Trust is not a feature. It's the precondition.
You hand us suspicious messages - sometimes your most private ones. How we treat them is written here, with no fine print.
Four commitments that shape everything else.
Servers in the EU
Hosted in Frankfurt and Falkenstein. No data flows to the US, no third-country transfer of app data.
No model training
Your messages train no model. They are used to analyze - not to learn from, not to sell.
No data resale
No ads, no trackers, no resale. The business model is future company licences, not your data.
Encrypted & minimal
TLS everywhere, encryption at rest. We store as little as possible, for as short as needed.
What happens to your message.
It depends on how you check - laid out transparently.
Anonymous check (paste)
Without an account, content is processed only for the analysis and not stored persistently. Rate limiting via hashed IP - no cookies, no fingerprinting.
Check with an account
Reports appear in your history so you can read along. You can delete any report and your whole account at any time.
Reputation cache
We cache URL reputations for up to 24 hours. That saves cost and adds speed - and concerns metadata, not your message text.
What we store - and what we don't.
When you check a message, we look only at what's needed. What actually hits disk is listed here.
- The message itselfPlain text you submit - so we can analyze it. Encrypted on EU storage. You can delete it any time.
- The verdict + signalsSo you can recall a report later without us re-analyzing.
- Your IP, hashedWe don't store your IP. We store a hash used only to count rate limits. Not reversible.
- Audit log (with an account)When you created a token, added an alias, or deleted a report. Append-only - for your transparency.
- Not storedNo raw IPs, no browser fingerprints, no geolocation, no cookies (besides session at login), no cross-site tracking, no device IDs.
Six patterns - named in every report.
You see these exact signals under „Why we think so“. They're stable and won't be silently renamed.
| Signal | Meaning |
|---|---|
| urgency Urgency | "Final warning", "24 hours", "act now" - time pressure keeps you from thinking. |
| credential_request Credential request | Asking for password, TAN, or credentials. Real banks and agencies never do this by email. |
| suspicious_link Suspicious link | URL points to a domain that doesn't belong to the claimed brand. Obfuscated via subdomain, shortener, or punycode. |
| lookalike_brand Brand imitation | Domain or sender impersonates a known brand (paypa1.com, sparkasse-de.io). Also logo theft inside the mail body. |
| payment_demand Payment demand | Demand for payment - often small amounts (fees, customs) on phishing pages that harvest your card. |
| external_reputation External database | URL flagged by Google Safe Browsing or PhishTank. 24-hour cache, transparent source. |
GDPR as a button.
Three buttons in the dashboard. That's all you need.
Right of access
What data do we hold? Available any time as JSON export - without writing an email.
/settings/security/auditData portability
Everything we store about you as a ZIP. With reports, aliases, audit trail. Generated async, delivered via mail link.
/settings/security/exportRight to erasure
Type-to-confirm, async deletion cascade, a single tombstone entry remains - to prove deletion to regulators.
/settings/security/deleteWho else reads along - by name.
To make Scampilot work we share data with a small set of other services. Full list:
| Service | For | Region | DPA |
|---|---|---|---|
| AI provider | AI analysis of message content | USA (EU SCC) | signed |
| Email provider | Inbound and outbound email | USA (EU SCC) | signed |
| Hosting | App servers, database, object storage | Germany (Falkenstein, Nuremberg) | signed |
| Error telemetry (EU) | Error telemetry (10 % sample rate) | Frankfurt | signed |
| Safe Browsing & PhishTank | URL reputation databases | URLs only, no content | public API |
Full privacy notice with legal bases and retention periods at /legal/privacy.
How we secure Scampilot itself.
Authentication, tokens, transport, storage - the whole list.
Authentication
Password login with Argon2id hashing. Optional: TOTP 2FA and WebAuthn hardware keys. Session cookies are HttpOnly, SameSite=Lax, Secure.
API tokens
Bearer tokens with per-token abilities. Hash-on-store (sha256) - even we only see the plaintext once at creation.
Transport
TLS 1.3, HSTS with a 6-month header. No mixed-content risks because all assets use relative URLs.
Storage encryption
Full-disk on all DB hosts. Backups with a dedicated key, managed separately. Object storage server-side encrypted.
CSRF + CORS
CSRF tokens on every form POST. API is stateless without cookie auth. The browser extension uses explicit Chrome/Firefox origins, no wildcards.
Audit & telemetry
Privileged actions append-only into the audit log. Unhandled errors to EU error telemetry at a 10 % sample rate, always without payload.
Binding - even after paid tiers.
The promises we won't break. Not even when a business tier ships.
Protecting yourself stays free.
Checking is and stays free. Only the optional family and company layers are ever paid for, later - not your content.
No ads in reports.
No "Powered by" banners, no cross-sell hints. A report contains the verdict and nothing else.
If we ever sell, we'll say so.
An acquisition only binds these promises insofar as we make them public. That is why they are here.
"Selling data isn't an accident. If someone does it, it's a business model. Ours isn't."- Pixel & Process UG, Lübeck
Frequently asked questions
Where does Scampilot store my data?
Only on EU servers (Germany). There are no data flows to the US, and content is never used for model training.
Does Scampilot set tracking cookies?
No. No tracking pixels, no analytics cookies outside the session, and no raw IP storage - IPs are hashed. Analytics load only after explicit consent.
Is Scampilot GDPR-compliant?
Yes. EU hosting, a full subprocessor list, and you can export or permanently delete your data from the dashboard with one click.
