Privacy Policy

Last updated: April 4, 2026

1. Introduction

Smells Fishy ("we," "us," or "our") is operated by [Your Name / Entity]. This Privacy Policy describes how we collect, use, and protect your information when you use the Smells Fishy service, including our website, API, and iOS Shortcut integration (collectively, the "Service").

By using Smells Fishy, you agree to the collection and use of information as described in this policy.

2. Information We Collect

Account Information

When you create an account, we collect your email address through our authentication provider, Clerk. We do not store your password directly.

Contact Information

If you use the contact alert feature, we store the names and phone numbers of contacts you add so that scan results can be shared with them via SMS.

Device Information

We generate a unique identifier (UUID) for each device registered with Smells Fishy. This is not a hardware identifier and cannot be used to identify your physical device outside of our Service.

Scan Data

We store the following information about each scan:

  • Risk level classification (HIGH, MEDIUM, LOW, or UNDETERMINED)
  • Timestamp of the scan
  • AI processing token counts (for usage tracking)
  • A one-way SHA-256 hash of the image (used to prevent duplicate processing, not reversible back to the original image)

Technical Data

We collect IP addresses solely for rate limiting purposes. This data is stored in-memory only and is automatically cleared within one hour. It is not written to any database or persistent storage.

Trial Data

If you use our trial feature (no account required), we store a trial code, device identifier, scan count, and expiration timestamp. Trial records expire after 24 hours.

3. Information We Do NOT Collect

We want to be clear about what we do not do with your data:

  • Screenshots are NEVER stored. Images you submit are sent directly to our AI provider for real-time analysis and are not saved by Smells Fishy. Only a one-way hash of the image is retained.
  • We do not use analytics or tracking tools on our website.
  • We do not use advertising cookies or tracking pixels.
  • We do not sell, rent, or share your personal data with data brokers or advertisers.
  • We do not build advertising profiles about you.

4. How We Use Your Information

We use the information we collect to:

  • Provide the scam detection service (analyzing screenshots and returning risk assessments)
  • Manage your account and registered devices
  • Send scan results to your designated contacts via SMS when the feature is enabled
  • Enforce rate limits and prevent abuse of the Service
  • Track aggregate scan usage for plan enforcement (free vs. paid limits)
  • Generate anonymous, aggregate usage statistics for internal service improvement

5. Third-Party Services

Smells Fishy uses the following third-party services to operate. Each may receive limited data as described below:

Clerk (Authentication)

We use Clerk to handle user registration and sign-in. Clerk receives your email address and manages authentication sessions. See Clerk's Privacy Policy.

Google Gemini API (AI Analysis)

Screenshots and OCR-extracted text you submit are sent to Google's Gemini API for real-time analysis. Google processes the content to generate a scam-risk assessment. When you explicitly request a Factual Check on news or social-media content, that screenshot is also sent to Gemini with Google Search grounding enabled so the model can verify claims against public sources. See Google's Gemini API Terms.

Cloudflare Turnstile (Bot Protection)

We use Cloudflare Turnstile to verify that trial activations are initiated by humans. Turnstile may collect device and browser information for this purpose. See Cloudflare's Privacy Policy.

QR Code Generation

We use a third-party QR code service to generate install links. Only the install URL is sent to this service; no personal data is included.

6. Data Retention

  • Account data is retained as long as your account is active. When you delete your account, all associated data (devices, contacts, scan logs) is deleted.
  • Scan logs (risk levels and token counts only — not screenshots) are retained indefinitely for your scan history.
  • Trial records automatically expire after 24 hours.
  • Rate limiting data (IP addresses) is held in-memory only and cleared automatically within one hour.
  • Install tokens expire after 24 hours and are no longer valid.

7. Data Security

We take reasonable measures to protect your information, including:

  • All data transmitted to and from Smells Fishy is encrypted using HTTPS/TLS with HSTS enforcement.
  • Our database (hosted on Neon) uses encryption at rest.
  • We implement Content Security Policy (CSP) headers, X-Frame-Options, and X-Content-Type-Options to protect against common web attacks.
  • Screenshots are never stored — they exist only in-transit during AI analysis.
  • Authentication is delegated to Clerk, a security-focused authentication provider.

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

8. Your Rights

All Users

You may request deletion of your account and all associated data at any time by contacting us at [support@email.com].

California Residents (CCPA)

If you are a California resident, you have the right to: know what personal information we collect and how it is used; request deletion of your personal information; opt out of the sale of your personal information (we do not sell personal information); and not be discriminated against for exercising these rights.

EU/EEA Residents (GDPR)

If you are in the EU/EEA, you have the right to: access the personal data we hold about you; rectify inaccurate data; request erasure of your data; restrict or object to processing; and data portability. Our legal basis for processing is legitimate interest (providing the Service) and consent (where applicable). Contact us to exercise these rights.

9. Children's Privacy

Smells Fishy is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will delete it.

10. Cookies

Smells Fishy uses only strictly necessary cookies for authentication sessions (managed by Clerk). We do not use analytics cookies, advertising cookies, or any other tracking technologies. Because these cookies are strictly necessary for the Service to function, they are exempt from cookie consent requirements.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. Your continued use of Smells Fishy after changes are posted constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or your data, contact us at [support@email.com].