We never read your emails or messages — our email scanner can only see the web addresses inside them. We don't sell your data, ever. We check the links you encounter against trusted threat databases, and we keep only what we need to keep you safe. The detail below explains exactly how.
What's in here
1. Who we are
Scam SafeGuard ("we", "us", "our") is a browser extension and related service that helps protect you from scam and phishing websites. The service is operated by [LEGAL NAME], an independent developer based in Australia (ABN [ABN]). We are not affiliated with any bank, telco, or government agency.
This policy applies to the Scam SafeGuard browser extension, the website at scamsafeguard.com, and our backend scanning service.
2. What information we process
Web addresses (URLs) of pages and links checked
To protect you, Scam SafeGuard checks web addresses against threat databases. Depending on your settings, this includes addresses of pages you visit, links you click from social media, and links you ask us to check. These checks are matched by website address, not tied to a personal profile of your browsing history. Results are briefly cached by website address so we don't re-check the same site repeatedly.
Page content — only for borderline sites
If a site looks suspicious but isn't a confirmed match, we may send the visible text content of that page to an AI service for a closer look (see section 5). This only happens for the small number of sites that fall into a "needs a closer look" category — not for normal browsing on sites already known to be safe.
Messages you choose to check
When you paste a message into the "Check a Message" tool, we process that text to find and check any links inside it. If the message shows signs of a scam, its text may be analysed by our AI service to help judge the risk.
Email links you choose to check
When you click "Check Links" inside Gmail or Outlook, our code extracts only the web addresses (the href of links) from the email and checks them. See section 3 for what this explicitly excludes.
A random installation ID
When you install the extension, it creates a random identifier (a string of characters) stored on your device. It is sent with scan requests to help us apply fair-use limits and prevent abuse. It is not your name, email, or anything that identifies you personally, and we do not link it to your identity.
Your settings
Your preferences — such as notification level and your list of trusted sites — are stored locally on your own device using your browser's storage. They are not sent to us.
Payment information
If you subscribe to a paid plan, payments are handled by our payment provider, Paddle, acting as Merchant of Record. We never see or store your full card details. We receive limited information such as your subscription status and country (for tax purposes).
3. What we never collect
Our email scanner is built so that it physically cannot access the following. This is an architectural fact, not a setting that could be switched on:
- The body or text content of your emails
- Email subject lines
- Sender or recipient names and addresses
- Attachments
We also do not:
- Sell, rent, or trade your personal information to anyone
- Build or sell an advertising profile of you
- Log your browsing history against your identity
- Read the contents of messages you haven't chosen to check
4. How we use information
We use the information we process only to:
- Check links and warn you about dangerous sites in real time
- Improve the accuracy of our scam detection
- Apply fair-use limits and protect the service from abuse
- Provide customer support when you contact us
- Process payments and manage subscriptions (via Paddle)
- Meet our legal obligations
5. How AI analysis works
For sites and messages that can't be judged by threat-database matching alone, we use Google's Gemini AI service to assess scam indicators. In these cases:
- The visible page text (or the message text you pasted) is sent to Google for analysis.
- This is limited to borderline cases — not your everyday browsing.
- Google processes this text to return a risk assessment to us.
Google's handling of this data is governed by Google's own terms and privacy practices for its AI services. We send only what's needed for the assessment and never include your installation ID or any account details in that request.
6. Who we share data with
We don't sell your data. We rely on a small number of trusted service providers to run the service:
| Provider | Purpose | What they receive |
|---|---|---|
| Google (Web Risk) | Checks addresses against Google's threat database | The web address being checked |
| Google (Gemini AI) | Analyses borderline sites and messages | Page text or pasted message text (borderline cases only) |
| Google Cloud | Hosts our scanning service | Data processed in transit as above |
| Upstash (Redis) | Temporarily caches scan results | Website addresses and their risk results |
| Paddle | Processes payments (Merchant of Record) | Your payment and billing details |
We use public scam blocklists (such as global phishing and malware feeds) by downloading their lists to our own servers. Your data is never sent to those providers.
We may also disclose information if required by law, or to protect the rights, safety, and security of our users and the service.
7. How long we keep it
- Scan results are cached by website address for a short period (typically between 12 hours and 7 days) and then expire automatically.
- Fair-use and abuse-prevention records tied to your random installation ID are kept in a hashed (scrambled) form for up to 30 days.
- Your settings stay on your device until you change them or uninstall the extension.
- Support correspondence is kept only as long as needed to help you and for our records.
8. How we protect it
We use encryption in transit (HTTPS), access controls, and data-minimisation by design — we simply don't collect most of the data that would be sensitive. No method of transmission or storage is ever 100% secure, but we work to protect your information using reasonable, industry-standard measures.
9. Your rights and choices
Depending on where you live (including under the Australian Privacy Act 1988, the EU/UK GDPR, and the California CCPA/CPRA), you may have rights to access, correct, delete, or restrict the use of your personal information, and to object to certain processing.
Because we deliberately collect very little personal information, much of your control is direct:
- You can turn off scanning, change notification levels, or manage your trusted-sites list at any time in the extension settings.
- You can uninstall the extension at any time, which removes the locally stored data on your device.
- You can contact us to make a privacy request, and we will respond as required by the laws that apply to you.
To exercise any right, contact us at [PRIVACY EMAIL]. You also have the right to complain to your local privacy regulator — in Australia, the Office of the Australian Information Commissioner (OAIC).
10. International users
We are based in Australia and use service providers that may process data in other countries, including the United States. Where we transfer personal information internationally, we take steps to ensure it remains protected in line with applicable law.
11. Children
Scam SafeGuard is intended for adults and is not directed at children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us information, please contact us and we will delete it.
12. Changes to this policy
We may update this policy as the product or the law evolves. When we make material changes, we'll update the date at the top and, where appropriate, notify you. Continuing to use Scam SafeGuard after changes take effect means you accept the updated policy.
13. Contact us
Questions about your privacy, or want to make a request? Email us at [PRIVACY EMAIL]. We read every message.