ScamNotScam reads the email you're currently viewing to tell you whether it looks like a scam. That requires seeing email content — so here's exactly what happens to it, in plain language.
01 What we access
When you open an email with ScamNotScam active, it reads that email's subject line, sender information, body text, and links in order to analyze it for scam risk. It only looks at the email you're actively viewing — it does not scan your inbox, read past emails in bulk, or run in the background on messages you haven't opened.
02 How the analysis works
The content of the email you're viewing is sent to a third-party AI provider for automated analysis, which produces the risk verdict you see. We only use providers operating under commercial-grade terms that prohibit using your data to train their models and that apply short, bounded data retention. We do not store the raw content of your emails ourselves. Only the resulting verdict — the risk level and its explanation — is temporarily cached on your own device for up to 24 hours, tied to that specific email, so the same message isn't re-analyzed every time you open it.
03 Account access
ScamNotScam uses Google Sign-In to confirm you're an approved user during the beta. We request only the minimal permissions needed to read your email address for this check — nothing more. Your email address is checked against a private beta-access list; we do not access your Google contacts, files, profile information, or any other account data.
You can revoke ScamNotScam's access to your Google account at any time from your Google Account permissions settings.
04 Analytics
We use PostHog to collect anonymous usage data — for example, how many emails were analyzed or whether a verdict was flagged — to help us improve accuracy. This data is tied to a randomly-generated device identifier, not your name, email, or Google identity, and is not linked to the content of your emails.
05 What we never do
We do not sell your data. We do not use your emails to train AI models. We do not share your data with third parties except the services required to run ScamNotScam: our AI analysis provider, Google (sign-in and whitelist verification), and PostHog (anonymous analytics). In rare cases, our AI provider's automated safety systems may retain flagged content longer than their standard retention window, per their own published policies.
06 Beta status & changes
ScamNotScam is in active beta. Features and data handling may evolve as the product develops, and this policy may change with them. If it does, we'll update this page and the date at the top.
07 Contact
Questions about this policy? Email hello@scamnotscam.com.