Privacy Policy
What we collect, what we don't, and what we share — in plain language.
Last updated 2026-04-23
ASA ("the service", "we") exists to help you spot scams. This page explains the specific data we handle so you can make an informed choice about using the service.
Things we don't do
- We do not sell your data. No ad networks, no data brokers, no "partners" buying behavioral profiles.
- We do not use your data to train AI models. AI analyses are sent to Anthropic's API, processed, and discarded. We don't store the prompts or responses beyond the one-line summary in your check history.
- We do not store your passwords. The password health tool hashes your password locally with SHA-1, sends only the first 5 characters of the hash to Have I Been Pwned's range API ("k-anonymity"), and throws away the rest. Your actual password never leaves your browser.
- We do not share your monitored identifiers with anyone outside the third-party services listed below that are strictly needed to run a check.
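The password health bullet above describes a k-anonymity range lookup. The following is an added illustration, not the service's own code, and is written in Python rather than browser JavaScript so it runs offline. The function names and the `FakeRangeApi` stand-in are hypothetical, and the `SUFFIX:COUNT` line format is the one Have I Been Pwned's range API returns. Only the 5-character prefix is handed to the remote side; the other 35 characters stay on the client, where they are compared against the returned suffixes before being discarded.

```python
import hashlib


def split_hash(password):
    """Return (prefix, suffix): the first 5 and the remaining 35 hex chars of SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines from a range response; malformed lines are skipped."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Look up a password; fetch_range is any callable taking the 5-char prefix."""
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)               # only these 5 hex chars leave the client
    return parse_range(body).get(suffix, 0)  # the match itself happens locally


class FakeRangeApi:
    """Constructed stand-in for the remote endpoint; records what it was sent."""

    def __init__(self, known):
        self.seen = []
        self.buckets = {}
        for pw, count in known.items():      # constructed sample data
            prefix, suffix = split_hash(pw)
            self.buckets.setdefault(prefix, []).append(f"{suffix}:{count}")

    def __call__(self, prefix):
        self.seen.append(prefix)
        padding = "0" * 35 + ":0"            # zero-count entry, as in padded responses
        return "\r\n".join(self.buckets.get(prefix, []) + [padding])


if __name__ == "__main__":
    api = FakeRangeApi({"password": 42})     # 42 is a made-up count
    print(breach_count("password", api), api.seen)
```

Because the server only ever sees the prefix, it cannot tell which of the many hashes sharing that prefix, if any, the client was asking about.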
What we collect
- Account (if you sign up): email address and, optionally, a display name and password hash, stored in Supabase.
- Check history (logged-in users only): a one-line summary of each check you run — the input value, the result, a risk score, and a timestamp. You can export or delete this at any time from your settings page.
- Monitored identifiers (logged-in users only): the email/phone/wallet values you opt to monitor, stored only on your profile row. Removing them deletes them.
- Alerts: when a monitored identifier appears in new threat reports, we log the alert against your account so you can see the history. Deleting your account wipes these.
- Cookies: we set cookies only for authentication session management (via Supabase). No third-party ad/analytics cookies.
Third-party services we call
Each of these receives only the specific data needed to run your check — nothing more, nothing linked back to your account.
- Google Safe Browsing — receives the URL you're checking.
- VirusTotal — receives the URL you're checking.
- WhoisXML — receives the domain you're checking.
- Twilio Lookup — receives the phone number you're checking.
- Have I Been Pwned — receives only the first 5 characters of a SHA-1 hash of your password (k-anonymity range API).
- Anthropic (Claude) — receives the text/URL/image you submit for AI analysis. Anthropic's API does not retain content sent to it.
- Supabase — hosts our database and authentication. Your profile, check history, alerts, and session tokens live here.
- Cloudflare Workers — serves the website and routes API requests.
Your rights (GDPR / CCPA)
- Export: download a JSON dump of all your data from /settings → Your data.
- Delete: the same page has a "Delete my account" button that removes your auth record, profile, check history, and alerts. Cascade delete — no soft-delete shadow.
- Access / correction: your profile is displayed on the settings page; email us if you need anything changed that the UI doesn't expose.
How to reach us
Privacy questions, data requests, or complaints: email the address on the footer contact link. We aim to respond within 5 working days.
This policy is intentionally short. If we ever change something material — a new third party, a new data category — we'll update this page and note it in the "Last updated" header.