Privacy in Plain English

No legalese. No vague corporate speak. Here's exactly what happens to your data from the moment you paste it until it's gone — with links so you can verify every claim yourself.

1.You paste or upload something

When you paste a suspicious message or upload a screenshot, it stays in your browser until you hit “Check This Message.” We don't see it, store it, or do anything with it until you actively choose to scan.

2.It travels encrypted to our server

Your message is sent over HTTPS — the same encryption your bank uses. Nobody can read it in transit. It arrives at our server, which runs on Netlify's SOC 2-certified infrastructure.

3.We hand it to Claude for analysis

We send your message to Anthropic's Claude AI to check for scam patterns. Anthropic's policy is explicit: they do not train models on API inputs. They process it, return the analysis, and that's it. We use the paid API tier, which has a zero-retention data policy.

4.Results are cached briefly for sharing

The analysis result is held in server RAM (not a database, not a CDN, not disk) for up to 1 hour. This is solely so the share link works — if you send someone your result URL, they can view it during that window.

Is the share link guessable? No. Each result gets a random UUID (e.g. a3f8c2d1-7b4e-...). There are 340 undecillion possible IDs — it cannot be guessed or enumerated.

What if I don't share? The result still expires from RAM after 1 hour regardless. We don't extend the cache based on whether you shared or not.

Who can access it? Only someone with the exact URL. There is no index, no search, no way to browse other people's results. After the hour, even the URL returns nothing.

5.Then everything is deleted

After the cache expires, your message and the analysis are permanently gone. We don't write anything to a database. We don't keep server logs of what you scanned. There is no “history” to worry about. When the server restarts, the cache is wiped entirely.

What about screenshots?

If you upload a screenshot instead of pasting text, here's what's different:

Your image is resized in your browser first. Before it ever leaves your device, we scale it down and compress it. This happens entirely client-side — we never see the full-resolution original.
The image is sent directly to Claude's vision model. We don't run OCR ourselves or store the image on our server. It goes straight to Anthropic for analysis and follows the same zero-retention policy as text.
Be aware of what's visible in your screenshot. If your screenshot shows your name, profile photo, phone number, or other personal info, that will be included in what's sent for analysis. Consider cropping first if you're concerned.

Our promises to you

We do not sell your data. Not now, not ever.
We do not run ads or use tracking pixels.
We do not build a profile of you.
We do not store your messages permanently.
We do not require an account to use the scanner.
We do not share your data with anyone except Anthropic (for the AI analysis).

The hard questions

What if you get hacked?

Because we don't have a database of user scans, there's nothing to steal. The only data that exists at any moment is whatever's in the 1-hour RAM cache — and that's gone on every server restart. An attacker who breached our server would find an empty room.

What if Anthropic changes their data policy?

We monitor their policies and would switch providers or notify users before sending data under different terms. Their current API terms explicitly prohibit using customer inputs for training. If that changes, we change too.

Where are your servers located?

Our app runs on Netlify's edge network, with serverless functions executing in the US. Anthropic's API also processes requests in the US. Both are SOC 2 compliant.

Do you comply with GDPR and CCPA?

Yes. Since we don't store personal data permanently and don't require accounts, most GDPR/CCPA obligations are minimized by design. EU and California residents can email us to exercise any data rights — though in practice, there's nothing to delete because we didn't keep it.

Can law enforcement subpoena my scanned messages?

They can ask, but we won't have anything to hand over. We don't log what you scan, and the RAM cache is gone within an hour. You can't subpoena data that doesn't exist.

Why should I believe any of this?

Fair question. You can verify the key claims yourself:

Still have questions? Email us at hello@scamsignal.ai and we'll answer in plain English, too. You can also read the full legal privacy policy if you want the formal version.

← Back to Home

4.Results are cached briefly for sharing

Is the share link guessable? No. Each result gets a random UUID (e.g. a3f8c2d1-7b4e-...). There are 340 undecillion possible IDs — it cannot be guessed or enumerated.

What if I don't share? The result still expires from RAM after 1 hour regardless. We don't extend the cache based on whether you shared or not.

Who can access it? Only someone with the exact URL. There is no index, no search, no way to browse other people's results. After the hour, even the URL returns nothing.