Terms of Service
Last updated: March 2026
OutPhish is operated by BCBP Holdings Pty Ltd (“we”, “us”, “our”).
By accessing or using OutPhish (“the Service”), you agree to these Terms. If you do not agree, do not use the Service.
1. The Service OutPhish is a cybersecurity awareness platform that sends simulated phishing emails to your nominated employees. You authorise us to send these emails on your behalf when you create a campaign.
2. Eligibility You must be an authorised representative of your organisation with the authority to enrol employees in security awareness training. You must not use the Service to target individuals outside your organisation or without appropriate organisational authority.
3. Your Responsibilities You are responsible for ensuring that your use of the Service complies with all applicable laws, including the Privacy Act 1988 (Cth), the Spam Act 2003 (Cth), and any applicable employment laws. You must only upload contact details of employees for whom you have appropriate authority to conduct security awareness testing. You must inform employees that security awareness training, including simulated phishing, forms part of your organisation’s security program, either through employment agreements, workplace policies, or staff communications.
4. Acceptable Use You must not use the Service to target individuals who are not employees of your organisation, send simulated phishing emails for any purpose other than legitimate security awareness training, attempt to collect real credentials or sensitive personal information, or resell or sublicense the Service without our prior written consent.
5. Data We process employee names and email addresses solely for the purpose of delivering simulated phishing campaigns and reporting results. See our Privacy Policy for details.
6. Intellectual Property All content, software, and materials provided through the Service remain our property or that of our licensors.
7. Disclaimers The Service is provided “as is.” We do not guarantee that simulated phishing emails will bypass all email security filters. To the maximum extent permitted by Australian Consumer Law, we exclude all other warranties.
8. Limitation of Liability To the maximum extent permitted by law, our liability for any claim arising from the Service is limited to the fees you paid in the 12 months preceding the claim. We are not liable for any indirect, consequential, or incidental loss.
9. Termination Either party may terminate at any time by providing written notice. On termination, we will delete your data within 30 days unless retention is required by law.
10. Governing Law These Terms are governed by the laws of Victoria, Australia. You submit to the non-exclusive jurisdiction of the courts of Victoria.
11. Changes We may update these Terms from time to time. Continued use of the Service after changes constitutes acceptance.
Contact: blaine@bcbpholdings.com
Privacy Policy
Last updated: March 2026
BCBP Holdings Pty Ltd operates OutPhish (“we”, “us”, “our”). We are committed to protecting your privacy in accordance with the Australian Privacy Principles under the Privacy Act 1988 (Cth).
1. Information We Collect Account information: name, email address, business name, and billing details of the account holder. Employee data: names and email addresses uploaded by account holders for the purpose of conducting simulated phishing campaigns. Usage data: campaign results including open rates, click rates, and credential submission events (no actual credentials are collected or stored). Technical data: IP addresses, browser type, and device information when you access our platform.
2. How We Use Your Information We use your information to deliver and improve the Service, generate campaign reports for account holders, process payments, communicate with you about your account, and comply with legal obligations.
3. Disclosure We may disclose personal information to payment processors for billing, email delivery providers (such as Mailgun) for sending simulated phishing emails, and law enforcement or regulatory authorities where required by law. We do not sell personal information.
4. Data Retention We retain account data for the duration of your subscription and for 12 months after termination. Campaign data is retained for 12 months after the campaign date. You may request earlier deletion by contacting us.
5. Security We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access or disclosure. Data is encrypted in transit and at rest.
6. Access and Correction You may request access to or correction of your personal information by contacting us at support@outphish.com. We will respond within 30 days.
7. Complaints If you believe we have breached the Australian Privacy Principles, please contact us at support@outphish.com. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
8. Changes We may update this Privacy Policy from time to time. Updates will be posted on this page.
Contact: blaine@bcbpholdings.com