Terms of Service

By creating an account, accessing, or using any ThouShaltNotClick service — including our web platform, Chrome extension, phishing simulations, training courses, and breach monitoring ("Services") — you agree to be bound by these Terms of Service ("Terms"). If you do not agree, do not use the Services. These Terms constitute a legally binding agreement between you and Education Technology Professionals, LLC ("ETP," "we," "us," or "our"), the company that operates ThouShaltNotClick.

ThouShaltNotClick provides personal cybersecurity awareness services including: • Simulated phishing emails sent to your personal email to test your awareness • Interactive training courses on phishing, passwords, social engineering, and safe browsing • A Chrome browser extension with email scanning and a "Report Suspicious" button • Personal email breach monitoring via third-party data sources • A personal dashboard tracking your training progress and simulation results For Family plans, these services extend to up to 5 additional family members you invite. As the primary account holder, you are responsible for ensuring invited family members consent to receiving simulated phishing emails.

IMPORTANT: ThouShaltNotClick is a cybersecurity awareness and training platform — NOT a comprehensive cybersecurity solution. We do not guarantee that our Services will prevent all phishing attacks, data breaches, or security incidents. • Our Chrome extension and email scanning tools help identify many suspicious emails, but they cannot catch 100% of phishing attempts. Phishing techniques evolve rapidly, and new attack methods emerge constantly. While we continuously update our detection capabilities, no tool can guarantee complete protection. • AI-Enhanced Analysis provides an additional layer of detection but is not infallible. AI models can produce false positives (flagging legitimate emails) or false negatives (missing real threats). AI analysis results should be considered advisory, not definitive. • Community Threat Protection helps share threat intelligence within your organization, but it depends on at least one person identifying and analyzing a suspicious email first. It cannot protect against novel, targeted attacks that no one has analyzed yet. • Our phishing simulations are training exercises. They test awareness using known techniques, but real-world attacks may use novel methods not covered in our simulations. • Breach monitoring relies on third-party data sources and can only report breaches that have been publicly discovered and cataloged. • In cybersecurity, defensive measures inherently lag behind offensive innovation. We are committed to staying at the forefront of phishing prevention, but we cannot guarantee our Services will detect every new threat. You acknowledge that cybersecurity is a shared responsibility and that our Services are one layer of a comprehensive security strategy — not a replacement for email filtering, endpoint protection, network security, and organizational security policies.

By using our Services, you consent to receiving simulated phishing emails at your registered email address. These emails are designed to appear realistic and may use urgency, authority impersonation, and social engineering tactics for training purposes. • Clicking links in simulated emails is recorded to track your progress. • Your simulation results are private to you (and your family plan administrator, if applicable). • You may opt out of simulations at any time by cancelling your account. For Family plans: family members you invite also consent to receiving simulations upon accepting their invitation.

The Chrome extension provides several features: EMAIL ANALYSIS (LOCAL): When you open an email in Gmail, the extension analyzes it for phishing indicators using a local analysis engine that runs entirely inside your browser. Full email content is never transmitted to our servers. AI-ENHANCED ANALYSIS (OPT-IN): You may choose to click the "AI Analysis" button on any email to request a deeper analysis. This is entirely optional and requires explicit action each time. When used, the email's sender address, subject line, visible headers, full link URLs with display text, and up to 3,000 characters of the body are sent to our AI service for analysis. The AI returns a score and explanation. Email content is processed in real-time and not stored; analysis results (score and verdict) are logged for organizational security monitoring. COMMUNITY THREAT PROTECTION: When AI analysis identifies an email as dangerous (score below 30), the sender address and subject line are stored in our database and shared with other members of your organization. This helps protect your colleagues from the same phishing attack. No email body content is ever stored or shared. Administrators can dismiss false positives. ONLINE KINDNESS SCORE: The extension monitors your communication patterns across email, chat, and AI platforms for polite language. This analysis runs 100% in your browser. Only aggregate statistics (not message content) are synced daily to the server for organizational leaderboards if you are part of an organization. Your actual messages are never recorded or transmitted. REPORT & REPORT SAFE: The "Report Suspicious" and "Report Safe" buttons let you flag emails for your administrator to review. Reports include the sender address, subject line, and trust score — not the full email content. The extension requires certain browser permissions used solely for its stated functionality — not for surveillance, advertising, or unnecessary data collection. The extension cannot guarantee detection of all phishing attempts.

We take the privacy and security of your data seriously. Our complete data practices are described in our Privacy Policy at thoushaltnotclick.com/privacy, which is incorporated into these Terms by reference. • We collect only data necessary to provide our Services. • Simulation data (click rates, report rates, training scores) is used for analytics and reporting. We do not sell data to third parties. • Standard email analysis runs entirely in your browser. No email content leaves your device during standard analysis. • AI-Enhanced Analysis is opt-in and clearly marked. When used, limited email data (sender, subject, visible headers, full link URLs, and up to 3,000 characters of body text) is sent to our AI service for real-time analysis. This data is not stored by our AI provider. • Community Threat Protection shares only sender addresses and subject lines of AI-confirmed dangerous emails within your organization. No email body content is ever stored or shared in community threats. • We use industry-standard security measures including encryption in transit (TLS) and at rest. • For organization accounts, data is isolated per organization. One organization cannot access another's data.

• All paid plans begin with a 7-day free trial with full feature access. • Payment information is collected at signup via Stripe. You will not be charged during the trial. • After the trial, your subscription automatically converts to paid unless cancelled. • Subscriptions are billed monthly or annually depending on the plan selected. • You may cancel at any time through the billing portal. Cancellation takes effect at the end of your current billing period. • We do not offer refunds for partial billing periods, except as required by law. • Price changes will be communicated at least 30 days in advance.

You agree not to: use the Services for any malicious purpose; attempt unauthorized access to other accounts; reverse-engineer our software; use the Services in any way that violates applicable law. Violation may result in account termination.

If you joined ThouShaltNotClick first as a member of an organization (such as a school or diocese) and have now converted to a personal account, the following apply: • Your former organization may retain a copy of password vault entries that were stored under your organization account, including entries you tagged as Personal during migration. Per the organization's Recovery Covenant in their Terms of Service, those entries may only be accessed for documented continuity reasons (departure, incapacity, written user request, formal investigation under applicable law), with you notified of any such access. • You should change passwords for any personal accounts (banking, social media, personal email, etc.) that were stored in your former organization's vault. While the recovery capability is governed by contract, you have no technical ability to remove those entries from your former organization's records. • Your migrated personal entries (those tagged Personal or Both during migration) are now in your personal vault, encrypted under your master password. ThouShaltNotClick cannot read them. • If a 50%-first-year discount was applied to your migration, it applies once. The subscription will renew at the regular annual price after the first year unless you cancel. • You may view a record of any access to your former organization vault in your account settings.

TO THE MAXIMUM EXTENT PERMITTED BY LAW: • ETP's total liability shall not exceed the amount you paid for the Services in the twelve (12) months preceding the claim. • ETP shall not be liable for indirect, incidental, special, consequential, or punitive damages, including loss of data, revenue, or damages resulting from a security breach that our Services did not detect. • ETP is not liable for damages resulting from reliance on our Services as your sole cybersecurity measure. • Our Services are provided "as is" and "as available" without warranties of any kind, express or implied.

We may modify these Terms at any time. For material changes, we will notify active account holders via email at least 30 days before changes take effect. Continued use after the effective date constitutes acceptance. If you disagree, you must cancel your account before changes take effect.

Either party may terminate the relationship. You may cancel your account at any time. We may suspend or terminate your account for Terms violations or non-payment. Upon termination, data is retained for 90 days, then permanently deleted unless legally required otherwise. Sections that by nature should survive termination (Liability, Indemnification, IP) shall survive.

These Terms are governed by the laws of the State of New Jersey. Disputes shall be resolved through binding arbitration per the American Arbitration Association rules, except that either party may seek injunctive relief in court. The prevailing party may recover reasonable attorney's fees.

Questions about these Terms? Contact us: Education Technology Professionals, LLC Email: support@thoushaltnotclick.com Website: www.thoushaltnotclick.com Privacy inquiries: privacy@thoushaltnotclick.com