We don't sell your data. We don't train models on it.
You're handing us a message you don't know whether to trust. So you have to be able to trust us. Here's everything we do.
"Selling data isn't an accident. If someone does it, it's a business model. Ours isn't." - Data protection officer
Three clicks in the dashboard.
Access (Art. 15), portability (Art. 20), erasure (Art. 17). No lawyer, no ticket system.
Servers in Frankfurt & Falkenstein.
Database, cache, object storage - all in EU data centers. Data leaves the EU only on its way to the AI provider.
No cookies. No pixels.
This page loads two web fonts and nothing else. No Google Analytics, Meta pixel, or LinkedIn Insight.
What we store - and what we don't.
When you check a message, we look only at what's needed. What actually hits disk is listed here.
- The message itself: Plain text you submit - so we can analyze it. Encrypted on EU storage. You can delete it any time.
- The verdict + signals: So you can recall a report later without us re-analyzing.
- Your IP, hashed: We don't store your IP. We store a hash used only to count rate limits. Not reversible.
- Audit log (with an account): When you created a token, added an alias, or deleted a report. Append-only - for your transparency.
- Not stored: No raw IPs, no browser fingerprints, no geolocation, no cookies (besides session at login), no cross-site tracking, no device IDs.
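The "Your IP, hashed" item above describes a counter keyed by a hash rather than by the address itself. The following is an added illustration (not Scampilot's code) of how such a rate limiter can work; the pepper value, window size and limit are constructed for the example. It uses a keyed hash (HMAC-SHA256 with a server-held secret) rather than a bare SHA-256, because the IPv4 address space is small enough to enumerate and a plain hash of it could otherwise be reversed by brute force.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed server-side secret for this example. In a real deployment it lives in a
# secrets store and is rotated; it must never be committed with the code.
RATE_LIMIT_PEPPER = b"constructed-example-pepper-rotate-me"
WINDOW_SECONDS = 60
MAX_PER_WINDOW = 20


def client_key(ip: str, pepper: bytes = RATE_LIMIT_PEPPER) -> str:
    """Keyed, non-reversible identifier for a client address.

    HMAC with a secret pepper gives a stable key for counting, while an attacker
    who obtains the stored keys (but not the pepper) cannot enumerate all IPv4
    addresses to map them back.
    """
    return hmac.new(pepper, ip.encode("ascii"), hashlib.sha256).hexdigest()


class RateLimiter:
    """Sliding-window counter that only ever stores hashed client keys."""

    def __init__(self, max_per_window: int = MAX_PER_WINDOW, window: int = WINDOW_SECONDS):
        self.max = max_per_window
        self.window = window
        # hashed key -> timestamps of requests inside the current window
        self.buckets = defaultdict(list)

    def allow(self, ip: str, now=None) -> bool:
        """Return True if the request may proceed, False if the limit is hit.

        The raw IP is used only to derive the key here; it is not kept.
        """
        now = time.time() if now is None else now
        key = client_key(ip)
        hits = [t for t in self.buckets[key] if now - t < self.window]
        if len(hits) >= self.max:
            self.buckets[key] = hits
            return False
        hits.append(now)
        self.buckets[key] = hits
        return True

    def stored_keys(self) -> set:
        """What actually persists: hashed keys only."""
        return set(self.buckets)


if __name__ == "__main__":
    limiter = RateLimiter(max_per_window=3, window=60)
    sample_ip = "203.0.113.7"  # constructed documentation address
    print([limiter.allow(sample_ip, now=1000.0) for _ in range(4)])  # three allowed, fourth blocked
    print(limiter.stored_keys())  # no raw address in sight
```

The `now` parameter exists so the window logic can be exercised deterministically; production callers simply omit it.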
Six patterns - named in every report.
You see these exact signals under "Why we think so". They're stable and won't be silently renamed.
| Signal | Meaning |
|---|---|
| `urgency` Urgency | "Final warning", "24 hours", "act now" - time pressure keeps you from thinking. |
| `credential_request` Credential request | Asking for password, TAN, or credentials. Real banks and agencies never do this by email. |
| `suspicious_link` Suspicious link | URL points to a domain that doesn't belong to the claimed brand. Obfuscated via subdomain, shortener, or punycode. |
| `lookalike_brand` Brand imitation | Domain or sender impersonates a known brand (paypa1.com, sparkasse-de.io). Also logo theft inside the mail body. |
| `payment_demand` Payment demand | Demand for payment - often small amounts (fees, customs) on phishing pages that harvest your card. |
| `external_reputation` External database | URL flagged by Google Safe Browsing or PhishTank. 24-hour cache, transparent source. |
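To make the signal table concrete, here is an added example (not Scampilot's analyzer) of a small rule-based checker that emits the first five identifiers from the table over a message. The brand list, phrase lists, shortener list and the three sample messages are constructed for the example; `external_reputation` is left out because it needs a live lookup against Safe Browsing or PhishTank. The lookalike check folds common digit-for-letter substitutions (paypa1 → paypal) before comparing, which is the general form of the `paypa1.com` case in the table.

```python
import re
from urllib.parse import urlparse

# Constructed reference data: brands and the domains that legitimately belong to them.
KNOWN_BRANDS = {
    "paypal": {"paypal.com", "paypal.de"},
    "sparkasse": {"sparkasse.de"},
}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

URGENCY_RE = re.compile(r"final warning|within 24 hours|act now|immediately|will be suspended", re.I)
CREDENTIAL_RE = re.compile(r"\b(password|passwort|tan|pin|login details|credentials)\b", re.I)
PAYMENT_RE = re.compile(r"\b(fee|customs|outstanding (amount|payment)|pay now)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registrable_domain(host: str) -> str:
    # Last two labels only; a real implementation should consult the public suffix list.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_like(domain: str, brand: str) -> bool:
    """True if the domain imitates the brand but is not one of its official domains."""
    if domain in KNOWN_BRANDS[brand]:
        return False
    label = domain.split(".")[0]
    # undo typical substitutions before comparing: 1->l, 0->o, 3->e, 7->t
    normalised = label.translate(str.maketrans("1037", "loet"))
    return brand in label or brand in normalised


def analyze(message: str) -> list:
    """Return the sorted list of signal identifiers that fire on the message."""
    signals = set()
    low = message.lower()
    if URGENCY_RE.search(message):
        signals.add("urgency")
    if CREDENTIAL_RE.search(message):
        signals.add("credential_request")
    if PAYMENT_RE.search(message):
        signals.add("payment_demand")
    mentioned = [b for b in KNOWN_BRANDS if b in low]
    for url in URL_RE.findall(message):
        host = (urlparse(url).hostname or "").lower()
        dom = registrable_domain(host)
        if "xn--" in host or dom in SHORTENERS:      # punycode or shortener
            signals.add("suspicious_link")
        for brand in mentioned:
            if dom not in KNOWN_BRANDS[brand]:       # claims a brand, links elsewhere
                signals.add("suspicious_link")
            if looks_like(dom, brand):
                signals.add("lookalike_brand")
        # brand name hidden in a subdomain of an unrelated domain, e.g. paypal.com.example.net
        if host != dom and any(b in host.split(dom)[0] for b in KNOWN_BRANDS):
            signals.add("suspicious_link")
    return sorted(signals)


# Constructed sample messages for demonstration.
SAMPLE_PHISH = ("FINAL WARNING: your PayPal account will be suspended within 24 hours. "
                "Confirm your password at https://paypa1.com/signin")
SAMPLE_PARCEL = "Your parcel is waiting. Pay the customs fee now at https://bit.ly/abc123"
SAMPLE_LEGIT = ("Hello, your March statement is ready in your PayPal account: "
                "https://www.paypal.com/myaccount/statements")

if __name__ == "__main__":
    for name, msg in [("phish", SAMPLE_PHISH), ("parcel", SAMPLE_PARCEL), ("legit", SAMPLE_LEGIT)]:
        print(name, analyze(msg))
```

Each rule is deliberately independent so that a report can list every signal that fired, which is what the table above promises ("named in every report").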
GDPR as a button.
Three buttons in the dashboard. That's all you need.
Right of access
What data do we hold? Available any time as JSON export - without writing an email.
/settings/security/audit
Data portability
Everything we store about you as a ZIP. With reports, aliases, audit trail. Generated async, delivered via mail link.
/settings/security/export
Right to erasure
Type-to-confirm, async deletion cascade, a single tombstone entry remains - to prove deletion to regulators.
/settings/security/delete
Who else reads along - by name.
To make Scampilot work we share data with a small set of other services. Full list:
| Service | For | Region | DPA |
|---|---|---|---|
| AI provider | AI analysis of message content | USA (EU SCC) | signed |
| Email provider | Inbound and outbound email | USA (EU SCC) | signed |
| Hosting | App servers, database, object storage | Germany (Falkenstein, Nuremberg) | signed |
| Error telemetry (EU) | Error telemetry (10 % sample rate) | Frankfurt | signed |
| Safe Browsing & PhishTank | URL reputation databases | URLs only, no content | public API |
Full privacy notice with legal bases and retention periods at /legal/privacy.
How we secure Scampilot itself.
Authentication, tokens, transport, storage - the whole list.
Authentication
Password login with Argon2id hashing. Optional: TOTP 2FA and WebAuthn hardware keys. Session cookies are HttpOnly, SameSite=Lax, Secure.
API tokens
Bearer tokens with per-token abilities. Hash-on-store (sha256) - even we see the plaintext only once, at creation.
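As an added illustration of the "hash-on-store" pattern above (example code, not Scampilot's implementation), the store below keeps only the SHA-256 digest of each token together with its abilities; the plaintext is returned once from `create()` and never written. The ability names and token format are constructed for the example. Unlike passwords, which the Authentication section hashes with Argon2id, these tokens are high-entropy random strings, so a fast unsalted hash is appropriate: there is nothing for an offline guessing attack to guess.

```python
import hashlib
import secrets


class TokenStore:
    """API tokens stored as sha256 digests with per-token abilities."""

    def __init__(self):
        # sha256 hex digest -> {"name": str, "abilities": frozenset}
        self._by_digest = {}

    @staticmethod
    def _digest(plaintext: str) -> str:
        return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()

    def create(self, name: str, abilities) -> str:
        """Create a token and return its plaintext. This is the only time it exists."""
        plaintext = secrets.token_urlsafe(32)  # 256 bits of entropy; format constructed for the example
        self._by_digest[self._digest(plaintext)] = {
            "name": name,
            "abilities": frozenset(abilities),
        }
        return plaintext

    def can(self, presented: str, ability: str) -> bool:
        """Authorize a bearer token for one ability by hashing what the client sent."""
        row = self._by_digest.get(self._digest(presented))
        return row is not None and ability in row["abilities"]

    def revoke(self, name: str) -> bool:
        """Revoke by token name (what a dashboard knows); no plaintext is needed."""
        before = len(self._by_digest)
        self._by_digest = {d: r for d, r in self._by_digest.items() if r["name"] != name}
        return len(self._by_digest) < before

    def stored_digests(self) -> list:
        """What would reach disk: digests only."""
        return list(self._by_digest)


if __name__ == "__main__":
    store = TokenStore()
    token = store.create("ci-bot", {"reports:read"})
    print("show once:", token)
    print("read allowed:", store.can(token, "reports:read"))
    print("delete allowed:", store.can(token, "reports:delete"))
    print("on disk:", store.stored_digests())
```

Because lookup hashes the presented value and indexes by digest, a database dump reveals nothing usable: an attacker would need a preimage of SHA-256 over a 256-bit random input.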
Transport
TLS 1.3, HSTS with a 6-month max-age. No mixed-content risk because all assets are referenced by relative URLs.
Storage encryption
Full-disk on all DB hosts. Backups with a dedicated key, managed separately. Object storage server-side encrypted.
CSRF + CORS
CSRF tokens on every form POST. API is stateless without cookie auth. The upcoming browser extension uses explicit Chrome/Firefox origins, no wildcards.
Audit & telemetry
Privileged actions append-only into the audit log. Unhandled errors to EU error telemetry at a 10 % sample rate, always without payload.
What Scampilot won't do - now or ever.
The promises we won't break. Not even when a business tier ships.
We don't sell data.
To anyone. Not "anonymized" or "aggregated" either. Our business model is future paid tiers for pro users - not your content.
We don't train models on your messages.
The only training source we trust is our eval set of 30 manually labelled fixtures. Your mail goes nowhere.
We don't read along.
We have no access to individual messages - unless you explicitly forward one for error analysis.
No ads - on the site or by email.
If you delete your account, you won't hear from us again - except the legally required deletion confirmation.
