Terms of Service

By accessing or using phishunt.io, including its website, REST API, data feeds, and any related content (collectively, the "Service"), you agree to be bound by these Terms of Service ("Terms"). If you do not agree, do not use the Service. These Terms also apply if you only read, download, or redistribute data from the Service without further interaction.

phishunt.io aggregates publicly available signals (Certificate Transparency logs and third-party threat intelligence feeds) to publish a best-effort list of domains and URLs that are suspected of impersonating brands or conducting phishing. The Service is provided free of charge, without authentication, for security research, incident response, brand protection, and other lawful purposes.

The data distributed by phishunt.io reflects suspicion based on automated heuristics and third-party signals. It is not a legal finding, judicial determination, or verified assertion that any specific domain or party is engaged in phishing, fraud, or any other wrongdoing. False positives and false negatives occur routinely. Anyone relying on the data must perform their own verification before taking action. Inclusion in the Service does not constitute an accusation.

You may use the Service and its data for any lawful purpose. You may NOT:

• Use the data to facilitate, promote, or carry out phishing, fraud, harassment, or any illegal activity;
• Attempt to disrupt, overload, reverse-engineer, scrape beyond rate limits, or otherwise interfere with the Service infrastructure;
• Circumvent or try to circumvent any rate limit, access control, or security mechanism;
• Misrepresent the source of the data or publicly assert that a listed domain is confirmed phishing based solely on its presence in phishunt.io;
• Use the Service in any way that violates applicable law or third-party rights.

API and feed endpoints are rate-limited to 10 requests per second per IP, with a burst of 20. Exceeding the limit returns HTTP 429. The Service may be modified, suspended, or discontinued at any time, with or without notice. No uptime or availability commitment is made.

If you believe a domain, URL, or other content published by phishunt.io is incorrect, outdated, or should not be listed, email [email protected] with the specific entry and your reasoning. Requests are reviewed on a best-effort basis, typically within a few business days. phishunt.io retains sole discretion over what is published, in line with its editorial judgement and security research purposes.

The data distributed through phishunt.io (JSON, CSV, TXT feeds, and API responses) is released into the public domain under Creative Commons CC0 1.0. When redistributing or publishing the data, attribution to phishunt.io is appreciated but not required. The website design, source code, trademarks, and branding remain reserved and are not covered by this license.

THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, OR STATUTORY. phishunt.io DISCLAIMS ALL WARRANTIES INCLUDING ACCURACY, COMPLETENESS, RELIABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND MERCHANTABILITY. phishunt.io DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, SECURE, OR ERROR-FREE.

To the maximum extent permitted by law, phishunt.io and its operator shall not be liable for any direct, indirect, incidental, consequential, special, exemplary, or punitive damages arising from or related to your use of, reliance on, or inability to use the Service, including but not limited to loss of data, loss of profits, business interruption, or reputational harm - even if advised of the possibility of such damages.

You agree to defend, indemnify, and hold harmless phishunt.io and its operator from any claim, loss, liability, expense, or damage (including reasonable legal fees) arising from your use of the Service, your violation of these Terms, or your violation of any law or third-party right.

The Service contains references and links to third-party domains that are suspected of phishing. Those domains are not controlled by phishunt.io. Visiting them may expose you to credential theft, malware, or other risks. phishunt.io assumes no responsibility for third-party content, privacy practices, or security. You access those links entirely at your own risk.

phishunt.io is operated from Spain and processes personal data in accordance with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and the Spanish LOPDGDD (Ley Orgánica 3/2018). Cookieless tracking practices follow the Spanish LSSI (Ley 34/2002, art. 22.2). Data controller: Daniel López. Contact: [email protected].

Data processed:

• IP address, User-Agent, request path, referer - recorded in server access logs for rate limiting, abuse prevention, and troubleshooting. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Retention: up to 90 days, then deleted.
• Aggregate traffic analytics - collected via Umami and Ahrefs Web Analytics, both cookieless. No cookies, no localStorage, and no fingerprinting are used. IP addresses are hashed with a daily-rotating salt and never stored. Only aggregate page views, referrers, and coarse device/country information are retained. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
• Email content - only if you contact [email protected] or post on the Featurebase feedback board. Used solely for correspondence.

No personal data is sold, rented, or disclosed beyond the subprocessors listed in §13.

Your GDPR rights: access, rectification, erasure, restriction, portability, and the right to object to processing based on legitimate interest. To exercise them, email [email protected]. You may also lodge a complaint with the Spanish Data Protection Authority (AEPD).

The Service relies on the following third parties, each governed by its own terms and privacy policy:

• Cloudflare, Inc. - CDN, DDoS protection, WAF. Processes all incoming HTTP requests.
• Umami Software, Inc. - cookieless web analytics (cloud.umami.is). Receives page URL, referrer, and hashed visitor signal; does not set cookies or store IP addresses.
• Ahrefs Pte. Ltd. - cookieless web analytics (analytics.ahrefs.com). Receives page URL, referrer, and coarse device/country signals; does not set cookies or store IP addresses.
• Google LLC - Google Fonts and the favicon service used to display brand icons in lists.
• Public CDN providers - BootstrapCDN, jsDelivr, Cloudflare CDN, Google CDN serve common JavaScript and CSS libraries.
• Featurebase (Useful Ltd.) - hosts the public feedback board at phishunt.featurebase.app. Collects email and post content when you interact with the board.

The detection pipeline ingests data only from public sources (OpenPhish, PhishTank, urlscan.io, Google Safe Browsing, TweetFeed, Certificate Transparency logs). No personal data about visitors is transmitted to these sources.

The Service is not directed at individuals under the age of 16. If you are under 16, do not use the Service or submit any personal data to it.

phishunt.io may revise these Terms at any time. The "Last updated" date at the bottom reflects the most recent revision. Continued use of the Service after changes constitutes acceptance of the revised Terms.

These Terms are governed by and construed in accordance with the laws of Spain, without regard to conflict-of-law principles. Any dispute arising out of or related to the Service shall be subject to the exclusive jurisdiction of the competent courts of Spain. If you use the Service from outside Spain, you do so on your own initiative and are responsible for complying with local laws.

If any provision of these Terms is found unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary so that the remaining Terms remain in full force and effect.

The Service is operated by Daniel López as an independent side project.