Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

• Account Information: When you create an account, we collect your email address and display name. If you sign in with Google, we receive your name, email, and profile picture from Google.
• Phone Numbers: When you use our phone number verification service, you submit phone numbers for analysis.
• Website URLs: When you use our website verification service, you submit URLs for analysis.
• Text Messages: When you use our text message analysis service, you paste text message content for analysis. We extract phone numbers and URLs from the text for verification.
• Email Content: When you use our email analysis service, you paste email headers or body content for analysis. We extract sender information, embedded links, and other indicators.
• Forwarded Emails: When you forward a suspicious email to scan@scamverify.ai, we receive the full email including sender address, subject, body content, headers, and any attachments. We extract the forwarded email content, analyze it for scam indicators, and send you a reply with the analysis results. The forwarded content is hashed for caching (so re-forwarding the same email does not consume additional lookups). We log the sender address, analysis results, and processing metadata. We do not use forwarded email content for marketing purposes.
• Secondary Email Addresses: If you add secondary email addresses in Settings for email forwarding recognition, we store these addresses and associate them with your account. Secondary emails are verified via a confirmation link and are used solely to identify you when you forward emails to scan@scamverify.ai.
• Document Images: When you use our document analysis service, you upload photos of documents (court notices, invoices, letters) for scam analysis. We retain the uploaded images in secure private storage to improve scam pattern detection and help protect other users.
• QR Code Images: When you use our QR code verification service, you upload QR code images for decoding. The images are processed for decoding only and are not retained after processing.
• Community Reports: If you submit a report about a phone number or other threat, we collect the report type, any comments you provide, and whether you received the communication.
• Watchlist Data: If you add phone numbers to your watchlist, we store these numbers along with the risk score at the time you added them.
• Contact Information: If you contact us, we collect your name, email, and message content.

1.2 Information Collected Automatically

• Device Information: Browser type, operating system, and device identifiers.
• Usage Data: Pages visited, time spent, click patterns, and feature usage.
• IP Address: We collect and hash your IP address for rate limiting and fraud prevention. We do not store your raw IP address.
• Cookies: We use essential cookies for site functionality. We also use cookies from analytics partners (see Section 7).
• Session Data: Session tokens to maintain your login state.
• Lookup History: When you are logged in, we store your verification history including the items searched, risk scores, and timestamps.

1.3 Information from Third Parties

• Government Databases: We query FTC Do Not Call complaints and FCC consumer complaints (publicly available federal data).
• Carrier Data: Phone number carrier, line type, and caller ID information from Twilio.
• Threat Intelligence: Phone reputation scores, robocall detection flags, domain risk data, and malware database matches from our third-party data providers.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our verification services across all channels
• Generate AI-powered risk scores and analysis narratives
• Display aggregated community reports and risk assessments
• Authenticate your account and maintain your session
• Process payments and manage subscriptions via Stripe
• Send email notifications about watchlist changes and account activity
• Prevent fraud, abuse, and duplicate submissions
• Monitor usage patterns and improve service quality
• Respond to your questions and support requests
• Comply with legal obligations

3. AI Data Processing

ScamVerify™ uses artificial intelligence to analyze phone numbers, websites, text messages, emails, and documents. When you submit content for verification, relevant data (such as phone numbers, complaint summaries, carrier information, URLs, message content, or document images) is sent to our AI providers for analysis. For document analysis, uploaded images are processed by vision AI to extract entities such as addresses, official names, legal citations, and dollar amounts.

Our AI providers include OpenAI (primary) and Anthropic (fallback). We use these services via their commercial APIs under terms that prohibit the use of your data for model training.

ScamVerify™ does not use your submitted data to train AI models, and we do not permit our AI providers to use your data for training purposes.

4. How We Share Your Information

We may share your information with the following categories of recipients:

• AI Providers: OpenAI and Anthropic receive verification data for AI analysis. They process data under their commercial API terms and do not use it for model training.
• Payment Processor: Stripe processes your payment information. ScamVerify™ does not store credit card numbers. See Stripe's Privacy Policy.
• Authentication Provider: Supabase handles account authentication and data storage. If you sign in with Google, data is exchanged with Google for authentication.
• Carrier Lookup: Twilio receives phone numbers for carrier verification and caller ID lookups.
• Threat Intelligence Providers: Phone numbers and URLs may be sent to reputation scoring services for risk assessment.
• Document Verification Providers: Addresses, official names, and legal citations extracted from uploaded documents may be sent to Smarty (address validation), Google (institution verification), CourtListener (judge database), and GovInfo (federal statute verification) for entity verification.
• Bot Protection: Cloudflare Turnstile processes client-side signals (IP address, TLS fingerprint, user-agent) for bot detection. Cloudflare does not use this data for advertising.
• Analytics: PostHog receives anonymized usage data to help us understand how visitors use the Service and to improve it.
• Error Tracking: Sentry receives error and performance data, which may include technical details about your session when an error occurs.
• Email Delivery: Resend processes email addresses and message content for transactional emails (account verification, watchlist alerts, usage notifications).
• Aggregated Data: We display aggregated, anonymized community report data publicly to help other users identify potential scams.
• Legal Requirements: We may disclose information if required by law, regulation, or legal process.
• Protection of Rights: We may disclose information to protect the rights, property, or safety of ScamVerify™ LLC, our users, or others.

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.

5. Data Retention

• Verification data and community reports: Retained indefinitely to maintain our threat database and help protect future users.
• Account data: Retained until you delete your account.
• Watchlist and lookup history: Retained until you delete them or delete your account.
• Rate limiting data: Retained for 24 hours.
• Payment and billing records: Retained for 7 years as required by tax and accounting regulations.
• Document images: Uploaded document images are retained in secure private storage to enable scam pattern detection and near-duplicate matching. You may request deletion of your uploaded images by contacting us. QR code images are not retained.
• Analytics data: Retained per PostHog's default retention policies.
• Error tracking data: Retained per Sentry's default retention policies (typically 90 days).

You may request deletion of specific data by contacting us. To delete your account and all associated data, go to Settings > Privacy & Data.

6. Your Privacy Rights

6.1 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:

• Right to Know: You can request what personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties we share it with.
• Right to Delete: You can request deletion of your personal information, subject to certain exceptions (such as data needed to complete a transaction, comply with legal obligations, or maintain our threat database).
• Right to Correct: You can request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising.
• Right to Limit Sensitive Personal Information: We collect limited sensitive personal information (account credentials). You may request limits on how we use this data.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

How to exercise your rights: Submit a request through our contact form with the subject "Privacy & Data Deletion Request." We will verify your identity by confirming your email address. We will respond within 45 days. If we need additional time, we will notify you of the extension (up to an additional 45 days). You may also designate an authorized agent to submit requests on your behalf.

6.2 European Residents (GDPR)

If you are a resident of the European Economic Area or the United Kingdom, you have the right to:

• Access your personal data
• Correct inaccurate personal data
• Request erasure of your personal data
• Object to processing of your personal data
• Data portability
• Withdraw consent at any time
• Lodge a complaint with a supervisory authority

Our legal basis for processing personal data includes: performance of a contract (providing the Service), legitimate interests (improving the Service, preventing fraud), consent (where applicable), and compliance with legal obligations.

6.3 Automated Decision-Making

ScamVerify™ uses automated systems, including AI models and algorithmic scoring, to generate risk scores and safety assessments. These automated decisions are informational only and do not produce legal or similarly significant effects. You have the right to request information about the logic involved in automated decision-making and to request human review of any automated assessment by contacting us.

6.4 Account Data Management

You can manage your data directly through your account:

• View and edit your profile information in Settings
• Clear your lookup history in Settings > Privacy & Data
• Remove numbers from your watchlist
• Delete your account and all associated data in Settings > Privacy & Data

7. Analytics

We use PostHog Analytics to understand how visitors use our site and to improve our service. For logged-in users, PostHog receives a pseudonymous user identifier to track feature usage across sessions. For anonymous visitors, PostHog collects aggregated data including page views, referral sources, browser type, and general location. For more information, visit PostHog's Privacy Policy.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including encryption in transit (TLS/HTTPS), hashed IP addresses, secure session management, and access controls. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

9. Data Breach Notification

In the event of a data breach involving your personal information, we will notify affected users within 30 days of discovery as required by California Civil Code Section 1798.82. If more than 500 California residents are affected, we will also notify the California Attorney General within 15 days of notifying consumers. Notifications will include a description of what happened, what information was involved, what we are doing about it, what you can do, and how to contact us for more information.

10. International Data Transfers

Your data is stored and processed in the United States. If you are accessing the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country. By using the Service, you consent to this transfer. Where required by applicable law (such as GDPR), we rely on standard contractual clauses or other appropriate legal mechanisms for international data transfers.

11. Cookies and Tracking Technologies

We use the following types of cookies:

• Essential cookies: Required for authentication, session management, and core functionality. These cannot be disabled.
• Analytics cookies: PostHog uses cookies to track usage patterns and help us improve the Service.

You can manage cookies through your browser settings. Disabling essential cookies may prevent the Service from functioning correctly.

12. Do Not Track and Global Privacy Control

We do not track users across third-party websites ourselves. We do not use advertising cookies or serve advertisements on our website.

We honor Global Privacy Control (GPC) signals. If your browser sends a GPC signal, we automatically disable analytics cookies. You can also manage analytics cookies manually in Section 12 above. For more information about GPC, visit globalprivacycontrol.org.

13. Children's Privacy

Our Service is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we learn we have collected personal information from a child under 16, we will delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us.

14. Third-Party Services

Our Service uses the following third-party services:

• OpenAI: Primary AI analysis engine. OpenAI Terms
• Anthropic: Fallback AI analysis engine. Anthropic Privacy Policy
• Stripe: Payment processing. Stripe Privacy Policy
• Twilio: Phone number carrier verification. Twilio Privacy Policy
• Supabase: Authentication and database. Supabase Privacy Policy
• Google OAuth: Sign-in with Google. Google Privacy Policy
• Cloudflare Turnstile: Bot protection. Cloudflare Turnstile Privacy Policy
• PostHog: Product analytics. PostHog Privacy Policy
• Sentry: Error tracking. Sentry Privacy Policy
• Resend: Transactional email. Resend Privacy Policy

We also access publicly available government databases:

• FTC Do Not Call Complaints: Public consumer complaint data from the Federal Trade Commission
• FCC Consumer Complaints: Public complaint data from the Federal Communications Commission
• URLhaus: Malicious URL database from abuse.ch

Accessing these databases does not involve sharing your personal information with these organizations. We query their public data to enhance threat detection.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last Updated" date at the top of this page and, for significant changes, by sending a notice to the email address associated with your account. We encourage you to review this Privacy Policy periodically.

16. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how your data is handled, please contact us.

ScamVerify™ LLC
115 W. California Blvd #9300
Pasadena, CA 91105
United States