Privacy Policy

This Privacy Policy explains how RS Digital (“we,” “us,” “our”) collects, uses, discloses, and protects your personal information when you use the Scam Scanner mobile application (“the App”) and any associated services, including the website at tryscamscanner.com (“the Services”).

Scam Scanner is an AI-powered scam detection tool that analyses content you submit (such as text messages, emails, URLs, screenshots, QR codes, and business or charity names) and provides a trust score, verdict, identified red flags, and actionable advice. The App is informational only and does not constitute legal, financial, or professional advice.

We are committed to handling your personal information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and, where applicable, the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). By using the App, you acknowledge that you have read and understood this Privacy Policy.

If you do not agree with this Privacy Policy, please do not use the App or the Services.

We collect and process the following categories of information:

2.1 Account Information

When you create an account (via email registration, Google OAuth, or Apple Sign In), we may collect:

• Email address
• Display name
• Account creation date
• Subscription status (free or premium)

If you use the App in guest mode (without creating an account), we do not collect any account information.

2.2 Scan Data

When you submit content for analysis, the App creates a local scan record that may include:

• The content you submit (text, URLs, entity names, or text extracted from images)
• The type of scan performed (e.g., text message, email, screenshot, charity, website, QR code, invoice, romance scam, investment scam)
• The input method used (e.g., camera, photo library, text paste, URL submission)
• Images captured or selected (stored locally on your device only and never transmitted to any server)
• AI-generated analysis results, including trust score, verdict, red flags, risk categories, and recommended actions
• Web search results and government registry verification results obtained during analysis
• Bookmark status and other user interaction flags

2.3 Purchase Information

If you subscribe to Scam Scanner Pro or make a voluntary tip payment, Apple's StoreKit framework processes the transaction. We store locally:

• Total number and cumulative amount of voluntary tips
• Date of last tip
• Total scans completed (lifetime count)
• UI preference states (e.g., whether a donation prompt has been dismissed)

We do not collect or have access to your payment card details, Apple ID password, or billing address. All payment processing is handled exclusively by Apple Inc. through the App Store.

2.4 Device Permissions

The App may request access to the following device features:

You may revoke any permission at any time through your device's Settings. Revoking a permission may limit certain App functionality.

2.5 Information We Do NOT Collect

We want to be transparent about what we do not collect:

• We do not use any third-party analytics SDKs (no Firebase Analytics, Mixpanel, Google Analytics, or similar)
• We do not collect or use advertising identifiers (IDFA)
• We do not use cookies or web tracking technologies within the App
• We do not perform device fingerprinting
• We do not track your location
• We have declared NSPrivacyTracking: false in our App privacy manifest (PrivacyInfo.xcprivacy)

We collect your information through the following methods:

• Directly from you: when you create an account, submit content for scanning, adjust settings, or make purchases.
• From your device: camera images and photo library selections, processed on-device using Apple's Vision framework for text extraction. Raw images are never transmitted off your device.
• From third-party authentication providers: Google (via OAuth 2.0) or Apple (via Sign in with Apple), which provide your name and email address upon your authorisation.
• From third-party services during analysis: web search results (Brave Search API), government registry data (ACNC, ABN Lookup), and AI analysis results (xAI/Grok API), all obtained to process your scan request.

We collect and use your personal information for the following purposes:

Under the Australian Privacy Principles, we collect personal information only where it is reasonably necessary for, or directly related to, one or more of our functions or activities as described above.

When you submit content for a scan, the following processing steps occur:

Step 1 — Input Capture. You provide content via the camera, photo library, text paste, URL entry, or entity name search.

Step 2 — On-Device Image Processing. If you submit an image, it is processed entirely on your device using Apple's Vision framework (VNRecognizeTextRequest). Text is extracted locally. No image data is transmitted to any external server. Only the extracted text proceeds to subsequent steps.

Step 3 — Optional Personal Information Stripping. If you have enabled the “Strip Personal Info” setting, phone numbers and email addresses are automatically removed from the extracted text before any data is transmitted externally.

Step 4 — Web Search Verification. Up to three concurrent searches are performed via our backend proxy to identify publicly available information about the entity or content you submitted. Results are deduplicated, capped at ten results, and validated.

Step 5 — Government Registry Verification. For charity and business scans, the App queries the Australian Charities and Not-for-profits Commission (ACNC) API and the Australian Business Register (ABN Lookup) API to verify registration status.

Step 6 — AI Analysis. The gathered context (extracted text, web search results, and registry data) is transmitted to the xAI Grok API via our secure backend proxy for AI-powered analysis. The AI returns a structured response including a trust score, verdict, red flags, and recommended actions.

Step 7 — Local Storage. The complete scan result is saved to the local SwiftData database on your device. No scan results are stored on our servers.

We do not sell, rent, or trade your personal information. We share limited data with the following third-party service providers solely to deliver the App's functionality:

6.1 xAI Corp (Grok API)

• Purpose: AI-powered scam analysis engine
• Data shared: Entity names, extracted text, URLs, web search results, and registry verification results
• Data NOT shared: Raw images, user account details, device identifiers, or payment information
• Transmission: All data is transmitted via HTTPS through our secure backend proxy (api.tryscamscanner.com). API keys are stored server-side only.
• Location: xAI servers are located in the United States

6.2 Brave Software (Brave Search API)

• Purpose: Web search for entity and scam verification
• Data shared: Search query strings only
• Transmission: Via our secure backend proxy

6.3 Australian Government APIs

• ACNC (Australian Charities & Not-for-profits Commission): Charity name sent for registration verification via a publicly accessible government API.
• ABN Lookup (Australian Business Register): Business name sent for registration verification via a publicly accessible government API.

6.4 Authentication Providers

• Google OAuth 2.0: If you choose to sign in with Google, authentication data (email, name) is exchanged with Google's servers in accordance with Google's Privacy Policy.
• Apple Sign In: If you choose to sign in with Apple, authentication data is handled by Apple in accordance with Apple's Privacy Policy. Apple may provide a private relay email address.

6.5 Apple Inc. (StoreKit 2)

• Purpose: Subscription and tip purchase processing
• Data shared: Transaction data is processed entirely through Apple's infrastructure. We do not have access to your payment details.

6.6 Other Disclosures

We may also disclose your personal information where:

• Required by law, regulation, court order, or governmental request
• Necessary to protect the rights, property, or safety of RS Digital, our users, or the public
• Necessary in connection with a merger, acquisition, or sale of all or a portion of our assets (in which case you will be notified via prominent notice in the App)

7.1 On-Device Storage

The majority of your data is stored locally on your device:

• Account credentials and tokens: Stored in the iOS Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly protection. This data is hardware-encrypted, not included in iCloud backups, and not shared with app extensions.
• Scan results and history: Stored in a local SwiftData (SQLite) database within the App's sandbox, encrypted at rest by iOS.
• Preferences and usage counters: Stored in UserDefaults and AppStorage on-device.

7.2 Cross-Border Data Transfers

When you perform a scan, extracted text and contextual data are transmitted to our backend proxy hosted on Vercel (servers in the United States), which forwards requests to:

• xAI (Grok API): United States
• Brave Search API: United States

This means that some of your data will be transferred to, and processed in, the United States. By using the App, you consent to this transfer. We take reasonable steps to ensure that your data is treated securely and in accordance with this Privacy Policy and applicable law.

For users in the European Economic Area (EEA), transfers are made pursuant to appropriate safeguards, including standard contractual clauses where required.

Our backend proxy (api.tryscamscanner.com) operates as a stateless pass-through and does not persistently store your scan data. However, our AI provider (xAI) may retain data transmitted via their API in accordance with their own data retention policies. We encourage you to review xAI's privacy policy for further details.

Depending on your jurisdiction, you may have the following rights regarding your personal information:

9.1 All Users

• Access: You can view all data the App holds about you directly within the App (account details in Settings; scan history in History).
• Correction: You can update your account details at any time.
• Deletion: You can delete individual scans, delete all scan history, or delete your entire account from Settings. Account deletion removes all locally stored account data, tokens, and profile information.
• Portability: Your scan data is stored locally on your device and is accessible to you at all times.
• Withdraw consent: You may revoke device permissions (camera, photos, notifications) at any time via iOS Settings.

9.2 Australian Users

Under the Privacy Act 1988 (Cth), you have the right to:

• Request access to your personal information held by us
• Request correction of inaccurate, out-of-date, or incomplete personal information
• Complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs

9.3 EEA/UK Users (GDPR)

If you are located in the European Economic Area or United Kingdom, you additionally have the right to:

• Object to processing of your personal data
• Request restriction of processing
• Request erasure (“right to be forgotten”)
• Data portability in a machine-readable format
• Lodge a complaint with your local data protection authority

Our legal basis for processing your personal data under the GDPR is: (a) your consent (for authentication and optional features); (b) performance of a contract (to provide the scanning service); and (c) our legitimate interests (to improve and secure the App).

9.4 California Users (CCPA)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, and disclose
• Request deletion of your personal information
• Opt out of the sale of personal information (we do not sell your personal information)
• Non-discrimination for exercising your privacy rights

To exercise any of these rights, please contact us at support@tryscamscanner.com. We will respond within the timeframe required by applicable law (generally 30 days, or as otherwise required).

We implement the following technical and organisational measures to protect your information:

• Transport encryption: All data transmitted between the App and external services uses HTTPS/TLS encryption.
• Keychain storage: Sensitive credentials are stored in the iOS Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly, ensuring hardware-level encryption that is not backed up or shared.
• On-device image processing: Images are processed locally using Apple's Vision framework and are never transmitted externally.
• Server-side API key management: Third-party API keys for AI analysis and web search services are stored as server-side environment variables and are not embedded in the App binary.
• Rate limiting: API endpoints are rate-limited to 30 requests per 60 seconds per IP address to prevent abuse.
• Local database encryption: The SwiftData (SQLite) database resides in the App's sandboxed container and is encrypted at rest by iOS.
• No tracking: NSPrivacyTracking is set to false. We do not track you across apps or websites.

While we take commercially reasonable steps to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

10.1 Data Breach Notification

In the event of an eligible data breach affecting your personal information, we will comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). This means we will:

• Assess whether the breach is likely to result in serious harm to any affected individuals
• Notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable if serious harm is likely
• Where applicable, comply with equivalent notification obligations under the GDPR or CCPA

The App is rated 4+ on the App Store and is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA/UK without parental consent).

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@tryscamscanner.com and we will take steps to delete such information.

If we become aware that we have collected personal information from a child without appropriate parental consent, we will take steps to delete that information promptly.

The App may contain links to third-party websites and services, including:

• Scamwatch (scamwatch.gov.au) — Australian Government scam reporting service
• ReportCyber (cyber.gov.au) — Australian Government cyber incident reporting
• ACCC — Australian Competition & Consumer Commission

These links are provided for your convenience and informational purposes. We are not responsible for the privacy practices or content of these third-party services. We encourage you to review their privacy policies before providing any personal information.

The App uses artificial intelligence (specifically the xAI Grok large language model) to analyse content you submit and generate trust scores, verdicts, and advice. This constitutes automated decision-making.

Important: AI-generated results are provided for informational purposes only. They do not constitute legal, financial, or professional advice. Results may be inaccurate, incomplete, or outdated. You should always verify information with official sources before making any decisions based on a scan result.

Every scan result in the App includes the following disclaimer:

“This analysis is AI-generated for informational purposes only. Always verify with official sources before making decisions.”

If you are located in the EEA/UK, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. As the App's results are advisory and informational only, they do not produce such effects. If you have concerns, please contact us.

The App provides you with the following privacy controls:

We may update this Privacy Policy from time to time to reflect changes to our practices, legal requirements, or the App's functionality. When we make material changes, we will:

• Update the “Effective Date” and “Last Updated” date at the top of this policy
• Notify you via a prominent notice in the App (such as a pop-up or banner)
• Where required by law, seek your renewed consent

We encourage you to review this Privacy Policy periodically. Your continued use of the App following the posting of changes constitutes your acceptance of such changes.

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:

RS Digital
Email: support@tryscamscanner.com
Website: https://tryscamscanner.com

If you are not satisfied with our response, you have the right to lodge a complaint with:

• Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au
• Your local data protection authority (for EEA/UK residents)
• The California Attorney General (for California residents)

This Privacy Policy is governed by and construed in accordance with the laws of the Commonwealth of Australia and the State of South Australia. You irrevocably submit to the non-exclusive jurisdiction of the courts of South Australia and the Federal Court of Australia.

Where the GDPR or CCPA applies to you, nothing in this Privacy Policy limits your rights under those laws.