Privacy Policy

Last updated: July 2, 2026

1. Introduction

Smells Fishy ("we," "us," or "our") is a screenshot-checking service consisting of an iOS app (including its share extension and Shortcuts integration), a website, and an API (collectively, the "Service"). This Privacy Policy describes how we collect, use, and protect your information when you use the Service.

By using Smells Fishy, you agree to the collection and use of information as described in this policy.

2. Information We Collect

Device Information

You do not need an account to use Smells Fishy. When the app first runs, we generate a random device identifier and an API key for your device. We may also receive Apple's per-vendor device identifier, which we use only to avoid registering the same device twice. None of these are hardware identifiers and none can identify your physical device outside of our Service.

Optional Account Information

If you choose to sign in (optional, and not required for any core feature), we collect your email address through our authentication provider, Clerk. We do not store your password.

Scan Data

We store the following information about each check:

  • Risk level classification (HIGH, MEDIUM, LOW, or UNDETERMINED)
  • Timestamp of the check
  • AI processing token counts (for usage tracking)
  • A one-way SHA-256 hash of the image (used to prevent duplicate processing, not reversible back to the original image)

The screenshots you check are sent to our AI provider for analysis and are not stored by Smells Fishy — with one exception: share links, described below.

Shared Links

When you explicitly create a share link for a check, we store a copy of that screenshot and a snapshot of the analysis on our servers so the link can show them to the people you share it with. This happens only when you tap to create a link, never automatically. Shared data is retained as follows:

  • The screenshot and analysis stay on our servers only while the link is live. Links expire automatically (90 days by default, with a hard cap of one year), and you can turn a link off at any time from the app — the stored screenshot is then deleted.
  • We count how many times a link is viewed. To avoid double-counting we briefly derive a one-way hash from the viewer's IP address; the raw IP address is never stored with the view.
  • Messaging and social apps generate their own preview cards for links (the verdict headline and tag — never your screenshot). Those previews are copied into chat threads and third-party servers by those apps, and are outside our control: they can persist even after you turn the link off.

Technical Data

We use IP addresses for rate limiting; that data is held in-memory only and automatically cleared within about an hour. Separately, we keep a log of abuse-related events (such as rate-limit hits or malformed requests) to protect the Service, which may include the IP address and endpoint involved.

3. Information We Do NOT Collect

We want to be clear about what we do not do with your data:

  • Screenshots are not stored for ordinary checks. Images you submit are sent to our AI provider for real-time analysis; only a one-way hash is retained. The single exception is a share link you explicitly create, which stores that screenshot until the link expires or you turn it off.
  • We do not use analytics or tracking tools on our website.
  • We do not use advertising cookies or tracking pixels.
  • We do not sell, rent, or share your personal data with data brokers or advertisers.
  • We do not build advertising profiles about you.

4. How We Use Your Information

We use the information we collect to:

  • Provide the checking service (analyzing screenshots and returning risk assessments)
  • Serve share links you create, to the people you share them with
  • Manage your registered device (and account, if you create one)
  • Enforce rate limits and daily quotas, and prevent abuse of the Service
  • Generate anonymous, aggregate usage statistics for internal service improvement

5. Third-Party Services

Smells Fishy uses the following third-party services to operate. Each may receive limited data as described below:

Google Gemini API (AI Analysis)

Screenshots and extracted text you submit are sent to Google's Gemini API for real-time analysis. Google processes the content to generate the risk assessment. When you run a Deep Dive, the content is also analyzed with Google Search grounding enabled so the model can check claims against current public sources; Google may retain Deep Dive inputs for a limited period (about 30 days) for abuse monitoring under its own terms. See Google's Gemini API Terms.

Vercel (Hosting and File Storage)

Our website and API run on Vercel, and screenshots for share links you create are stored in Vercel's private blob storage until the link expires or is turned off. See Vercel's Privacy Policy.

Neon (Database)

Our database is hosted on Neon and uses encryption at rest. See Neon's Privacy Policy.

Clerk (Optional Authentication)

If you choose to sign in, we use Clerk to handle registration and sign-in. Clerk receives your email address and manages authentication sessions. See Clerk's Privacy Policy.

6. Data Retention

  • Device data is retained while your device is registered. Contact us to have it deleted.
  • If you created an account, you can delete it directly in the app (Settings → Account → Delete Account). This deletes the account immediately; your device reverts to anonymous use.
  • Scan logs (risk levels and token counts only — not screenshots) are retained for usage accounting.
  • Share-link screenshots are retained only while the link is live: until it expires (90 days by default, one year at most) or you turn it off, whichever comes first. The stored screenshot is deleted afterward.
  • View-count dedupe records are pruned automatically after a short window.
  • Rate limiting data (IP addresses) is held in-memory only and cleared automatically within about an hour.

7. Data Security

We take reasonable measures to protect your information, including:

  • All data transmitted to and from Smells Fishy is encrypted using HTTPS/TLS with HSTS enforcement.
  • Our database (hosted on Neon) uses encryption at rest.
  • Share-link screenshots live in private storage and are served only through a route that checks whether the link is still live; direct storage URLs are never exposed.
  • We implement Content Security Policy (CSP) headers, X-Frame-Options, and X-Content-Type-Options to protect against common web attacks.
  • Your device's API key is stored in the iOS Keychain on your device.

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

8. Your Rights

All Users

If you created an account, you can delete it directly in the app under Settings → Account → Delete Account. You may also request deletion of your device data (and account) at any time by contacting us at ajenglehardt81@gmail.com. You can turn off any share link you created directly from the app, which deletes the stored screenshot.

California Residents (CCPA)

If you are a California resident, you have the right to: know what personal information we collect and how it is used; request deletion of your personal information; opt out of the sale of your personal information (we do not sell personal information); and not be discriminated against for exercising these rights.

EU/EEA Residents (GDPR)

If you are in the EU/EEA, you have the right to: access the personal data we hold about you; rectify inaccurate data; request erasure of your data; restrict or object to processing; and data portability. Our legal basis for processing is legitimate interest (providing the Service) and consent (where applicable). Contact us to exercise these rights.

9. Children's Privacy

Smells Fishy is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will delete it.

10. Cookies

Smells Fishy uses only strictly necessary cookies, and only for authentication sessions (managed by Clerk) if you choose to sign in. We do not use analytics cookies, advertising cookies, or any other tracking technologies. Because these cookies are strictly necessary for the Service to function, they are exempt from cookie consent requirements.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. Your continued use of Smells Fishy after changes are posted constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or your data, contact us at ajenglehardt81@gmail.com.