ScamGuard Privacy Policy

Last updated: June 12, 2026

ScamGuard is a browser extension that helps you avoid scam websites. This policy describes exactly what data the extension sends to our servers, what we store, and what we never collect. Our backend is open source, so every claim below can be verified in code.

What we collect

• An anonymous ID. On install, the extension generates a random identifier (a UUID) stored only in your browser. It is not derived from, or linked to, your name, email, Google account, IP address, or any other identity. It exists so we can enforce fair-use limits and credit your contributions.
• Domain names you check. When the extension performs a cloud check, it sends the domain name of the site (for example, example.com) — never the full URL, never the page content, and never your search terms or form data. Results are cached server-side per domain, not per user: we do not keep a record of which user checked which domain.
• Reports you choose to submit. If you report a site, we store the domain, your verdict (scam / suspicious / looks legit), your optional comment, and your anonymous ID. Comments are not displayed publicly; they are used only for verifying reports.

What we never collect

• Your browsing history. There is no server-side record of which sites any user has visited or checked.
• Full URLs, page contents, keystrokes, form inputs, or credentials.
• Your name, email address, or any account information — there are no accounts.
• Advertising identifiers. We do not sell or share personal data with advertisers or data brokers, and we never will.

How data is used

• Domain checks are evaluated against threat databases (Google Safe Browsing, urlscan.io), public domain-registration records, and aggregated community reports, then returned to your browser.
• Community reports contribute to a shared, aggregate trust signal for each domain. Verified reports may earn the reporting user premium features, credited to the anonymous ID.
• We may publish or license aggregated, non-identifying threat intelligence (for example, lists of domains flagged as scams). This never includes anonymous IDs, comments, or any per-user information.

Third-party services

Cloud checks are processed by our backend hosted on Railway, which queries Google Safe Browsing, urlscan.io, and public RDAP registries server-side. The domain being checked is shared with those services as part of the lookup; your anonymous ID is not.

Data retention and deletion

• Cached check results expire automatically within 24 hours.
• Reports are retained while they remain useful for community protection.
• You can erase everything at any time. The extension can request deletion of all data tied to your anonymous ID — reports, credits, and the ID itself. This is immediate and permanent.

Disputes

If you operate a website that you believe has been incorrectly flagged, contact us by opening an issue at our public repository and we will review the flag promptly.

Changes

If this policy changes, the date above will be updated. Material changes will be noted in the extension's release notes.