Privacy Policy
Last updated: 23 March 2026
The short version:
We analyse emails you forward and text messages you submit, then send back a safety report. We store message content for 90 days, then permanently delete it. We never store attachments. We never sell your data. You can delete everything at any time.
Who we are
Don't Click is a scam detection service for emails, SMS, and WhatsApp messages, operated by AR Technologies Ltd, a company registered in Ireland.
- Registered address: 77 Camden Street Lower, Dublin, D02 XE80, Ireland
- Contact email: privacy@dontclick.app
AR Technologies Ltd is the data controller for all personal data processed through this service.
What we collect and why
| Data | Purpose | Retention |
|---|---|---|
| Your email address | Send you results, track your free check usage, manage your account | Until you delete your account |
| Forwarded email content and submitted text messages (sender, subject/type, body text — first 10,000 characters only) | Analyse for scam indicators, review accuracy when you dispute a result | 90 days, then permanently deleted |
| Analysis results (risk rating, confidence score, reasons) | Send you the safety report, improve accuracy over time | 90 days, then permanently deleted |
| One-way hash of the forwarded email or submitted message | Detect duplicate submissions so we don't analyse the same message twice | 90 days (deleted with the check record) |
| Usage events (check submitted, payment made, account deleted) | Service operation, debugging errors | Deleted when you delete your account |
What we do NOT collect
- Email attachments — we do not process, open, or store any attachments.
- Your inbox or messages — we cannot and do not access your email inbox or phone messages. We only see what you explicitly forward or paste to us.
- Passwords or payment card numbers — we never ask for these. Payment is handled entirely by Stripe (see below).
How the analysis works
When you forward an email or submit a text message, we run two layers of analysis:
- Automated security checks — we scan for urgency and phishing language patterns, check links against the Google Safe Browsing database, and detect requests for sensitive information. For emails, we also verify the sender's domain (DNS, SPF, DKIM, DMARC records) and check domain registration age. For SMS and WhatsApp messages, we expand shortened URLs and check their destinations.
- AI analysis — the message content is sent to an AI model (currently Anthropic Claude) which assesses risk, provides a confidence score, and writes a plain-English explanation.
No human reads your messages as part of the analysis process. The only time a human may review content is if you dispute a result and we need to investigate accuracy.
Third-party services we use
We use a small number of trusted third-party services to operate Don't Click. Here is exactly what data each one receives:
| Service | What they receive | Why |
|---|---|---|
| Anthropic (Claude AI) San Francisco, USA |
Message sender, subject/type, body text (first 4,000 characters), URLs, and authentication header results (for emails) | Powers the AI scam analysis. Anthropic does not use this data to train their models when accessed via their API. |
| Google Safe Browsing USA |
URLs found in the forwarded email or submitted message (up to 500) | Checks links against Google's database of known phishing and malware sites. |
| Resend USA |
Your email address, the result email content | Receives inbound forwarded emails and sends you the analysis report. |
| Stripe USA |
Your email address (pre-filled on checkout), payment details | Processes payments. We never see or store your card details. See Stripe's privacy policy. |
| Google Analytics USA |
Standard analytics data (pages visited, device type, approximate location from IP) | Helps us understand how people use the website. Only active on the landing page. Not used for email analysis. |
| RDAP / public DNS Various |
The sender's domain name only (not your email or the email content) | Looks up domain registration age and DNS records to detect newly created scam domains. |
We do not sell, rent, or share your personal data with anyone for marketing purposes. We do not allow any third party to use your data for their own purposes beyond providing the specific service described above.
Admin notifications
For service monitoring, we send real-time notifications to a private, access-controlled channel when key events occur (new check, dispute, payment, error). These notifications include your email address and the analysis result (rating, confidence, reasons). They do not include the full body text of the email you forwarded. Only the service operator has access to this channel.
Legal basis for processing (GDPR)
We process your data under the following legal bases:
- Performance of a contract (Article 6(1)(b)) — processing your forwarded email and delivering the analysis result is the service you requested.
- Legitimate interests (Article 6(1)(f)) — service monitoring, error detection, fraud prevention, and accuracy improvement. We balance these against your rights and only process the minimum data necessary.
International data transfers
Your data is processed by services based in the United States (Anthropic, Google, Resend, Stripe). These transfers are covered by the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses as applicable. We only use processors that maintain appropriate safeguards for EU personal data.
Data retention
- Message content and analysis results: automatically and permanently deleted after 90 days. This is enforced by an automated daily cleanup process.
- Your account record (email address and usage count): kept while your account is active. When you delete your account, all check records and event logs are immediately deleted. Your email address is retained in a minimal record marked as deleted, solely to prevent abuse (e.g. repeated free-tier resets). This record contains no email content or analysis data.
- Anonymised, aggregated statistics: retained indefinitely (e.g. "87% of checks this month were rated Safe"). These cannot identify you or reconstruct any email content.
Your rights
Under GDPR and Irish data protection law, you have the right to:
- Access your data — email privacy@dontclick.app to request a copy of all data we hold about you.
- Delete your data — click the "Delete your account" link in any email from us, or email privacy@dontclick.app. All check records and event logs are deleted immediately.
- Rectify inaccurate data — contact us and we will correct it.
- Object to processing based on legitimate interests.
- Complain to the Irish Data Protection Commission (the supervisory authority for AR Technologies Ltd) if you believe your rights have been violated.
Cookies
The Don't Click website uses Google Analytics, which sets cookies to distinguish visitors and track page views. We do not use cookies for advertising or personalisation. The email analysis service itself (forwarding and receiving results) uses no cookies at all.
Children
Don't Click is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has used this service, contact us and we will delete their data.
Changes to this policy
We will update this page if our practices change. Material changes will be noted with an updated date at the top. We will not reduce your rights under this policy without giving you notice.
Contact
For any privacy questions, data requests, or concerns:
- Email: privacy@dontclick.app
- Post: AR Technologies Ltd, 77 Camden Street Lower, Dublin, D02 XE80, Ireland