguards.

9. Changes

Material changes will be communicated to operators by email at least thirty days before they take effect.

10. Contact

Questions about this policy: privacy@lancelotech.com.