Effective date: June 14, 2026 · Last updated: June 14, 2026
1. Who We Are
ScamCatchr is a Chrome browser extension built to help individuals and businesses identify scam, phishing, and fraud emails in Gmail. The Service is operated at scamcatchr.com and can be reached at info@scamcatchr.com.
This Privacy Policy explains what personal data ScamCatchr collects, why we collect it, and what choices you have. It applies to the extension, the website, and the weekly digest email service.
2. What Data We Collect
2.1 Data we never collect
- The body content of any email — we never read, store, or transmit email body text
- Attachments, images, or any media in emails
- Your contacts, calendar, or any Google data beyond Gmail email headers
- Browsing history outside Gmail
- Keystrokes, mouse movements, or clipboard content
2.2 Data collected automatically (when you use the extension)
| Data | Why | Where stored |
|---|---|---|
| Sender domain of emails you view in Gmail | To check against known scam domain lists | Your device only (memory, not persisted) |
| Email display name and sender address | To detect brand impersonation and display-name spoofing | Your device only (memory) |
| Authentication-Results email header | To check SPF, DKIM, and DMARC verification status | Your device only (memory) |
| Risk level and warning reasons for flagged emails | To power the popup stats and recent threats view | chrome.storage.local on your device |
2.3 Data you provide when submitting a phishing report
| Data | Why | Where stored |
|---|---|---|
| Sender domain (not the full email address) | To add to community flagging database | Firestore (anonymised) |
| Email subject line | To categorise the scam pattern | Firestore (anonymised) |
| Scam type (chosen from dropdown) | For digest statistics | Firestore |
| Risk level (warning / danger) | For digest statistics | Firestore |
| Detection reasons (which checks triggered) | For pattern analysis | Firestore |
| Timestamp | For trend analysis | Firestore |
evil-shipping.com), not your full sender address or your own address.
2.4 Data collected when you subscribe to the weekly digest
- Your Gmail email address — used only to send the weekly digest. Never used for marketing or shared with any third party.
- Your Firebase User ID — a pseudonymous identifier used to link your subscription to your Firestore document so we can send and later delete your digest subscription.
3. How We Use Your Data
We use collected data only for the following purposes:
- Scam detection — to analyse email headers in real time and display warnings in Gmail
- Community flagging — to build a shared database of reported sender domains that benefits all users
- Weekly digest — to generate and send a summary of scam trends to subscribers
- Detection improvement — to improve keyword patterns and brand lists used by the extension (using anonymised, aggregated data only)
We do not use your data for advertising, profiling, or any purpose unrelated to scam detection.
4. Local Storage
ScamCatchr stores the following data in chrome.storage.local on your own device. This data never leaves your device except where explicitly described:
- OAuth access token — your Google authentication token, used to call the Gmail API. Never transmitted to our servers.
- Phishing report history — a local log of reports you have submitted, used to power the popup stats and deduplicate submissions.
- Reported domains — domains you have personally flagged, checked on each new email.
- Community-flagged domains — a cached list of domains reported by other users (no personal data, domain names only).
- Extension preferences — settings such as background scan toggle, digest subscription status, and onboarding state.
You can clear all local storage at any time: chrome://extensions → ScamCatchr → Clear data.
5. Cloud Storage (Firestore)
When you submit a phishing report, anonymised fields are written to Google Cloud Firestore, a secure cloud database operated by Google. The following Firestore collections are used:
- scamReports/{docId} — anonymised report records (domain, subject, scam type, risk level, timestamp). No personal identifiers.
- communityFlags/{domain} — aggregated report counts per domain. Contains only domain names and counts.
- subscribers/{uid} — your Gmail address and Firebase UID, stored only if you subscribe to the digest. Deleted on unsubscription.
6. Gmail API & OAuth
ScamCatchr's Gmail API integration is governed by the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We request only the gmail.readonly OAuth scope — the narrowest available Gmail read permission
- We access only the From and Authentication-Results headers of emails you open
- We do not transfer Gmail data to third parties except as required to provide the Service (e.g., Firestore for anonymised reports)
- We do not use Gmail data for advertising or to train machine learning models
- We do not allow humans to read your Gmail data
You can revoke Gmail access at any time from Google Account → Third-party apps & services or from the extension popup.
7. Weekly Digest
The weekly digest is an entirely optional service. If you subscribe:
- Your Gmail address is stored in Firestore solely to send the digest
- The digest contains only aggregated, anonymised statistics — no individual report data is disclosed
- Emails are sent via SendGrid, a transactional email provider. Your address is passed to SendGrid only at the moment of sending and is not stored by SendGrid beyond delivery
- You can unsubscribe at any time via the link in any digest email or from the extension popup. Your address is deleted from our database within 24 hours
- We will never send you any other type of email, and will never share your address with third parties
8. Third-Party Services
| Service | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Google Cloud Firestore | Cloud database for anonymised reports and digest subscriptions | Anonymised report data; Gmail address (digest subscribers only) | google.com/privacy |
| Google Cloud Functions | Backend processing: report storage, community flags, digest sending | Same as Firestore above | google.com/privacy |
| Google Firebase Authentication | Pseudonymous user identity for digest subscription management | Firebase UID only (no personal data) | google.com/privacy |
| SendGrid (Twilio) | Transactional email delivery for the weekly digest | Gmail address at send time only | sendgrid.com/policies/privacy |
| Google Fonts | Roboto typeface on the website | Your IP address (standard web request) | google.com/privacy |
We do not use any analytics, advertising, or tracking services on this website or in the extension.
9. Data Sharing
We do not sell, rent, or trade your personal data. We do not share your data with advertisers. The only circumstances under which we share data are:
- Service providers — Google (Firestore, Functions, Firebase Auth) and SendGrid, as described above, solely to provide the Service
- Legal requirement — if required by applicable law, court order, or governmental authority, we may disclose data to the extent legally required
- Business transfer — in the event of a merger, acquisition, or sale of assets, your data may transfer to the acquiring entity, subject to the same privacy protections
10. Data Retention
- Local storage — retained until you clear extension data or uninstall the extension
- Phishing reports (Firestore) — retained for 2 years from submission to support trend analysis, then automatically deleted
- Community flags (Firestore) — retained indefinitely as domain-level aggregated counts with no personal data
- Digest subscriptions (Firestore) — deleted within 24 hours of unsubscription
- OAuth token — stored locally until you disconnect or clear extension data; we hold no copy
11. Security
We take the following measures to protect your data:
- All communication with our Cloud Functions uses HTTPS/TLS encryption
- Firestore access is controlled by security rules that enforce authentication and restrict write access to Cloud Functions only
- OAuth tokens are stored only in chrome.storage.local and are never transmitted to our servers
- Phishing reports use a deduplication key to prevent duplicate submissions without storing additional personal data
- We do not log raw email header data on our servers
No method of transmission over the internet or electronic storage is 100% secure. While we implement strong safeguards, we cannot guarantee absolute security.
12. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your personal data (digest email address)
- Portability — request your data in a structured, machine-readable format
- Objection — object to processing of your data
- Withdraw consent — unsubscribe from the digest or disconnect Gmail at any time
To exercise any of these rights, email info@scamcatchr.com. We will respond within 30 days. Most data subject rights can be exercised immediately via the extension popup (disconnect Gmail, unsubscribe from digest, clear local data).
If you are located in the European Economic Area, United Kingdom, or California, additional rights may apply under GDPR, UK GDPR, or CCPA respectively.
13. Children's Privacy
ScamCatchr is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided personal data to us, please contact us at info@scamcatchr.com and we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will update the "Last updated" date at the top of this page. For material changes, we will display a notice in the extension popup. Your continued use of the Service after any change constitutes acceptance of the revised policy.
15. Contact
For privacy questions, data subject requests, or any concerns about this policy:
- Email: info@scamcatchr.com
- Website: scamcatchr.com
See also our Terms of Service for the rules governing use of the extension.