Privacy Policy
Last updated: 2026-05-29.
Scam Checker is a free, privacy-first tool. The checker analyses what you paste in your browser, not on our servers. The community-report database holds only masked values and salted hashes. This page is written in plain English; it is engineering practice, not legal advice.
1. What Scam Checker does
We help you decide whether a message, email, link, SMS, screenshot, or PDF you received is a scam. The analysis is local to your device. We also publish community-reported scams so other readers can search for the same value.
2. Data we collect
2.1 Scam checker tool (/check and dedicated tool pages)
- Pasted text, URLs, screenshots, PDFs, etc. — nothing is transmitted to our servers. Analysis runs entirely in your browser via JavaScript.
- File OCR (images, PDFs) is done with
tesseract.jsandpdfjs-distin the browser. Files are never uploaded.
2.2 Community scam reports (/api/report)
- The type of scam (e.g. email, phone, URL).
- The value(the scammer's phone, email, or URL) — truncated to 500 characters, sensitive patterns stripped by the server-side scrubber before write, and masked at display time.
- Optional notes — capped at 1000 characters and scrubbed for OTPs, CVVs, card numbers, passwords, SSN / TFN / Medicare numbers, and JWT-shaped tokens before saving.
- Salted SHA-256 hash of the request IP address (NOT the raw IP). Used for rate-limit only.
- MD5 hash of the User-Agent string (NOT the raw UA). Opaque grouping signal for abuse defence.
- Country code (2 letters) — coarse geo only.
2.3 Server logs (Vercel)
- Request-level metadata only: route, status code, region, response time. No request bodiesare written to logs.
2.4 Analytics (opt-in only)
- Google Analytics 4 (
G-4NCNQMQVFB) loads only after explicit consent via the cookie banner. - Vercel Analytics counts page views. No event parameters carry user content.
- The allowed GA4 event parameters are listed in
src/lib/analytics.tsin the repo. Anything outside the allowlist is dropped. - We never send the contents of your pasted text, URLs, phone numbers, emails, OCR output, OTPs, card details, or report notes to GA.
3. Data we deliberately do NOT collect
- The text of pasted messages, emails, SMS, WhatsApp.
- Uploaded images / PDFs (bytes never leave your browser).
- Raw IP addresses (only a salted hash for rate-limit).
- Raw User-Agent strings (only an MD5 hash).
- Passwords, login credentials, OTPs, card numbers, CVVs.
- Newsletter / mailing-list sign-ups — we don't run one.
- Cross-site tracking pixels or advertising IDs.
- Browser fingerprinting techniques.
4. Cookies
Detail lives on the dedicated Cookie Policy. Summary:
sc_consent— first-party, lax SameSite, 6-month expiry. Stores your cookie-consent decision.- Google Analytics cookies (
_ga,_ga_<id>) — only after you accept. - No advertising cookies. No tracking pixels.
5. AI & third-party processors
- Vercel hosts the site and ships request-level logs.
- Prisma + Postgres stores the masked community reports.
- Google Analytics 4 — consent-gated.
- Gemini / Groq APIs are used only inside the daily GitHub Action that generates blog posts. They receive the FindQuestions topic prompt and a pre-curated source ID list, never user data.
We do not train any AI model on user submissions, and we do not sell or share data with advertisers.
6. Retention
- Reports: kept while still useful for the community report database. A 24-month rolling retention is on the engineering backlog (tracked in
docs/privacy-data-map.md). - Consent cookie: 6 months, then re-prompt.
- Analytics cookies: GA4 default (13 months).
- Vercel logs: per Vercel plan default.
7. Your rights
Wherever you are, you can request:
- A copyof any report tied to a value that's yours.
- Correction of inaccurate data.
- Removal of a specific report.
- Withdrawal of analytics consent at any time via the cookie banner or /cookies.
Submit requests via the data removal page. Some regions (EU/UK GDPR, California CCPA, Australian Privacy Principles) grant additional formal rights — we honour the substance of these requests in the same workflow.
8. Security
See the dedicated security page for the engineering details: defence-in-depth redaction, security headers, API hardening, and our coordinated disclosure policy.
9. Children
Scam Checker is not directed to children under 13 (16 in some EU/UK contexts). If a parent or guardian believes a child's data was submitted, email privacy@scamchecker.app and we'll remove it on receipt.
10. Changes
We update this policy when our data practice changes. Material changes will be flagged on the homepage banner or via a new cookie-consent prompt where appropriate.
11. Contact
Privacy questions: privacy@scamchecker.app. Security: responsible disclosure. General contact: contact page.
This page is engineering practice and transparency, not a legal warranty. Specific regional requirements (GDPR, ePrivacy, CCPA, Australian Privacy Principles) require legal review before commercial scale-up.