Privacy Policy

Last updated: 23 March 2026

The short version:

We analyse the email you forward to us and send back a safety report. We store email content for 90 days, then permanently delete it. We never store attachments. We never sell your data. You can delete everything at any time.

Who we are

Don't Click is an email scam detection service operated by AR Technologies Ltd, a company registered in Ireland.

Registered address: 77 Camden Street Lower, Dublin, D02 XE80, Ireland
Contact email: privacy@dontclick.app

AR Technologies Ltd is the data controller for all personal data processed through this service.

What we collect and why

Data	Purpose	Retention
Your email address	Send you results, track your free check usage, manage your account	Until you delete your account
Forwarded email content (sender, subject, body text — first 10,000 characters only)	Analyse for scam indicators, review accuracy when you dispute a result	90 days, then permanently deleted
Analysis results (risk rating, confidence score, reasons)	Send you the safety report, improve accuracy over time	90 days, then permanently deleted
One-way hash of the forwarded email	Detect duplicate submissions so we don't analyse the same email twice	90 days (deleted with the check record)
Usage events (check submitted, payment made, account deleted)	Service operation, debugging errors	Deleted when you delete your account

What we do NOT collect

Email attachments — we do not process, open, or store any attachments.
Your inbox — we cannot and do not access your email inbox. We only see what you explicitly forward to us.
Passwords or payment card numbers — we never ask for these. Payment is handled entirely by Stripe (see below).

How the analysis works

When you forward an email, we run two layers of analysis:

Automated security checks — we verify the sender's domain (DNS, SPF, DKIM, DMARC records), check domain registration age, scan for urgency and phishing language patterns, and check links against the Google Safe Browsing database.
AI analysis — the email content is sent to an AI model (currently Anthropic Claude) which assesses risk, provides a confidence score, and writes a plain-English explanation.

No human reads your email as part of the analysis process. The only time a human may review email content is if you dispute a result and we need to investigate accuracy.

Third-party services we use

We use a small number of trusted third-party services to operate Don't Click. Here is exactly what data each one receives:

Service	What they receive	Why
Anthropic (Claude AI) San Francisco, USA	Email sender, subject, body text (first 4,000 characters), URLs, and authentication header results	Powers the AI scam analysis. Anthropic does not use this data to train their models when accessed via their API.
Google Safe Browsing USA	URLs found in the forwarded email (up to 500)	Checks links against Google's database of known phishing and malware sites.
Resend USA	Your email address, the result email content	Receives inbound forwarded emails and sends you the analysis report.
Stripe USA	Your email address (pre-filled on checkout), payment details	Processes payments. We never see or store your card details. See Stripe's privacy policy.
Google Analytics USA	Standard analytics data (pages visited, device type, approximate location from IP)	Helps us understand how people use the website. Only active on the landing page. Not used for email analysis.
RDAP / public DNS Various	The sender's domain name only (not your email or the email content)	Looks up domain registration age and DNS records to detect newly created scam domains.

We do not sell, rent, or share your personal data with anyone for marketing purposes. We do not allow any third party to use your data for their own purposes beyond providing the specific service described above.

Admin notifications

For service monitoring, we send real-time notifications to a private, access-controlled channel when key events occur (new check, dispute, payment, error). These notifications include your email address and the analysis result (rating, confidence, reasons). They do not include the full body text of the email you forwarded. Only the service operator has access to this channel.

Legal basis for processing (GDPR)

We process your data under the following legal bases:

Performance of a contract (Article 6(1)(b)) — processing your forwarded email and delivering the analysis result is the service you requested.
Legitimate interests (Article 6(1)(f)) — service monitoring, error detection, fraud prevention, and accuracy improvement. We balance these against your rights and only process the minimum data necessary.

International data transfers

Your data is processed by services based in the United States (Anthropic, Google, Resend, Stripe). These transfers are covered by the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses as applicable. We only use processors that maintain appropriate safeguards for EU personal data.

Data retention

Forwarded email content and analysis results: automatically and permanently deleted after 90 days. This is enforced by an automated daily cleanup process.
Your account record (email address and usage count): kept while your account is active. When you delete your account, all check records and event logs are immediately deleted. Your email address is retained in a minimal record marked as deleted, solely to prevent abuse (e.g. repeated free-tier resets). This record contains no email content or analysis data.
Anonymised, aggregated statistics: retained indefinitely (e.g. "87% of checks this month were rated Safe"). These cannot identify you or reconstruct any email content.

Your rights

Under GDPR and Irish data protection law, you have the right to:

Access your data — email privacy@dontclick.app to request a copy of all data we hold about you.
Delete your data — click the "Delete your account" link in any email from us, or email privacy@dontclick.app. All check records and event logs are deleted immediately.
Rectify inaccurate data — contact us and we will correct it.
Object to processing based on legitimate interests.
Complain to the Irish Data Protection Commission (the supervisory authority for AR Technologies Ltd) if you believe your rights have been violated.

Cookies

The Don't Click website uses Google Analytics, which sets cookies to distinguish visitors and track page views. We do not use cookies for advertising or personalisation. The email analysis service itself (forwarding and receiving results) uses no cookies at all.

Children

Don't Click is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has used this service, contact us and we will delete their data.

Changes to this policy

We will update this page if our practices change. Material changes will be noted with an updated date at the top. We will not reduce your rights under this policy without giving you notice.

Contact

For any privacy questions, data requests, or concerns:

Email: privacy@dontclick.app
Post: AR Technologies Ltd, 77 Camden Street Lower, Dublin, D02 XE80, Ireland