Privacy Policy
Last updated: March 11, 2026
Overview
ScamKit is a free, browser-based scam safety toolkit built by Isaiah Shawver. Your privacy matters. This policy explains what data ScamKit collects, how it is used, and how it is stored.
Data Stored in Your Browser
ScamKit stores the following data locally in your browser using localStorage. This data never leaves your device unless you explicitly export it.
- Saved cases — URL and email analysis results you choose to save.
- Quiz scores and streaks — Your Scam Simulator performance data.
- Pro unlock status — Whether Pro features are activated on this browser.
- UI preferences — Onboarding tip dismissal and similar settings.
You can clear all locally stored data at any time by clearing your browser's site data for ScamKit, or by using the "Clear All" button on the Reports page.
Analytics and Event Tracking
ScamKit collects anonymous usage events (such as which tools are used and which buttons are clicked) to understand how people use the site and improve the tools. These events include:
- Page visited and page title.
- Button clicks and tool usage (e.g., "analyzed a URL", "started quiz").
- Timestamp of the event.
Events are stored locally in your browser and may be sent to analytics providers (such as Google Analytics or Plausible) if configured. No personally identifiable information (PII) is included in analytics events.
Error Reporting
ScamKit uses Sentry for error tracking to identify and fix bugs. When an error occurs, Sentry may collect technical information such as the browser type, operating system, and the error message. Sentry is configured with sendDefaultPii: false, meaning no personally identifiable information is sent.
Server-Side Processing
When you use certain features, data is sent to ScamKit's serverless functions hosted on Netlify for processing:
- URL Analysis — The URL you submit is checked for redirects on the server. The URL is not stored after analysis.
- Pro Code Verification — Your access code is sent to the server for validation. Codes are compared in memory and not logged.
- VirusTotal and URLhaus lookups (Pro) — The URL or domain you submit is forwarded to third-party APIs for threat intelligence. These services have their own privacy policies.
Rate limiting uses your IP address (from request headers) to prevent abuse. IP addresses are stored in memory only and are not persisted or logged.
Third-Party Services
- Google Fonts — Fonts are loaded from Google's CDN. Google may collect usage data per their privacy policy.
- Sentry — Error reporting service. See Sentry's privacy policy for details.
- Gumroad — Used for product purchases and subscriptions. Purchases are handled entirely by Gumroad under their privacy policy.
- VirusTotal and abuse.ch (URLhaus) — Pro features send queries to these services for threat intelligence lookups.
Cookies
ScamKit does not set any cookies. All client-side data is stored using localStorage.
Children's Privacy
ScamKit is an educational tool and does not knowingly collect personal information from children under 13. No account creation or personal data submission is required to use the free tools.
Changes to This Policy
This privacy policy may be updated from time to time. The "Last updated" date at the top of the page will reflect the most recent revision.
Contact
If you have questions about this privacy policy, contact Isaiah Shawver via the contact form.