Privacy Policy

How ScamGuard handles, protects, and respects your data.

What We Collect

When you use ScamGuard, a WebyStudio product, we collect only the minimum data necessary to provide the service:

• **Account info**: Email address and password hash (never stored in plaintext)
• **Scan URLs**: URLs you submit for analysis — retained for 90 days, then anonymized
• **Usage metrics**: Scan counts, API usage, and fair-use limit status (no message content stored in metrics)
• **Device info**: Browser user-agent and IP address for rate limiting and abuse prevention

We do NOT collect: browsing history, contacts, personal files, or any data beyond what's listed above.

How We Use Your Data

Your data is used exclusively to:

• Provide scam and phishing detection services
• Improve our detection models (anonymized scan results only)
• Prevent abuse and enforce rate limits
• Send critical service notifications (security breaches, terms changes)

We never sell, rent, or share your personal data with third parties for marketing purposes.

Data Retention

• **Active accounts**: Data retained for the lifetime of your account
• **Scan history**: Retained 90 days, then user_id is anonymized (threat intelligence data is retained)
• **Deleted accounts**: All personal data is hard-deleted within 30 days (GDPR right to erasure)
• **Audit logs**: Retained 1 year for security incident investigation

Cookies & Session Management

ScamGuard uses httpOnly cookies for session management:

• **sg_access**: Short-lived access token (24 hours, httpOnly, not accessible via JavaScript)
• **sg_refresh**: Long-lived refresh token (30 days, httpOnly)
• **sg_user**: Non-sensitive user info for UI display (email, tier — not a secret)

We do not use third-party tracking cookies, advertising pixels, or analytics trackers.

Third-Party Services

ScamGuard integrates with these third-party services:

• **Firebase Authentication** (Google): Handles login and OAuth — subject to Google's privacy policy
• **Stripe / Razorpay**: Payment processing only if a paid enterprise, sponsor, or custom workflow is initiated — no card numbers touch our servers
• **Threat intelligence feeds** (URLhaus, OpenPhish, PhishStats): Public data, no personal info

Each service operates under its own privacy policy. We share only the minimum data required.

Your Rights

Under GDPR, CCPA, and other privacy regulations, you have the right to:

• **Access**: Request a copy of your personal data
• **Rectification**: Correct inaccurate data
• **Erasure**: Delete your account and all personal data (available in Settings)
• **Portability**: Export your data in machine-readable format
• **Objection**: Object to processing for specific purposes

To exercise these rights, contact WebyStudio at https://webystudio.in or use the account settings page.

Security

We implement industry-standard security measures:

• All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Passwords hashed with bcrypt (never stored in plaintext)
• httpOnly cookies prevent XSS-based session theft
• CORS policies restrict cross-origin data access
• Regular security audits and dependency vulnerability scanning

No system is perfectly secure. If you discover a vulnerability, please contact WebyStudio through https://webystudio.in.

Contact

For privacy-related questions or concerns:

• WebyStudio: https://webystudio.in
• Response time: Within 30 days (as required by GDPR)

Last updated: May 2026