Skip to main content

Privacy Policy

Effective Date: March 2026

Who We Are

Scam Support operates scam.support, a free email fraud analysis service designed to help people — particularly seniors and their caretakers — identify suspicious emails before falling victim to scams. We are operated by Boundary Labs. Our mission is to make email fraud detection accessible to everyone, regardless of technical ability.

Operator: Boundary Labs
Service address: check@scam.support
Privacy inquiries: privacy@scam.support

What Data We Collect

When you forward an email to check@scam.support for analysis, we collect and store the following information:

Your Information (Submitter)

  • Your email address: Your email address (the person forwarding the suspicious email) is stored in plain text in our database. We need your email address to send you risk assessment replies, to deliver TIPS marketing content if you opt in, to set up a caretaker relationship if you request one, and to process STOP (unsubscribe) requests. A one-way cryptographic hash of your email address is also stored for rate limiting and threat intelligence purposes.
  • Email domain: The domain portion of your email address (for example, gmail.com or rogers.com) is stored to help us understand which email providers our users rely on.
  • Inferred country and locale: We infer your approximate country from your email domain (for example, eircom.net suggests Ireland) or from brand signals in the email you forwarded. We also store locale and timezone offset information extracted from your email headers. This helps us provide regionally relevant advice in your risk assessment reply (such as the correct fraud reporting authority for your country).
  • Email client: If your email includes an X-Mailer header, we store the name of your email client (for example, Apple Mail or Outlook).
  • Submission count and last submission date: We track how many emails you have submitted and when you last submitted one.

Suspicious Email Metadata

  • Sender information: The email address of the person or entity who sent the suspicious email is stored as a one-way cryptographic hash. We do not store the suspect sender's original email address in readable form. We also store the sender's domain name and display name for reputation tracking.
  • Subject line: The subject line of the forwarded email is stored to aid in scam template identification and pattern matching.
  • URLs found in the email: All URLs extracted from the email body and HTML content are stored in full (including the complete URL and domain) along with a hash, for reputation tracking and threat intelligence. URLs are also checked against Google Safe Browsing.
  • Email addresses found in the email body: Any email addresses appearing in the body of the forwarded email are extracted and stored as hashes for sender reputation tracking.
  • Attachment metadata: Filenames and MIME types of any attachments are recorded. Attachment content is not stored.

Analysis Results

The risk assessment email you receive includes:

  • Risk level: A categorical risk level (critical, high, medium, or low).
  • Risk score: A numerical score on a scale of 0 to 100 (with a floor of 3 and a ceiling of 97).
  • Explanation: A plain-language explanation of why the email was assessed at a particular risk level. This is generated by AI and sanitized (URLs stripped, HTML removed, character limits enforced) before delivery.
  • Action recommendations: Fixed action steps appropriate to the risk tier (for example, delete and do not reply for critical risk, or exercise caution for medium risk).
  • Education text: General safety guidance relevant to the type of scam detected.
  • Risk reasoning: A brief explanation of the specific signals and tactics that contributed to the risk score.

The following data is stored in our database for threat intelligence purposes but is not included in the reply email you receive:

  • Analysis method: Whether the assessment was based on rule engine analysis, threat database matching, AI analysis, or a combination thereof.
  • Detected signals: The specific fraud indicators identified during analysis (stored as structured data for pattern matching across submissions).
  • Scam template fingerprint: A content fingerprint used to identify recurring scam campaigns across submissions.
  • Processing time: How long the analysis took to complete.

Marketing Consent Records

  • If you opt in to TIPS marketing content, we record whether you have given consent, the date and time you gave consent, and the method by which you gave consent (for example, replying TIPS to a scam.support email). This is required by Canada's Anti-Spam Legislation (CASL).

Caretaker Information

  • If you set up a caretaker, the caretaker's email address is stored in plain text so that we can send them copies of your risk assessment replies.

Email Body Content — Temporary Storage Only

When you forward an email to check@scam.support, the full text of that email is parsed and temporarily stored in encrypted object storage (Cloudflare R2) while our analysis pipeline processes it. Once analysis is complete, the stored content is permanently deleted. Email body content is never written to our database. Only the metadata and analysis results described above are retained.

What We Do NOT Collect

  • No account information. We do not require or collect usernames, passwords, login credentials, or any form of account registration.
  • No personal demographics. We do not collect your name, age, physical address, phone number, or any other personal demographic information.
  • No device or browser data. The email analysis service does not use cookies, tracking pixels, or browser fingerprinting.
  • No attachment content. We record attachment filenames and MIME types only. The actual content of attachments is not stored.

How We Use Your Data

  1. To analyze forwarded emails and send risk assessment replies. This is the primary purpose of the service. You send us a suspicious email, and we reply with our assessment.
  2. To build a threat intelligence database. Every submission contributes to a growing database of sender reputation data, URL reputation data, and scam template patterns. Suspect sender email addresses are stored as one-way hashes (not in readable form). Suspect URLs are stored in full for threat detection.
  3. To improve fraud detection accuracy over time. Aggregate patterns in submissions help us refine our rule engine and identify emerging scam campaigns.
  4. To enforce rate limits. Your email hash is used to enforce a limit of 10 submissions per hour per sender, ensuring fair access to the service for all users.
  5. To send marketing content (TIPS), if you opt in. If you reply TIPS to a scam.support email, we use your email address to send you scam alerts and safety tips. You can opt out at any time by replying STOP.
  6. To deliver caretaker notifications, if you set one up. If you designate a caretaker, we use the caretaker's email address to send them copies of your risk assessment replies.
  7. To provide regionally relevant advice. Country, locale, and timezone data help us include the correct fraud reporting authority and locally relevant guidance in your reply.

Legal Basis for Processing

PIPEDA (Canada)

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), we process your information on the basis of implied consent and legitimate interest in fraud prevention and public safety. The forwarding of an email to check@scam.support constitutes implied consent for: (a) the collection and storage of your email address, (b) analysis of the forwarded email, and (c) delivery of a risk assessment reply to your email address.

We collect only the information necessary to provide the service and build the threat intelligence database.

GDPR (European Union and Ireland)

If you are located in the European Union or Ireland, our lawful basis for processing your personal data is:

  • Legitimate interest in fraud prevention and public safety (Article 6(1)(f)) for the analysis of forwarded emails and the building of threat intelligence data.
  • Consent (Article 6(1)(a)) for marketing communications (TIPS opt-in).

Under GDPR, you have the right to: access the personal data we hold about you; request rectification of inaccurate data; request erasure of your data (Article 17); object to processing based on legitimate interest; and request data portability. To exercise any of these rights, email privacy@scam.support.

How erasure works: Upon receiving a valid deletion request, we will null the following fields from your user record within 30 days: email address, caretaker email address, email domain, locale, email client, timezone offset, and country. Your email hash and anonymized submission data (risk scores, detected signals, and threat intelligence contributions) are retained because, once the identifying fields are removed, this data is no longer linked to an identifiable person and serves the public interest in fraud prevention.

Lawful basis for initial processing: You initiated the analysis by forwarding an email to check@scam.support. We rely on legitimate interest (Article 6(1)(f)) as the lawful basis for this processing — you took a deliberate action requesting our service, and the processing is necessary to fulfil that request and to protect the public from fraud.

Data Sharing

  • Anonymized threat data may be shared publicly. Sender reputation data (hashed email addresses, domain patterns), URL reputation data, and scam template patterns may be published through the scam.support website. Suspect sender email addresses are stored as one-way hashes and cannot be reversed to reveal the original address.
  • Submitter information is never shared. Your email address and your identity as someone who forwarded an email for analysis are never disclosed, published, or shared with any third party.
  • No data is sold to third parties. We do not sell, rent, license, or otherwise commercially distribute any user data.
  • Law enforcement cooperation. We may share anonymized threat intelligence data with law enforcement agencies investigating fraud. We will not share identifiable submitter information without a valid legal order.

Data Retention

  • Submitter records (email address, email hash, metadata) are retained for the operational life of the service.
  • Email body content is stored temporarily in Cloudflare R2 during analysis and deleted immediately after processing. A cleanup process removes any orphaned objects older than 24 hours.
  • Threat intelligence data (sender reputation, URL reputation, scam templates, submission records) is retained indefinitely to improve detection accuracy.
  • Marketing consent records are retained for as long as you remain opted in, plus a reasonable period after you opt out for compliance record-keeping.

Your Rights: Access, Correction, and Deletion

You have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate information.
  • Request deletion of your submitter record.

To exercise any of these rights, email privacy@scam.support. Upon receiving a valid request, we will respond within 30 days. For deletion requests, we will null the identifying fields in your user record (email address, caretaker email, email domain, locale, email client, timezone offset, and country) and confirm deletion. Your email hash and anonymized submission data (risk scores, signals, and threat intelligence contributions) are retained, as this data is no longer linked to an identifiable person once the identifying fields are removed.

Marketing Communications (CASL and CAN-SPAM)

In compliance with Canada's Anti-Spam Legislation (CASL) and the United States CAN-SPAM Act:

  • Marketing communications are entirely optional. You will never receive unsolicited marketing emails from Scam Support.
  • Opt-in (express consent): Reply TIPS to any email from scam.support to receive scam alerts and safety tips. This constitutes express consent under CASL. We record the date, time, and method of your consent.
  • Implied consent window: Under CASL, each email you submit for analysis establishes or renews an implied consent window of 6 months from the date of your last submission. During this window, we may send you transactional communications related to the service.
  • Opt-out: Reply STOP to any scam.support email to revoke marketing consent immediately. We honour opt-out requests within 10 business days as required by CAN-SPAM (in practice, revocation is processed instantly).
  • Transactional emails (risk assessment replies sent in response to your submissions) are not marketing communications and are exempt from CASL and CAN-SPAM consent requirements.
  • Sender identification: All commercial messages from Scam Support identify Boundary Labs as the sender and include contact information at check@scam.support.

Caretaker Feature

Scam Support offers an optional caretaker feature. You may designate a trusted person to receive copies of your analysis results by replying CARETAKER to any scam.support email and providing the caretaker's email address.

  • What we store: The caretaker's email address is stored in plain text in your user record so that we can deliver copies of your risk assessment replies to them.
  • What caretakers receive: The caretaker receives a copy of each risk assessment reply generated from your submissions. Caretakers do not receive the original forwarded email content.
  • Removing a caretaker: You may remove a caretaker at any time by emailing privacy@scam.support.

Security

  • Cryptographic hashing: Suspect sender email addresses are stored using one-way SHA-256 hashing (not in readable form). Submitter email addresses are stored both as a hash (for threat intelligence) and in plain text (required for reply delivery, TIPS, STOP, and caretaker functionality).
  • Database access controls via row-level security policies and service role keys.
  • Encryption in transit — all communications between service components and with external APIs use TLS.
  • Temporary email storage — email body content is stored in encrypted Cloudflare R2 during analysis only and deleted immediately after processing.
  • LLM output sanitization — all AI-generated content is sanitized (URLs stripped, HTML removed, character limits enforced) before being included in reply emails.
  • Stateless AI analysis — each AI analysis call is independent. The AI has no access to the threat database, other submissions, or any information beyond the current email being analyzed.

Third-Party Services

We use the following third-party services in the operation of Scam Support. Your data may be processed by these services as described:

  • Cloudflare: Email routing, edge computing, key-value storage (rate limiting, temporary flags), queue processing, and object storage (R2, for temporary email content during analysis).
  • Supabase: Database hosting (PostgreSQL) for all persistent data described in this policy.
  • Postmark: Outbound email delivery for risk assessment replies and marketing communications.
  • Anthropic (Claude AI): AI-powered email analysis for ambiguous cases. Email content is sent to the Anthropic API for analysis. Anthropic does not store email content beyond their standard API processing retention.
  • Google Safe Browsing: URL reputation checking. URLs found in forwarded emails are checked against Google's threat database.

Children's Privacy

Scam Support is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has submitted information to our service, please contact privacy@scam.support.

Changes to This Policy

We may update this privacy policy from time to time. Updated versions will be posted to scam.support/privacy. The effective date at the top of this policy indicates when it was last revised. Continued use of the service after changes constitutes acceptance of the updated policy.

Contact

For any questions, concerns, or requests related to your privacy, contact us at privacy@scam.support. We will respond to all privacy inquiries within 30 days.

If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.

Scam Support is operated by Boundary Labs.

Last updated: March 2026