Privacy Policy

What happens when you scan

When you paste an email and click Scan, we send the text to our analysis servers. Any URLs in the email are checked against threat databases, and an AI model analyzes the text for phishing patterns. The entire process takes a few seconds. Your email content is never written to disk, never stored in a database, and permanently discarded the moment the response is sent back to your browser.

Third-party services we use

We rely on the following services to make Smells Phishy work. Each processes data on our behalf.

• Google Gemini AI — analyzes the email text to identify phishing patterns. Google AI Terms & Data Use
• Google Web Risk — checks URLs in the email against known threat lists. Privacy Policy
• urlscan.io — looks up URL reputation data. Privacy Policy
• Buttondown — handles the extension announcement list and launch emails only. We do not send your IP address to Buttondown. Privacy Policy
• Cloudflare Turnstile — bot verification on the scan form. May set functional cookies. Privacy Policy
• PostHog — privacy-friendly product analytics. No email content is included in any analytics event. Session recording is disabled. Privacy Policy
• Google Analytics — aggregate traffic analytics to understand visitor behavior. Privacy Policy
• Meta Pixel — marketing attribution for campaigns on Facebook and Instagram. Privacy Policy
• TikTok Pixel — marketing attribution for campaigns on TikTok. Privacy Policy
• Microsoft Advertising UET — marketing attribution for campaigns on Bing and the Microsoft Advertising network. Privacy Statement
• Upstash Redis — stores rate limit counters and an aggregate scan count. No email content is stored. Privacy Policy

Analytics and tracking

We use several analytics and marketing tools to understand how the product is used and measure the effectiveness of our outreach, but optional analytics and advertising tools load only after you say yes. The scanner still works if you decline optional tracking.

• PostHog — product analytics (page views, section engagement). Session recording is disabled. No email content is included in any analytics event.
• Google Analytics — aggregate traffic data to understand visitor patterns.
• Meta Pixel — measures the effectiveness of Facebook and Instagram advertising campaigns.
• TikTok Pixel — measures the effectiveness of TikTok advertising campaigns.
• Microsoft Advertising UET — measures the effectiveness of Bing and Microsoft Advertising campaigns.

These tools collect device and browsing information for users who interact with our marketing campaigns only after consent. Email content is never included in any tracking data, and you can reopen Privacy settings from the footer later if you want to change your choice.

IP addresses

Your IP address is temporarily stored in our rate-limiting system (Upstash Redis) to enforce the daily scan limit of 3 scans per day. It is automatically deleted after 24 hours. IP addresses are never linked to email content, and we do not forward them to Buttondown for waitlist signups.

What we never do

• ✓Store your email content after a scan completes
• ✓Create user accounts or track your identity
• ✓Sell or share your data with advertisers
• ✓Log the contents of your emails

Your rights

Since we don't store email content or create user accounts, most data subject requests (access, erasure, portability) have nothing to act on — we simply don't hold that data. For questions about analytics data (non-identifying usage metrics), contact us at the address below.

Who is responsible for this service

This service is operated by an independent developer. For privacy questions, contact: help@smellsphishy.app

Disclaimer

This tool provides AI-assisted analysis only and should not be considered definitive security advice. Results may contain errors or omissions. You are responsible for any actions you take based on the analysis. We accept no liability for loss or damage arising from use of this service. When in doubt, contact the sender directly through official channels or consult a security professional.