Questions we actually get.
Including the awkward ones. If your question isn't here, write to us - we'll add it the second time someone asks.
For users
Do I need an account to use Scampilot?
No. You can paste a message at scampilot.de/check and get a verdict instantly. Up to 3 checks per day are free without an account. A free account raises that to 20 checks per day.
What does an account give me?
Your own forwarding address for suspicious mails, burner aliases for family members, and all your reports in one dashboard. Your daily quota goes up to 2880.
How accurate is the verdict?
Every report carries a confidence score between 0 and 100. Below 60, Scampilot automatically escalates to a more precise model. On our 30-fixture eval set we hit 100 % accuracy - and never a false "safe" on an actual scam.
What if Scampilot flags a harmless email as a scam?
It happens. We tune toward caution - better one extra "warn" than one missed "danger". The report shows the specific signals so you can double-check the reasoning. We're a co-pilot, not the captain.
What if Scampilot marks a real scam as safe?
That would be the worst case. It doesn't happen on our eval set - but we don't claim it never will. If something feels off about a "safe" message, trust your gut. And email us - every wrong call helps us improve.
Does it work for Swiss German or Austrian dialects?
Heuristic keywords are tuned primarily for standard German and English today. The AI analysis handles most dialects and mixed-language mails. Swiss German and strong Austrian phrasing are on the roadmap.
Privacy & trust
Where is my data stored?
In German data centers (Falkenstein and Nuremberg). Database, object storage, and cache are all in the EU. AI analysis runs through an AI provider under EU Standard Contractual Clauses. More details on the security page.
Do you read my messages?
No - not in the "click-through" sense. The message goes through an automated pipeline, an AI model analyzes it, and the result lands in your report. No one on the Scampilot team reads your mail - unless you explicitly forward one for error analysis.
Do you sell my data?
No. Not "anonymized" or "aggregated" either. Our business model is the future business tier for company integrations - not your content.
How do I delete my data?
In the dashboard at /settings/security/delete. Type-to-confirm, then the deletion cascade runs asynchronously. What remains: a tombstone audit entry to prove to authorities that deletion happened.
Does the AI provider see my mail?
Yes - the plaintext message goes to the AI provider for analysis, under its API terms (no training on content). If that's too much for you, you can use heuristic-only mode: less precise, but purely in the EU.
Families & seniors
Can I set Scampilot up for my mother?
Yes - it's actually the most common use. You create your own account, set up a burner alias like mama@in.scampilot.de, and add a forwarding rule in her mail account. Full walkthrough on the families page.
Is there a family account with multiple logins?
No - by design. Each account belongs to one person. Multiple people don't share a login; they forward to burner aliases. That protects each person individually, even if one account is compromised.
What if I'm unreachable and my mom clicks anyway?
Scampilot can't prevent clicks - we're not a browser firewall. What we can do: help your mom check before clicking. If something already happened, the browser extension (coming soon) will be the fastest way to check an already-open page against our reputation database.
Developers & integration
Is there an OpenAPI spec?
Yes, at scampilot.de/docs/api. Generated from PHP annotations - always current, no drift between docs and code. Downloadable as openapi.json.
What does the API cost?
Free for personal use (2880 requests per day, shared bucket across all tokens). For company integrations a business tier is coming - see pricing.
What happens if the AI provider goes down?
Scampilot falls back to a heuristic and keeps answering. The model_used field becomes heuristic-fallback so your client can decide whether to retry once the AI provider is back.
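One way a client can act on that field, as an added example and not Scampilot's own code. Only `model_used` and the value `heuristic-fallback` come from this page; the field names `verdict`, `confidence` and `id`, the `"ai"` value and the sample reports are assumptions, so check the OpenAPI spec for the real names.

```python
from dataclasses import dataclass

FALLBACK = "heuristic-fallback"  # model_used value named on this page
LOW_CONFIDENCE = 60              # page: below 60 the service itself escalates
VERDICTS = ("safe", "warn", "danger")

@dataclass(frozen=True)
class Decision:
    action: str    # "block", "caution" or "allow"
    recheck: bool  # submit the message again once AI analysis is back
    reason: str

def triage(report: dict) -> Decision:
    """Turn one report into a client action, failing toward caution."""
    verdict = report.get("verdict")        # assumed field name
    confidence = report.get("confidence")  # assumed field name, 0..100
    if (verdict not in VERDICTS or isinstance(confidence, bool)
            or not isinstance(confidence, (int, float))
            or not 0 <= confidence <= 100):
        return Decision("caution", True, "malformed report")
    if verdict == "danger":
        # A fallback can still block; it just must not clear a message.
        return Decision("block", False, "danger verdict")
    if report.get("model_used") == FALLBACK:
        return Decision("caution", True, "heuristic fallback, no AI analysis")
    if verdict == "warn" or confidence < LOW_CONFIDENCE:
        return Decision("caution", False, "warn verdict or low confidence")
    return Decision("allow", False, "confident safe from full analysis")

def pending_rechecks(reports: list) -> list:
    """Ids (assumed field) of reports worth re-submitting later."""
    return [r.get("id") for r in reports if triage(r).recheck]

# Constructed sample reports, not real API output.
SAMPLE = [
    {"id": "r1", "verdict": "safe", "confidence": 91, "model_used": "ai"},
    {"id": "r2", "verdict": "safe", "confidence": 88, "model_used": FALLBACK},
    {"id": "r3", "verdict": "danger", "confidence": 70, "model_used": FALLBACK},
    {"id": "r4", "verdict": "safe", "confidence": 42, "model_used": "ai"},
    {"id": "r5", "verdict": "safe", "model_used": "ai"},
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r["id"], triage(r))
    print("recheck:", pending_rechecks(SAMPLE))
```

The point of the ordering is that a fallback result may still block a message but never clears one: a "safe" from the heuristic is held as "caution" until a full analysis replaces it.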
How do I wire the MCP server into Claude Desktop?
Add a scampilot entry to your Claude Desktop config with http transport and a bearer token. Full example on the developers page.
Can I self-host Scampilot?
No. Scampilot is not open source and cannot be self-hosted. You use it as a hosted service - via web, mail forwarding, Telegram, the browser extension (coming soon), or the API.
About the product
Why a duck with a pilot helmet?
Because we're the co-pilot through scam-infested waters - and a friendly mascot invites embarrassing questions more readily than a padlock icon. Senior testers liked the duck. That was enough for us.
Who's behind Scampilot?
A small team in Berlin. One engineer, one security advisor, one UX designer with a seniors background. We build this because our own families needed it and nothing fitting existed.
How do you make money?
Today: not directly. We carry the server costs out of pocket, funded by consulting. Mid-term: a business tier for company integrations.
Do you have an app?
No, and we don't plan to. Telegram and soon the browser extension cover the mobile use cases more cheaply. The web app works offline once loaded.
What's coming next?
A public stats page with volume and verdict distribution over the last 30 days. Our own reputation feed of German phishing domains. Heuristics for Austrian and Swiss dialects.
Write to us.
We reply personally. No ticket system, no bot. General feedback welcome. Bug reports even more so.
