Privacy
The short version: we keep almost nothing, scrub what we keep, and give you a one-click delete. Below is the longer version, written like a human.
- We don't collect emails, names, or accounts. There's no signup.
- We scrub phones, emails, IBANs, card numbers, and handles before saving anything.
- Your IP becomes a daily-salted hash for 25 hours, then it's gone.
- Raw text + uploaded images are auto-deleted after 30 days.
- Your result page is private by default. You opt in to make it public + searchable.
- One-click delete at any time — your data is gone within an hour.
What we collect
When you check a message, we receive:
- The message text you pasted (or image, if uploaded). Stored in a private 30-day table for re-analysis, then deleted.
- A scrubbed copy of that text — phones, emails, IBANs, card numbers, and Telegram handles replaced with placeholders. This is what may become public if you opt in.
- A daily-salted hash of your IP for rate limiting (15 free checks per day per IP). The salt rotates at UTC midnight, so the hash can't be linked back to you after 25 hours.
- The AI verdict (safe / suspicious / dangerous), confidence, category, and which signals fired.
We do not set tracking cookies. We use Plausible, a cookieless analytics service that doesn't track individuals.
Where it goes
Your data is processed by the following sub-processors:
- Cloudflare — hosts the service (Workers, D1, Vectorize, KV).
- OpenAI, Anthropic, Google — when our pipeline needs deeper analysis, the message text (already PII-scrubbed for repeated patterns) is sent to one or more of these AI providers under their respective enterprise data-handling terms. None of them train on inputs from API calls per their stated policies.
- Varta — the upstream classifier engine, run by the same team. Same scrubbing applies.
How long we keep things
- Public scrubbed result page: indefinitely, unless you delete it.
- Raw text + image bytes: 30 days, then auto-deleted.
- IP hash: 24-25 hours (linked to a daily salt that's gone after midnight UTC).
- Plausible aggregated analytics: 24 months, no individual identification.
Your rights
You can:
- Delete your result page — go to the result URL, click "Delete this analysis". Page returns 410 Gone within an hour.
- Hide the message text — same flow, makes the page show "[hidden by user]" while keeping the verdict.
- Opt out of indexing — pages are noindex by default. You actively opt in via the toggle on the result page.
- Request anything else — email hello@isitaspam.com. We aim for under 7 days.
GDPR / CCPA
Legal basis (GDPR Art. 6(1)(f)): legitimate interest in detecting and discouraging fraud. Where you've opted in to indexing, that's consent (Art. 6(1)(a)) and you can withdraw any time via the toggle.
If you're in the EU and want to escalate, our EU contact is hello@isitaspam.com (until traffic justifies a formal EU representative).
What we don't do
- We don't sell or share your data with advertisers.
- We don't profile you across sessions — there's no account.
- We don't store payment info — there's nothing to pay for.
- We don't process content from minors. If you're under 16, please don't use the service.
Privacy questions or deletion requests
hello@isitaspam.com — usually answered within 24h, always within 7 days.