Privacy Policy
Last updated: November 11, 2025
Overview
ScamBrake ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our scam detection service.
This policy complies with:
- GDPR (General Data Protection Regulation) - EU, and UK GDPR - UK
- CCPA (California Consumer Privacy Act)
- CPRA (California Privacy Rights Act)
- VCDPA (Virginia Consumer Data Protection Act)
- CPA (Colorado Privacy Act)
- CTDPA (Connecticut Data Privacy Act)
- UCPA (Utah Consumer Privacy Act)
What Data We Collect
1. Account Information
- Email address (required for account creation)
- Display name (optional)
- Authentication tokens
- Subscription tier (free, premium, enterprise)
- Account creation and last sign-in timestamps
2. Scam Detection Data
- Masked email/message content (with PII removed)
- Sender information
- Subject lines
- Detection results (risk level, category, confidence)
- Timestamps of scans
- Channel type (email, messenger, WhatsApp, etc.)
- Inbox provider (Gmail, Outlook, etc.)
3. Device Information
- Device IDs (for sync across devices)
- Device type (extension, mobile, web)
- Browser type and version
- Operating system
- IP address (for security and rate limiting)
4. Caregiver System Data
- Caregiver email addresses
- Permission levels (view, manage)
- Invitation status and timestamps
- Relationship links between users
5. Communication Data
- Email delivery status (sent, delivered, opened)
- Support correspondence
- Feedback and survey responses
6. Analytics & Usage Data
- API request logs
- Error logs and debugging information
- Performance metrics
- Feature usage statistics
What We NEVER Collect:
- Full unmasked message content
- Passwords or banking credentials
- Contact lists or address books
- Browsing history outside supported platforms
- Precise location data
- Any data you don't explicitly share
How We Use Your Data
We use collected data exclusively for the following purposes:
Service Provision
- Detect and analyze potential scams using AI
- Deliver real-time alerts and warnings
- Provide alert history and scan records
- Sync data across your devices
- Enable caregiver monitoring features
Communication
- Send transactional emails (alerts, confirmations)
- Notify caregivers of high-risk scams
- Respond to support requests
- Send important service updates
Improvement & Security
- Improve scam detection algorithms
- Debug and fix technical issues
- Monitor for abuse and fraud
- Ensure system security and stability
Legal Compliance
- Comply with legal obligations
- Respond to lawful requests
- Protect our legal rights
- Prevent fraud and illegal activity
We NEVER sell your data. Ever.
Data Sharing & Third Parties
We share your data only in the following limited circumstances:
Service Providers
We use the following third-party services to operate ScamBrake:
- Supabase: Database and authentication (EU/US data centers)
- OpenAI: AI-powered scam classification
- Resend: Transactional email delivery
- Railway: Infrastructure and hosting
- Sentry: Error tracking and monitoring
All service providers are contractually bound to protect your data and use it only for providing services to us.
Caregiver Sharing (Opt-In Only)
If you invite a caregiver, we share your scam alerts with them. This is entirely optional and you control who has access.
Legal Requirements
We may disclose your information if required by law, court order, or government request, or to protect our legal rights.
Business Transfers
If ScamBrake is acquired or merged, your data may be transferred to the new owner. You will be notified of any such change.
Your Privacy Rights
You have extensive rights regarding your personal data:
All Users (Worldwide)
- Right to Access: Request a copy of all your personal data → Export Your Data
- Right to Delete: Request permanent deletion of your account and data → Delete Your Data
- Right to Correct: Update inaccurate information → Update Profile
- Right to Opt-Out: Manage your privacy preferences → Privacy Settings
GDPR Rights (EU/UK/EEA Users)
- Right to Portability: Export your data in machine-readable format
- Right to Object: Object to processing of your data
- Right to Restrict: Limit how we process your data
- Right to Withdraw Consent: Withdraw consent at any time
- Right to Lodge Complaint: File complaint with your data protection authority
CCPA/CPRA Rights (California Users)
- Right to Know: Know what personal information is collected
- Right to Delete: Request deletion of personal information
- Right to Opt-Out: Opt-out of sale of personal information (N/A - we don't sell data)
- Right to Correct: Correct inaccurate personal information
- Right to Limit: Limit use of sensitive personal information
- Right to Non-Discrimination: Not be discriminated against for exercising rights
Other US State Rights (VA, CO, CT, UT)
- Right to access, delete, correct, and port your data
- Right to opt-out of targeted advertising and profiling
- Right to appeal if we deny your request
How to Exercise Your Rights:
Use the self-service links above or email privacy@scambrake.com
We will respond within 30 days (45 days for complex requests).
Security Measures
We implement industry-standard security measures to protect your data:
- Encryption: All data encrypted in transit (TLS/HTTPS) and at rest
- PII Masking: Personal information automatically masked before AI analysis
- Access Controls: Strict access controls and authentication
- Regular Audits: Security audits and vulnerability scanning
- Monitoring: 24/7 security monitoring and logging
- Data Backups: Regular encrypted backups with redundancy
- Incident Response: Documented breach notification procedures
In the event of a data breach affecting personal data, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, as required by GDPR, and will notify affected users without undue delay where the breach is likely to result in a high risk to them.
Data Retention
We retain your data only as long as necessary:
- User Accounts: Until you request deletion
- Scam Alerts: 2 years or until account deletion
- Scan History: 1 year or until account deletion
- Email Events: 90 days
- API Logs: 30 days
- Consent Logs: 7 years (legal requirement)
When you delete your account, all data (except legally required records) is permanently deleted within 30 days.
International Data Transfers
ScamBrake operates globally. Your data may be transferred to and processed in:
- United States (primary servers)
- European Union (for EU users)
We use Standard Contractual Clauses (SCCs) and ensure adequate safeguards for international transfers as required by GDPR.
Children's Privacy
ScamBrake is not intended for users under 13 years old (or under 16 in the EU, unless your member state sets a lower age of digital consent). We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately at privacy@scambrake.com.
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via:
- Email notification to your registered email
- Notice on our website and app
- Updated "Last updated" date at the top of this policy
Continued use of ScamBrake after changes constitutes acceptance of the updated policy.
Contact Us
Questions about this privacy policy or want to exercise your rights?
- Privacy Email: privacy@scambrake.com
- Data Protection Officer: dpo@scambrake.com
- Support: Contact Form
Legal Entity
ScamBrake is operated by [Your Company Name]
[Your Company Address]
[Tax ID / Company Registration]
TL;DR: We collect minimal data to provide scam detection. We never sell your data. You have full control to access, export, and delete your data anytime.