Regulations of the website and service – Terms of Use


  1. These regulations define the conditions for the use of the website, in particular the rights and obligations of registered users of
  2. Whenever reference is made in these Regulations:
    1. Operator - this should be understood as a company operating under the name NIGRIV z o.o. (address: ul. SŁAWIŃSKA, no. 6, lok. 807, city WARSZAWA, code 01-218, WARSZAWA Post Office, Poland) entered in the Register of Entrepreneurs of the National Court Register under KRS number: 0000808806, holding Tax Identification Number (NIP): 527-290-88-16 and REGON identification number: 384634106, with a fully paid-up share capital of PLN 5000.00.
    2. Service - shall mean the internet portal operating at the internet address, run by the Operator, under the conditions specified in the Regulations.
    3. User - shall be understood as a person having full legal capacity, who by accepting the Regulations has gained access to the Services. The User may also be a legal person and an organizational unit which is not a legal person, to which the Act grants legal personality, and which uses the Services provided by the Operator.
    4. Services (Service) - shall mean the Service or Services provided by the Operator on the terms specified in the Regulations.
    5. Campaign - shall be understood to mean the performance by the Service of a test of resistance of the user's company e-mail addresses to phishing attacks in the manner described in these Terms and Conditions and in accordance with the type of selected campaign.
    6. Login - shall be understood to mean an individual and unique e-mail address which is a unique User ID on the Website.
    7. Password - shall be understood to mean a string of at least 8 characters in length specified by the User and assigned to the User. The Password is required for logging into the Service by the User.
    8. Registration - shall be understood as a one-time activity consisting in establishing an Account by the User, performed with the use of the registration form made available by the Operator on one of the pages of the Website.
    9. Report - shall mean a summary of data collected on the Website according to the parameters specified by the User or the Website, created as part of the operation of the Website and consistent with the Campaign selected by the User.
    10. Account - shall be understood to mean a set of services provided by the Website together with individual User settings thanks to which the User may use the Website.
    11. Account Version - shall be understood to mean a set of functionalities to which a specific User Account has access.
    12. Regulations (Terms of Use) - it shall be understood as these regulations.
    13. Contract - shall be understood to mean the contract for provision of services by electronic means concluded between the User and the Operator at the moment of acceptance of the Regulations by the User, with the content corresponding to the content of the Regulations.
    14. Licenses - it shall be understood to mean the number of licenses to which the User is entitled corresponding to the number of employees whose data the User may introduce into the system as employees of a given organisation and subject them to the Campaign being created.
    15. Global Admin - shall be understood to mean an Account which is the first created User for a given company / organization and may create new User accounts in a given company / organization.
    16. Demo Account - shall be understood as an Account created by the Operator for the User for promotional and testing purposes.


  1. These Terms of Use specify the rules of using the Website and the Services offered by the Operator, as well as the scope of rights and obligations of the Operator and the User.
  2. The Operator is the owner of the Website and the entity providing the Services specified in these Terms of Use.
  3. Using the Website and in accordance with the rules specified in these Terms of Use, the Operator shall provide the Service of IT security research consisting in testing the resistance of the user's corporate e-mail addresses to phishing attacks via the Website:
    1. Sending by the Operator of phishing e-mails to company e-mail addresses indicated by the User;
    2. Monitoring of the statistics of opening messages and clicking on the links, buttons, etc. contained therein;
    3. Online training for persons subject to the Campaign;
    4. Preparation of a report presenting the collected statistics and data relevant to the Campaign selected by the User.
  4. Access to the Account and the Services offered by the Website is only available to Users who have registered an Account in the manner specified in the Terms and Conditions, received access to the Account created by the Account Administrator or their account was created by the company's Global Admin.
  5. To use the Website and the Services provided by the Operator, the User must read the Terms and Conditions and agree to the terms and conditions set forth in the Terms and Conditions.
  6. The Operator reserves the right to limit access to selected Services offered via the Website to Users who do not meet the condition specified by the Operator. Reservations concerning the possibility of using selected Services shall be posted on the pages of the Website each time.
  7. The functionalities available in each Account version offered by the Operator shall be listed on the pages of the Website.
  8. Minimum technical requirements for the computer system on which the User wants to use the Service:
    1. 2.8 GHz dual-core processor;
    2. RAM: 4 GB;
    3. Internet connection: 5 Mbps;
    4. Browser supporting HTML5, CSS3 and JavaScript, with cookies enabled, as well as mobile devices equipped with a web browser supporting WebKit technology.
  9. The Operator shall make every effort to ensure that data transmission over the Internet as part of the use of the Services is secure, i.e. that the transmitted information is sent in confidence, in its entirety and completeness.
  10. The Operator shall not be liable for technical problems or limitations in the computer equipment used by the User which prevent the User from using the Website and the Services offered through it.


  1. The Operator informs that access to the Services is possible after registering an Account on the Website and thus leaving the User's personal data on the Website in the manner described in this section of the Terms and Conditions, as well as after fulfilling other conditions specified in the Terms and Conditions.
  2. The registration of the User on the Website, and thus the creation of an Account, shall be effected by receiving an e-mail from the Operator containing a link to assign the Password to the User Account. The second method of registration of the User within the Service, and thus creation of an Account, shall take place by receiving an e-mail from the Operator containing information about the possibility of authentication through Azure Active Directory.
  3. The granting of the Password to the Account by the User is equivalent to activation of the Account and obtaining access to the Website.
  4. In order to conduct the Campaign and use the System, the User must have an active Account.
  5. When making the Registration, the User is obliged to provide truthful, accurate and current data, not misleading and not infringing the rights of third parties. Moreover, the User is responsible for maintaining proper confidentiality of his/her Password.
  6. The User is solely responsible for the content of the data provided by him. The Operator informs that any content sent or any Orders placed by third parties who identify themselves with the User's Login and Password, will be assigned to the User.
  7. Access to the User's Account and use of the Services provided by the Operator through the Website is possible after the User has logged in to the Website with the use of the correct Login and Password or using Azure Active Directory.
  8. The Operator reserves the right to block the User's access to the Services if it is proved that the User has used the Account and the Services in violation of the Regulations.
  9. The User's Account is valid for 365 days from the date of its creation or the last paid invoice. If the User wants to keep all the collected data during the period of validity of the Account after its expiration, he must download the said data to his own storage media, within a maximum of 30 days after the expiry of the Account. The functionality enabling data export is available only in selected Account Versions.
  10. The Operator reserves the right to delete the User's Account if the Account has lost its validity on the basis of the provisions of the regulations recorded in paragraph 9 above.


  1. The Operator reserves the right to modify the technical manner of the provision of the Services, according to the scope and conditions resulting from the rights held, as well as according to its technical capabilities.
  2. In order to ensure the security of the transmission of messages and in connection with the Services provided, the Operator takes technical and organisational measures appropriate to the degree of risk to the security of the Services provided.
  3. The User is particularly obliged to:
    1. Use the Service in a manner that does not interfere with its functioning, in particular by using specific software or devices;
    2. Not to take any actions such as: sending or posting in the Service unsolicited commercial information, taking IT actions or any other actions aimed at obtaining information not intended for the User;
    3. Use the Service in a manner consistent with the provisions of the law in force on the territory of the Republic of Poland and the provisions of the Regulations;
    4. Not to provide or place in the Service any content prohibited by the applicable law;
    5. To use the Service in a manner that is not burdensome for other Users and the Operator, respecting their personal rights (including their right to privacy) and all their rights;
    6. By creating the templates for training e-mails, the User declares that he has all rights to all materials used in them and does not violate the rights of third parties, including: copyright, trademarks, logos, etc;
    7. To use any and all content posted in the Service only for their own internal, personal use and in accordance with these Regulations;
    8. To conduct the Campaign only on persons employed by him/her and to provide data to which he/she is entitled.
  4. The Operator shall not be liable for any infringement of third party rights or any damage to third parties as a result of and in connection with the activities conducted by the User using the data collected by the User in connection with the Services provided.
  5. The Operator shall not be liable for any content obtained in the course of providing the Service to the User and any damage caused by them.
  6. The Operator shall not be liable in any way under Articles 12-14 of the Act of 18 July 2002 on provision of electronic services (Journal of Laws of 2002, No. 144, item 1204, as amended).
  7. The User is obliged to immediately notify the Operator of any breach of his rights within the scope of his use of the Service, as well as of any breach of the rules specified in the Regulations.
  8. The Operator may deprive the User of the right to use the Website, as well as restrict his or her access to some or all of the Website resources or Services offered by the Operator, with immediate effect if the User violates these Terms of Use, and in particular if the User:
    1. Provided false, inaccurate or outdated data, misleading or violating the rights of third parties during the registration in the Service;
    2. Will commit, through the Service, infringement of personal rights, in particular personal rights of other Users;
    3. Commits other behaviours, which will be considered by the Operator as reprehensible, inconsistent with the applicable laws or general rules of using the Internet, as inconsistent with the objectives of creating the Service or harming the good name of the Operator.
  9. A person who has been deprived of the right to use the Website may not register again without the prior consent of the Operator.
  10. The Account Holder may demand removal of the Account at any time during the availability of the Service. By deleting the Account, the User waives further use of any Services paid for on the Website and is aware that the funds paid by him/her are not refundable in the discussed situation.
  11. The Operator also allows the possibility of establishing cooperation with the User by concluding a separate agreement on the provision of Services. As provided for in the agreement, signing the agreement means acceptance of the provisions of the Terms of Use.
  12. The User has the right to conduct a specified number of Campaigns in accordance with the Account version to which he or she has purchased access.
  13. The employee on whom the Campaign is conducted may not undergo another Campaign before the end of the previous one.
  14. The User has the right to enter into the system the data of his or her employees in a quantity consistent with the number of Licenses purchased. He also has the right to exchange data, i.e. delete and add new users in a quantity equal to 5% (five percent) of the Licenses purchased in each month of the Account's validity.
  15. A user using a Demo Account can use all the functionalities provided to him/her. His account is valid for 90 days and the Operator is not obliged to store the collected data from Campaigns conducted by such a User for a period longer than the Account validity period. A Demo Account serves only promotional and familiarisation purposes. It is not intended to meet all the User's requirements.


  1. The use of particular Services provided by the Operator within the Website is chargeable.
  2. Access to the Website and functionalities compliant with the Account version selected by the User and additional Services offered by the Operator, to which the User wants to gain access, are subject to a fee.
  3. License prices are available on the pages of the Website. The Operator may also set prices individually with each User.
  4. If the User decides to purchase additional Licenses, the Operator shall, within 7 working days from the date of receipt of relevant information confirming the purchase from the User and receiving the necessary data, send the User a PROFORMA VAT invoice for the Services provided. From the moment of noticing the payment by the Operator, the Operator shall make a VAT invoice available in the User's Panel within 3 working days.
  5. Failure to pay the fee within the time limit specified in the PROFORMA VAT invoice delivered to the User will result in automatic blocking of the User's access to the Account. The payment made by the User within 14 days from the date of blocking the User's access to the Account shall result in the unblocking of such access within 3 working days. An ineffective lapse of the 14-day period counted from the date of blocking the User's access to the Account shall result in automatic removal of the Account and termination of the Agreement. The day of crediting the Operator's bank account shall be deemed the day of payment.
  6. Payment of the Subscription Fee within the period specified in the PROFORMA VAT invoice delivered to the User shall increase the available number of Licenses assigned to the User's Account.
  7. The User agrees to receive invoices via e-mail to the e-mail address used by him during registration and in the User Panel in the okKoala System.


  1. The Operator shall be entitled to temporary interruption in the operation of the Website and the Services provided by it for technical reasons.
  2. The Operator shall take the utmost care to ensure that technical breaks take place at night and are as short as possible.
  3. In case of a technical break lasting more than 24 hours, the Account Holder has the right to extend the validity of the Subscription Period during which the technical break took place, by as many days as the technical break lasted.
  4. The Operator shall not be liable to Users for failure to perform or improper performance of the Services for reasons attributable to third parties (including telecommunication network operators) or caused by force majeure.


  1. The User may provide personal data in order to use the Services, as well as in the course of using them, for example by filling in forms and conducting correspondence with the Operator.
  2. Providing personal data is voluntary but necessary to use the Services. Without providing personal data, it will not be possible to provide the Services.
  3. Any personal data provided by the User or to be collected by the Operator about the User shall be processed in a manner consistent with the requirements set forth in the Polish law, and in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, hereinafter referred to as "GDPR".
  4. The controller of the above mentioned personal data is the Operator.
  5. The Operator may entrust the processing of the collected Users' personal data to another entity on the basis of an entrustment agreement concluded with it.
  6. The Operator informs that the potential recipients of personal data may be: entities providing hosting of the Service, dealing with its security, authorized to do so on the basis of separate regulations by state authorities, providers of tools for analytics of traffic on the site, communication with Users, conducting marketing and sending newsletters.
  7. The User has the right to access his personal data and may verify or correct them, as well as delete them, by sending an appropriate request to the Operator.
  8. The User also has the right to object to the processing of personal data for reasons related to the specific situation of the User, if the personal data will be processed on the basis of legally justified interests. The User is also entitled to object to the processing of his/her personal data in any case, if the data will be processed for direct marketing purposes.
  9. The Operator processes Users' personal data and uses it to the extent and for the purpose necessary to provide the Services, including to inform about the operation of the tool, the possible use of the tool by the User and the necessary activities such as payments, invoices, etc.
  10. The legal basis for the processing of personal data is Article 6.1.b and Article 6.1.f of the GDPR. The legally justified interest of the Operator is to market his own services.
  11. The Operator, on the basis of the additional and optional consent given by the User, has the right to send marketing information to the given e-mail addresses. The consent referred to in the preceding sentence may be revoked by the User at any time. In the case of such consent, the legal basis for the processing of personal data shall also be Article 10 of the Act of 18.07.2002 on the provision of electronic services and Article 172 of the Act of 16.07.2004 Telecommunications Law.
  12. Personal data shall be processed for the time necessary for the provision of Services to the User, and after the completion of their provision for the time necessary to demonstrate the proper performance of the Operator's obligations to the User. This period corresponds to the length of the period of limitation of claims. The personal data processed within the scope of marketing activities shall be processed for the duration of their conduct by the Operator or the expression of the User's objection to further processing of personal data for marketing purposes, or cancellation of consent to send marketing information to the e-mail address. Cancellation of consent does not affect the legality of the processing before withdrawal of consent.
  13. The Operator applies the technical measures required by current regulations on personal data protection to prevent the acquisition and modification by unauthorized persons of personal data sent electronically.
  14. The User is not allowed to use the Services anonymously or under a pseudonym.
  15. Personal data of the Users will be transferred to countries outside the European Economic Area, i.e. to the following:
    1. The United States on the basis of the Executive Decision of the European Commission of 12.07.2016 introducing the Privacy Shield. The data will be transferred only to entities certified under this decision, which obliges them to properly secure personal data.
    2. To other countries on the basis of standard contractual clauses, which oblige the entities to which the data will be transferred to properly secure the data.
    3. You have the right to receive a copy of your personal information, which will be forwarded to that country.


  1. The Operator uses cookies, i.e. small text information stored on the User's end device (e.g. computer, tablet, smartphone). Cookies can be read by the Operator's or other entities' ICT system.
  2. The Operator stores cookies on the User's terminal device, and then obtains access to information contained therein for statistical and marketing purposes and to ensure proper functioning of the Service, and in particular to maintain the session after logging in and recognizing the User at the next session.
  3. The Operator informs Users that there is a possibility of such configuration of the Internet browser, which makes it impossible to store cookie files on the User's terminal device.
  4. The Operator indicates that the cookie files can be removed by the User after they are saved by the Operator, through: appropriate functions of the Internet browser, programs used for this purpose or the use of appropriate tools available within the operating system, which the User uses.
  5. The following links include information on how to remove cookies in the most popular web browsers:
    1. Firefox:
    2. Opera:
    3. Internet Explorer:
    4. Chrome:
  6. The Operator also informs Users that a change in the configuration of the Internet browser, which prevents or limits the storage of cookies on the User's terminal device may cause limitations in the functionality of the Services. The deletion of cookies during the Service may lead to similar effects. This may cause inability to log into the Service or interrupt the session after logging in.


  1. In order to enable the Operator to provide the Services to the User, the User shall entrust the Operator to carry out, on behalf of the User, the processing of the personal data referred to in the following paragraph to the extent and under the rules specified below. On this basis, the Operator is entitled to process personal data on behalf of the User only for the above purpose and in the manner specified below.
  2. The instruction to process personal data includes personal data in the following scope: name, first name, telephone number, e-mail address and all personal information provided by the User in the System, including during the Campaign and all information collected during the Campaign. Hereinafter, all these data are referred to as "Personal Data".
  3. Entrusting the processing of Personal Data includes the following activities: collecting, recording, organising, arranging, storing, adapting, downloading, viewing, using, disclosing by transmission, dissemination or otherwise making available, matching or combining, limiting, deleting or destroying.
  4. The Operator declares that it provides sufficient guarantees - in particular through its expertise, experience, reliability and resources - of the implementation of technical and organizational measures - that the processing of Personal Data meets the applicable regulations on the protection of personal data, especially in the area of personal data security.
  5. The Operator is obliged to:
    1. Take organizational and technical measures to ensure an adequate level of security of the Personal Data before starting the processing of Personal Data and apply them at all times;
    2. Keep the personal data protection documentation required by the applicable regulations, including all policies, registers, lists of collections;
    3. Cooperate, at any request, with any supervisory authority entitled to control the observance of the data protection regulations in the scope and manner specified by that authority;
    4. Document any data protection violations, including the circumstances of the personal data breach, its effects and the remedial actions taken;
    5. Ensure that:
      1. Only persons authorized by the Operator have access to the Personal Data;
      2. The persons authorized to process the Personal Data undertake in writing to keep the Personal Data and the ways of its protection secret.
  6. The Operator is obliged to immediately inform the User [via e-mail] about the following:
    1. any proceedings or ruling concerning Personal Data, including in particular its proper protection;
    2. any violation of the protection of Personal Data, as determined by the Operator, or the risk of such a breach, with an indication of:
      1. the nature of the personal data breach, including the category and approximate number of data subjects;
      2. the possible consequences of the personal data breach;
      3. the measures applied or proposed by the Operator to remedy the personal data protection breach, including measures to minimise its possible negative effects;
    3. the announcement or initiation of a supervisory authority's inspection or investigation of personal data.
  7. The Operator is obliged to support the User, in the manner specified by him/her, in all matters concerning Personal Data, in particular through:
    1. providing written explanations or information;
    2. providing documents or other records;
    3. enabling:
      1. to view or save information stored in IT systems;
      2. review the status of information systems;
      3. conducting security tests of information systems. This obligation also applies to support the User in fulfilling the obligation to provide the data subject with information on the processing of his/her personal data and any other User's obligations resulting from the use of his/her rights, in accordance with the applicable provisions of the law on personal data protection.
  8. The User gives his general consent for the Operator to use the services of another processing entity, hereinafter referred to as "Subprocessor", in order to perform on behalf of the Operator all or selected personal data processing activities.
  9. The Operator is obliged to inform the User in advance about any intended changes concerning the addition or replacement of the Subprocessors - in such a case the User is entitled to express a binding objection to such changes. Information about these changes should be provided via e-mail and include:
    1. the name and contact details of the Subprocessor;
    2. determination of personal data processing activities, for the purpose of which the Operator will use the services of the Subprocessor.
  10. In the case when a Subprocessor fails to meet its obligations to protect Personal Data, full responsibility for this lies with the Operator.
  11. The User is entitled to carry out, at his own expense, an audit of the Operator in the scope of compliance of his personal data processing activities with these provisions on entrusting personal data processing and the applicable data protection regulations, in particular in order to check the performance of the Operator's obligations. The User is obliged to notify the Operator at least 14 days in advance of the intention to conduct an audit. The User is entitled to provide the Operator with written recommendations for the audit together with the date of their implementation, which must be appropriate and not less than 30 days from the date of their submission to the Operator. He is obliged to carry out objectively justified post-control recommendations. The recommendations may not go further than the requirements arising from legal regulations. The use by the User of the rights specified in this section may not lead to a breach of the Operator's business secrets.
  12. Personal data are entrusted to the Operator for the duration of the Account. Failure to extend the validity of the Account by the User shall entitle the Operator to delete the Personal Data. After 30 days from the expiry of the validity of the User's Account, the Operator shall delete all collected data, including Personal Data.


  1. All complaints related to the provision of Services by the Operator and questions concerning the use of the Website should be sent to the electronic mail address or to the following correspondence address: ul. SŁAWIŃSKA, no. 6, lok. 807, city WARSAW, code 01-218, post office WARSAW, country Poland, with the note "Complaint".
  2. The complaint should include in its content: company - in the case of a legal person or an organizational unit that is not a legal person, to which the law grants legal personality, User's Login, its exact address of residence or seat, or correspondence address, if different from the address of residence or seat, and e-mail address given during Registration, as well as a detailed description and reason for complaint.
  3. Complaints resulting from failure to comply with the content of the Regulations will not be considered by the Operator.
  4. The Operator considers the complaint within 14 working days from the date of its receipt and immediately informs the User, by e-mail, about the manner of its consideration. If the data or information provided in the complaint need to be supplemented, the Operator asks the complainant to supplement it before the complaint is considered. The time of providing additional explanations by the User shall extend the period of complaint processing accordingly.
  5. Consideration of the complaint by the Operator is final.
  6. All other notifications, comments and questions about the functioning of the Service can be sent via e-mail to


  1. The Operator declares that he will take special care to ensure a high level of safety in the use of the Service to the Users. Any events affecting the security of information transmission, including those related to the suspicion of sharing files containing viruses and other files of similar nature, should be reported to the Operator at
  2. The Operator informs and the User agrees that any notifications, information or other messages from the Operator related to the provision of the Services shall be sent electronically to the User's e-mail address indicated during registration or in the Account Settings Panel.
  3. The Operator reserves the right to transfer some or all of the rights and obligations under the Terms of Use to a third party or to enter into sub-contracting agreements relating to them, to which the User has agreed by being bound by the Terms of Use. The User may not assign or waive rights and obligations under the Terms and Conditions without the written consent of the Operator.
  4. Service Users can access the Terms of Service at any time free of charge through a link on the home page of the Service or by contacting
  5. The Operator reserves that the Service and the graphic elements of the Operator, the Operator's logotypes, navigation solutions, selection and arrangement of the content presented within the Service are the subject of exclusive rights of the Operator.
  6. In matters not regulated by the Regulations, the provisions of the Polish Civil Code and other laws in force in the Republic of Poland shall apply.
  7. All Users who are consumers regardless of their place of residence and place of consumption of the service recognize that the regulations of the Polish state will apply to any claim, action or dispute of the User remaining in connection with these Regulations, in all cases (i.e. in case of consumers and other legal entities) the User acknowledges and agrees that his claim will be settled by the competent court in the Republic of Poland and that the Polish law regulates these Regulations and any claims related to it regardless of the conflict of laws regulations.
  8. The Operator has the right to change the Regulations at any time. The User is bound by the new content of the Regulations in the case of consent to its content. If the User does not agree to the new content of the Regulations, the Agreement is terminated with immediate effect.