Marulk

Privacy Policy

Last updated: 28th January 2026

This Privacy Policy explains how Aubeco AB, a company registered in Sweden with registration number 559518-5157 ("Marulk", "we", "us", or "our"), collects, uses, discloses, and protects personal data when you use our phishing simulation and security awareness training platform (the "Service").

We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data Controller and Processor Roles

1.1. Marulk as Data Controller: We act as a data controller for personal data we collect directly from you when you create an account, visit our website, or interact with us (e.g., account administrators, billing contacts).

1.2. Marulk as Data Processor: When our customers (organizations) use the Service to conduct phishing simulations and security awareness training for their employees, the customer is the data controller for their employees' personal data, and we act as a data processor on the customer's behalf.

1.3. If you are an employee or end-user participating in phishing simulations or training through your employer, please contact your employer (the organization using Marulk) for information about how your data is processed.

2. Information We Collect

2.1. Account and Customer Information

When you register for an account or subscribe to our Service, we collect:

  • Name and contact information (email address, phone number)
  • Organization name and business details
  • Billing information (billing address, VAT/Tax ID)
  • Payment information (processed securely through Stripe; we do not store full card details)
  • Account credentials (email, encrypted password)

2.2. End-User Data (Processed on Behalf of Customers)

When customers use the Service for phishing simulations and training, they may upload or provide data about their employees, including:

  • Employee names and email addresses
  • Department or organizational unit
  • Simulation and training results (e.g., whether an employee clicked a simulated phishing link, completed training modules)
  • Training progress and completion status

This data is processed by us on behalf of the customer (data controller) according to their instructions.

2.3. Usage and Technical Data

We automatically collect certain information when you use the Service:

  • IP address and approximate location
  • Browser type and version
  • Device type and operating system
  • Pages visited and features used
  • Date and time of access
  • Referring website or source

2.4. Cookies and Similar Technologies

We use cookies and similar tracking technologies to enhance your experience, analyze usage, and support our operations. See Section 10 for more details on cookies.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1. Providing the Service

  • Creating and managing your account
  • Delivering phishing simulation and training features
  • Processing payments and managing subscriptions
  • Generating reports and analytics for customers

3.2. Communication

  • Sending transactional emails (account confirmations, invoices, service notifications)
  • Responding to support requests and inquiries
  • Sending product updates and announcements (with your consent or legitimate interest)

3.3. Improvement and Analytics

  • Analyzing usage patterns to improve the Service
  • Monitoring performance and troubleshooting issues
  • Developing new features and functionality

3.4. Security and Compliance

  • Detecting and preventing fraud, abuse, and security incidents
  • Enforcing our Terms of Service
  • Complying with legal obligations

4. Legal Bases for Processing

We process personal data based on the following legal grounds under GDPR:

  • Contract: Processing necessary to perform our contract with you (e.g., providing the Service, managing your subscription).
  • Legitimate Interest: Processing necessary for our legitimate interests, such as improving the Service, ensuring security, and communicating with you, where these interests are not overridden by your rights.
  • Legal Obligation: Processing necessary to comply with legal requirements (e.g., tax and accounting obligations).
  • Consent: Where you have given consent for specific processing activities (e.g., marketing communications). You may withdraw consent at any time.

5. How We Share Your Information

We do not sell your personal data. We may share your information in the following circumstances:

5.1. Service Providers

We use trusted third-party service providers to help us operate the Service, including:

  • Cloud hosting and infrastructure providers
  • Payment processors (Stripe)
  • Email delivery services
  • Analytics providers
  • Customer support tools

These providers are contractually obligated to protect your data and may only use it to provide services to us.

5.2. Legal Requirements

We may disclose your information if required by law, court order, or government request, or if we believe disclosure is necessary to protect our rights, safety, or the rights of others.

5.3. Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, your information may be transferred to the acquiring entity. We will notify you of any such change and any choices you may have.

5.4. With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer data internationally, we ensure appropriate safeguards are in place, such as:

  • Transfers to countries with an adequacy decision by the European Commission
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Other legally recognized transfer mechanisms

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Regular security assessments and monitoring
  • Employee training on data protection

While we strive to protect your data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

  • For the duration of your subscription and a reasonable period thereafter
  • As required to comply with legal, accounting, or reporting obligations
  • To resolve disputes and enforce agreements

End-user data processed on behalf of customers is retained according to the customer's instructions and our data processing agreement. Upon termination of a customer's subscription, we will delete or return their data within a reasonable period, unless retention is required by law.

9. Your Rights

Under GDPR and applicable data protection laws, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your personal data in certain circumstances.
  • Right to Restriction: Request restriction of processing in certain circumstances.
  • Right to Data Portability: Receive your data in a structured, commonly used format.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.

To exercise these rights, please contact us at support@marulksecurity.com. We will respond to your request within the timeframes required by law (typically within one month).

If you are an employee whose data is processed through the Service by your employer, please contact your employer to exercise your rights, as they are the data controller for that data.

You also have the right to lodge a complaint with a supervisory authority. In Sweden, the supervisory authority is Integritetsskyddsmyndigheten (IMY).

10. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

10.1. Essential Cookies

Required for the Service to function properly (e.g., authentication, security, session management).

10.2. Analytics Cookies

Help us understand how visitors interact with our website and Service, allowing us to improve functionality and user experience.

10.3. Preference Cookies

Remember your settings and preferences (e.g., language, display options).

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Service.

11. Children's Privacy

The Service is designed for business use and is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it promptly.

12. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal data.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. We encourage you to review this policy periodically.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Company: Aubeco AB

Address: Stationsvägen 18, Åkersberga, Sweden

Registration Number: 559518-5157

Email: support@marulksecurity.com

By using Marulk, you acknowledge that you have read and understood this Privacy Policy.