🔒 Privacy First

Privacy Policy

Compliant with India's DPDP Act 2023 & IT Rules 2021

Effective date: 1 January 2026  ·  Last updated: 16 May 2026  ·  Governing law: Digital Personal Data Protection Act, 2023 (India)

✅ Our Core Privacy Promise

ScamDetect India is designed to be zero-knowledge by default. We do not store your scans, messages, images, or UPI IDs. Content you submit for analysis lives in server memory for the duration of the API call (~1–2 seconds), then is permanently discarded. We have no database of user scans.

Your device may store preferences (dark mode, language, checklist progress) in localStorage — this data never leaves your browser.

1. Data Fiduciary

Under the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Data Fiduciary is:

  • Name: CyberRishabh (individual creator)
  • Email: teamcyberrishabh@gmail.com
  • Country: India

For the purposes of this policy, "we", "us", "our" refers to the above Data Fiduciary operating ScamDetect India.

2. What We Do NOT Collect

We do not collect or store:

  • The text, SMS, or WhatsApp messages you submit for analysis
  • The URLs, UPI IDs, or phone numbers you submit for checking
  • Images or photos you upload for EXIF inspection
  • Passwords you test for strength (these are checked client-side or via k-anonymity hashing)
  • Email addresses used for breach checking (sent via Have I Been Pwned's k-anonymity API)
  • Your IP address (no IP logging in our application layer)
  • Browser fingerprint, device identifiers, or location data
  • Any behavioural or analytics data (no Google Analytics, no Mixpanel, no trackers)

3. What We Process (Transiently)

The following data is processed in-memory only during an API request and is not persisted to any database or log:

  • Scan content: Text, URLs, and UPI IDs are sent to Anthropic's Claude API for analysis. Anthropic's privacy policy governs that interaction. We do not retain a copy.
  • Image metadata: EXIF data is extracted server-side and returned to you. No image or EXIF data is stored.

Server infrastructure logs (e.g., Nginx access logs) may temporarily record request metadata (HTTP method, response code, timestamp) for operational purposes. These logs are rotated and deleted regularly and do not contain scan content.

4. Newsletter Subscribers

If you voluntarily subscribe to our weekly scam alerts newsletter, we collect and store:

  • Your email address
  • Subscription date and time
  • Subscription source (e.g., "homepage")

This data is stored in a secure database and is used solely to send you the newsletter you requested. We do not sell, rent, or share subscriber email addresses with any third party. You can unsubscribe at any time via the link in any newsletter email or by emailing us directly.

Legal basis under DPDP Act: Consent (freely given, specific, informed, unambiguous).

5. Community Reports

If you voluntarily submit a scam report to our Community Database, we store:

  • The scam indicator you report (phone number, UPI ID, URL)
  • The scam category and description you provide
  • Submission timestamp

We do not associate reports with user accounts, email addresses, or IP addresses. Reports are anonymous by design. Legal basis: Legitimate interest (maintaining a public scam database to protect Indian citizens).

6. localStorage — Data Stored on Your Device

The following data is stored in your browser's localStorage. It never leaves your device:

Key | Purpose | Retention
scam_shield_dark | Dark mode preference | Until cleared by user
scam_shield_lang | Language preference (EN/HI) | Until cleared by user
scam_shield_senior_mode | Senior citizen accessibility mode | Until cleared by user
scam_shield_trust_dismissed | Trust strip banner dismissed | Until cleared by user
scam_shield_checklist_* | Security checklist progress | Until cleared by user
scamshield_push_opted | Push notification opt-in status | Until cleared by user
scamshield_scan_history | Last 50 scan results (local only) | Until cleared by user
scam_shield_cookie_notice_dismissed | Storage notice banner dismissed | Until cleared by user

You can clear all localStorage data at any time via your browser settings (Settings → Privacy → Clear browsing data).

7. Cookies

We do not use cookies for tracking, advertising, or analytics. We do not set any first-party or third-party tracking cookies. Google Fonts may set a browser cache entry but does not use cookies for tracking.

The Service is a Progressive Web App (PWA) that uses Service Worker caching for offline functionality. This is a browser cache mechanism, not a cookie.

8. Children's Privacy

The Service is not directed at children under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has submitted personal data through the newsletter signup, please contact us at teamcyberrishabh@gmail.com and we will delete it promptly.

Under the DPDP Act, 2023, processing of children's personal data requires verifiable parental consent. We avoid collecting children's data altogether.

9. Data Retention

Data Type | Retention Period | Location
Scan content (text, URLs, images) | Not retained — processed in-memory only | Server RAM (seconds)
Newsletter email addresses | Until unsubscribe + 30 days | Secure server database
Community scam reports | Indefinite (public database) | Secure server database
User preferences | Indefinite (user-controlled) | Your browser (localStorage)
Scan history | Indefinite (user-controlled) | Your browser (localStorage)
Server access logs | 7 days (rotated) | Server filesystem

10. Your Rights Under DPDP Act 2023

Under India's Digital Personal Data Protection Act, 2023, you have the following rights regarding personal data we hold about you (primarily newsletter subscribers and community reporters):

  • Right to access: Request a copy of your personal data we hold
  • Right to correction: Request correction of inaccurate personal data
  • Right to erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to grievance redressal: Lodge a complaint with our Grievance Officer (see below)
  • Right to withdraw consent: Unsubscribe from newsletter at any time without penalty
  • Right to nominate: Nominate another person to exercise your rights in case of death or incapacity

To exercise any of these rights, email teamcyberrishabh@gmail.com. We will respond within 15 days.

11. Security

We implement the following security measures:

  • HTTPS-only with HSTS headers
  • Content Security Policy (CSP) headers
  • Rate limiting on all API endpoints
  • No server-side storage of scan content
  • k-Anonymity for password and email breach checks (your full data is never sent)

No system is perfectly secure. If you discover a security vulnerability, please disclose it responsibly to teamcyberrishabh@gmail.com.

12. Grievance Officer — DPDP Act 2023 & IT Rules 2021

In compliance with the DPDP Act, 2023 and IT Rules, 2021, the Grievance Officer is:

  • Name: Rishabh (CyberRishabh)
  • Email: teamcyberrishabh@gmail.com
  • Response time: 24 hours for acknowledgement; 15 days for resolution

You may also escalate unresolved grievances to the Data Protection Board of India once it is operational under the DPDP Act, 2023.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect changes. For newsletter subscribers, material changes will be communicated via email. Continued use of the Service after changes constitutes acceptance of the revised Policy.

14. Contact

Privacy questions, data requests, or complaints: teamcyberrishabh@gmail.com

General feedback: feedback form