Privacy Policy — ScamKit | In-Browser Analysis, No Accounts

Overview

ScamKit is a free, browser-based scam safety toolkit built by Isaiah Shawver. Your privacy matters. This policy explains what data ScamKit collects, how it is used, and how it is stored.

Data Stored in Your Browser

ScamKit stores the following data locally in your browser using localStorage. This data never leaves your device unless you explicitly export it.

Saved cases — URL and email analysis results you choose to save.
Quiz scores and streaks — Your Scam Simulator performance data.
Pro unlock status — Whether Pro features are activated on this browser.
UI preferences — Onboarding tip dismissal and similar settings.

You can clear all locally stored data at any time by clearing your browser's site data for ScamKit, or by using the "Clear All" button on the Reports page.

Analytics and Event Tracking

ScamKit collects anonymous usage events (such as which tools are used and which buttons are clicked) to improve the site. These events include:

Page visited and page title.
Button clicks and tool usage (e.g., "analyzed a URL", "started quiz").
Timestamp of the event.

Events may be sent to analytics providers (currently Google Analytics) to measure usage trends. ScamKit does not send message text, email body content, or saved case content as analytics payloads.

Error Reporting

ScamKit uses Sentry for error tracking to identify and fix bugs. When an error occurs, Sentry may collect technical information such as the browser type, operating system, and the error message. Sentry is configured with sendDefaultPii: false, meaning no personally identifiable information is sent.

Server-Side Processing

When you use certain features, data is sent to ScamKit's serverless functions hosted on Netlify for processing:

URL Analysis — The URL you submit is checked for redirects on the server. The URL is not stored after analysis.
Pro Code Verification — Your access code is sent to the server for validation. Codes are compared in memory and not logged.
Threat-intel lookups — The URL or domain you submit may be forwarded to Google Safe Browsing, AlienVault OTX, AbuseIPDB, and abuse.ch URLhaus for threat intelligence. These services have their own privacy policies.

Rate limiting uses your IP address (from request headers) to prevent abuse. IP addresses are stored in memory only and are not persisted or logged.

For the daily-scan quota (2 scans/day for guests, 10/day for confirmed accounts), the server tracks how many scans an identifier has run today. The identifier is your Supabase user ID if you’re signed in, or a salted SHA-256 hash of your IP if you’re a guest — we never store your raw IP. Counters reset daily and old rows are pruned periodically.

Signups are protected by Google reCAPTCHA. Your browser exchanges a short-lived token with Google to prove it’s not an automated bot. Google may process IP-level and behavioural data to score the challenge; see Google’s privacy policy and terms.

Accounts & Email Storage

Creating a ScamKit account is optional. Without an account you get 2 free scans a day; signing in raises that to 10 scans a day. When you create an account, we use Supabase (a third-party authentication and database provider) to handle sign-in.

What we store — Your email address, a securely hashed password, and an account creation timestamp. Email confirmation, password reset, and session tokens are also handled by Supabase.
Where it lives — In a managed Supabase Postgres database under our project. ScamKit administrators can see your email address in order to provide support and detect abuse.
What we don’t do — We don’t sell, rent, or share account emails with advertisers or third parties. We don’t link your account email to the messages, URLs, or phone numbers you scan; scan content is processed without being attached to your identity.
Deleting your data — You can delete your account directly from your account page at any time. Deletion removes your row from Supabase auth and clears the daily-scan rows tied to your user ID. If you can’t access the page (e.g. you forgot your password), email us via the contact form and we’ll remove it manually.

For Supabase’s own data practices, see Supabase’s privacy policy at supabase.com/privacy.

Third-Party Services

Supabase — Hosts authentication and stores account emails for sign-in. See "Accounts & Email Storage" above.
Google reCAPTCHA — Bot protection on the signup form. Google may receive your IP and limited interaction signals per their privacy policy.
Google Fonts — Fonts are loaded from Google's CDN. Google may collect usage data per their privacy policy.
Sentry — Error reporting service. See Sentry's privacy policy for details.
Gumroad — Used for product purchases and subscriptions. Purchases are handled entirely by Gumroad under their privacy policy.
Google Safe Browsing, AlienVault OTX, AbuseIPDB, and abuse.ch (URLhaus) — Threat-intel lookups send queries to these services for reputation and pulse data.

Cookies

ScamKit does not set tracking cookies. App data is stored using localStorage. If you sign in to an account, Supabase stores a session token in browser storage so you stay signed in — this is essential for the sign-in feature and is not used for tracking.

Children's Privacy

ScamKit is an educational tool and does not knowingly collect personal information from children under 13. The core scam-checking tools can be used without creating an account. If you choose to create an account, you must be 13 or older.

Changes to This Policy

This privacy policy may be updated from time to time. The "Last updated" date at the top of the page will reflect the most recent revision.

Contact

If you have questions about this privacy policy, contact Isaiah Shawver via the contact form.