Skip to content
Security & privacy

Trust is not a feature. It's the precondition.

You hand us suspicious messages - sometimes your most private ones. How we treat them is written here, with no fine print.

01
The principles

Four commitments that shape everything else.

Servers in the EU

Hosted in Frankfurt and Falkenstein. No data flows to the US, no third-country transfer of app data.

No model training

Your messages train no model. They are used to analyze - not to learn from, not to sell.

No data resale

No ads, no trackers, no resale. The business model is future company licences, not your data.

Encrypted & minimal

TLS everywhere, encryption at rest. We store as little as possible, for as short as needed.

02
Data lifecycle

What happens to your message.

It depends on how you check - laid out transparently.

01

Anonymous check (paste)

Without an account, content is processed only for the analysis and not stored persistently. Rate limiting via hashed IP - no cookies, no fingerprinting.

02

Check with an account

Reports appear in your history so you can read along. You can delete any report and your whole account at any time.

03

Reputation cache

We cache URL reputations for up to 24 hours. That saves cost and adds speed - and concerns metadata, not your message text.

03
Inventory

What we store - and what we don't.

When you check a message, we look only at what's needed. What actually hits disk is listed here.

  • The message itselfPlain text you submit - so we can analyze it. Encrypted on EU storage. You can delete it any time.
  • The verdict + signalsSo you can recall a report later without us re-analyzing.
  • Your IP, hashedWe don't store your IP. We store a hash used only to count rate limits. Not reversible.
  • Audit log (with an account)When you created a token, added an alias, or deleted a report. Append-only - for your transparency.
  • Not storedNo raw IPs, no browser fingerprints, no geolocation, no cookies (besides session at login), no cross-site tracking, no device IDs.
04
Methodology

Six patterns - named in every report.

You see these exact signals under „Why we think so“. They're stable and won't be silently renamed.

Signal Meaning
urgency
Urgency
"Final warning", "24 hours", "act now" - time pressure keeps you from thinking.
credential_request
Credential request
Asking for password, TAN, or credentials. Real banks and agencies never do this by email.
suspicious_link
Suspicious link
URL points to a domain that doesn't belong to the claimed brand. Obfuscated via subdomain, shortener, or punycode.
lookalike_brand
Brand imitation
Domain or sender impersonates a known brand (paypa1.com, sparkasse-de.io). Also logo theft inside the mail body.
payment_demand
Payment demand
Demand for payment - often small amounts (fees, customs) on phishing pages that harvest your card.
external_reputation
External database
URL flagged by Google Safe Browsing or PhishTank. 24-hour cache, transparent source.
05
Your rights

GDPR as a button.

Three buttons in the dashboard. That's all you need.

Article 15

Right of access

What data do we hold? Available any time as JSON export - without writing an email.

/settings/security/audit
Article 20

Data portability

Everything we store about you as a ZIP. With reports, aliases, audit trail. Generated async, delivered via mail link.

/settings/security/export
Article 17

Right to erasure

Type-to-confirm, async deletion cascade, a single tombstone entry remains - to prove deletion to regulators.

/settings/security/delete
06
Supply chain

Who else reads along - by name.

To make Scampilot work we share data with a small set of other services. Full list:

ServiceForRegionDPA
AI providerAI analysis of message contentUSA (EU SCC)signed
Email providerInbound and outbound emailUSA (EU SCC)signed
HostingApp servers, database, object storageGermany (Falkenstein, Nuremberg)signed
Error telemetry (EU)Error telemetry (10 % sample rate)Frankfurtsigned
Safe Browsing & PhishTankURL reputation databasesURLs only, no contentpublic API

Full privacy notice with legal bases and retention periods at /legal/privacy.

07
Operations

How we secure Scampilot itself.

Authentication, tokens, transport, storage - the whole list.

Authentication

Password login with Argon2id hashing. Optional: TOTP 2FA and WebAuthn hardware keys. Session cookies are HttpOnly, SameSite=Lax, Secure.

API tokens

Bearer tokens with per-token abilities. Hash-on-store (sha256) - even we only see the plaintext once at creation.

Transport

TLS 1.3, HSTS with a 6-month header. No mixed-content risks because all assets use relative URLs.

Storage encryption

Full-disk on all DB hosts. Backups with a dedicated key, managed separately. Object storage server-side encrypted.

CSRF + CORS

CSRF tokens on every form POST. API is stateless without cookie auth. The browser extension uses explicit Chrome/Firefox origins, no wildcards.

Audit & telemetry

Privileged actions append-only into the audit log. Unhandled errors to EU error telemetry at a 10 % sample rate, always without payload.

08
Three promises

Binding - even after paid tiers.

The promises we won't break. Not even when a business tier ships.

01

Protecting yourself stays free.

Checking is and stays free. Only the optional family and company layers are ever paid for, later - not your content.

02

No ads in reports.

No "Powered by" banners, no cross-sell hints. A report contains the verdict and nothing else.

03

If we ever sell, we'll say so.

An acquisition only binds these promises insofar as we make them public. That is why they are here.

"Selling data isn't an accident. If someone does it, it's a business model. Ours isn't."- Pixel & Process UG, Lübeck

Frequently asked questions

Where does Scampilot store my data?

Only on EU servers (Germany). There are no data flows to the US, and content is never used for model training.

Does Scampilot set tracking cookies?

No. No tracking pixels, no analytics cookies outside the session, and no raw IP storage - IPs are hashed. Analytics load only after explicit consent.

Is Scampilot GDPR-compliant?

Yes. EU hosting, a full subprocessor list, and you can export or permanently delete your data from the dashboard with one click.