Privacy Policy

Last updated: 15 February 2026

Your privacy matters. Is This Safe? is designed with a privacy-first approach and operates in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy explains what data we collect, the lawful basis for processing, how we use it, and the rights you have.

The Short Version

We are committed to UK GDPR compliance. We do not collect personal information. Your scan history stays on your device. We only process the data you submit for scanning (URLs, text, file metadata) to return a safety verdict — nothing is stored permanently on our servers. We use only essential cookies and do not track you.

1. Who We Are

Is This Safe? is a mobile application that helps users identify potentially dangerous links, messages, files, and QR codes. For the purposes of the UK GDPR and the Data Protection Act 2018, we act as the data controller for any personal data processed through this service.

We are committed to protecting your privacy and ensuring that any data processing is carried out in accordance with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

2. Information We Collect

Data you submit for scanning: When you use the app to scan a URL, text message, file, QR code, or email headers, that input is sent to our server for analysis. This includes:

URLs and links you paste for checking
Text or message content you submit for analysis
File metadata (file name, file type, file size, SHA-256 hash) — we never receive or store your actual files
QR code decoded content (typically a URL or text)
Email headers you paste for authentication analysis
Community threat reports you submit (indicator type, indicator value, and your verdict of spam or safe)

This data is processed under our legitimate interests (UK GDPR Article 6(1)(f)) to provide you with the scanning and safety analysis service.

Data we do NOT collect:

Personal information (name, email, phone number, address)
Device identifiers or advertising IDs
Location data
Contacts, photos, or other device content
Account credentials — we have no user accounts or sign-up

3. Lawful Basis for Processing

Under UK GDPR Article 6, we must have a valid lawful basis for processing any data. Our lawful bases are:

Legitimate interests (Article 6(1)(f)): We process scan data to provide you with the core scanning and safety analysis service. We have conducted a legitimate interests assessment and determined that processing this data is necessary to deliver the service you request, and that your rights and freedoms are not overridden given the minimal and non-personal nature of the data involved.
Consent (Article 6(1)(a)): Where we offer optional features (such as storing scan history locally on your device), we rely on your consent, which you may withdraw at any time by clearing your data through the app settings.

4. How We Use Your Data

Submitted scan data is processed solely to:

Perform real-time DNS verification and safety analysis
Return a safety verdict (safe, caution, or dangerous) with detailed findings
Improve our threat detection heuristics through anonymous, aggregated scan logs

We do not sell, rent, or share your data with third parties for advertising or marketing. Your data is never used for profiling, automated decision-making, or any purpose beyond providing the safety scanning service.

5. Data Storage & Retention

On your device: Your scan history, trusted/blocked lists, and app settings are stored locally on your device using AsyncStorage. This data never leaves your phone unless you choose to clear it.

On our servers: Scan requests may be logged temporarily for rate limiting and service monitoring. These logs contain the scan type and a summary of the input — not your personal information. Logs are automatically purged within 30 days.

Community threat reports: When you report a URL, domain, phone number, email, or message as spam or safe, this report is stored on our servers to contribute to community-driven threat scoring. These reports do not contain personal identifiers — only the indicator and your verdict.

Data minimisation: In accordance with the UK GDPR data minimisation principle (Article 5(1)(c)), we only collect and process the minimum amount of data necessary to provide the scanning service. We do not retain data longer than is necessary for the purposes for which it was collected.

6. Cookies & Similar Technologies

We use only essential cookies that are strictly necessary for the operation of our service. We do not use any tracking, advertising, or analytics cookies.

Cookie Usage Summary

Essential cookies (used):

Session management — maintaining your active session
Rate limiting — preventing abuse of the scanning service

Local storage (used):

Scan history — your previous scan results
App settings — your preferences and configuration
Cookie consent preference — remembering your consent choice

NOT used:

Analytics cookies
Advertising cookies
Social media cookies
Third-party tracking cookies

Because we use only strictly necessary cookies, consent is not required under PECR. However, we provide transparency about our cookie usage above.

7. Third-Party Services

The app does not integrate any third-party analytics, advertising networks, or tracking services. We do not use Google Analytics, Facebook SDK, or similar tracking tools.

The app uses real-time DNS lookups via public DNS infrastructure to verify domain records. These lookups are standard internet protocol queries and do not transmit personal information.

The app also performs SSL/TLS certificate verification by connecting to port 443 of scanned domains to check certificate validity, expiry dates, and issuer information. These are standard TLS handshakes and do not transmit personal information.

8. International Data Transfers

DNS lookups performed as part of our scanning service are sent to public DNS resolvers as standard internet protocol queries. These queries contain only the domain name being looked up and do not include any personal data.

We do not transfer personal data internationally. All personal data processing (to the extent any occurs) takes place in accordance with UK GDPR requirements.

9. Your Rights Under UK GDPR

Under the UK GDPR, you have the following rights in relation to your personal data:

Right of access (Article 15): You have the right to request a copy of the personal data we hold about you. Given our minimal data collection, this is likely to be limited to temporary scan logs.
Right to rectification (Article 16): You have the right to request correction of any inaccurate personal data we hold about you.
Right to erasure (Article 17): You have the right to request deletion of your personal data. You can delete local data through the app settings, or request server-side deletion via our Data Deletion page.
Right to restrict processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances.
Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
Right to object (Article 21): You have the right to object to processing based on legitimate interests. If you object, we will stop processing your data unless we can demonstrate compelling legitimate grounds.
Right to withdraw consent: Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Right to lodge a complaint: You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection. You can contact the ICO at ico.org.uk or by calling their helpline.

To exercise any of these rights, please contact us through the feedback feature in the app.

10. Children's Privacy

Is This Safe? does not knowingly collect information from children under 13. The app includes a Family Mode setting that provides stricter safety warnings, designed for family use. If we become aware that we have inadvertently collected data from a child under 13, we will take steps to delete that data promptly.

11. Data Security

We implement appropriate technical and organisational measures to protect data in accordance with UK GDPR Article 32. These measures include:

HTTPS encryption for all data in transit
Data minimisation — collecting only what is necessary for the service
No storage of personal data on our servers beyond temporary scan logs
Automatic purging of server-side logs within 30 days

Since we do not store personal data, the risk of data breaches affecting your personal information is minimal.

12. Data Deletion

You can delete your data at any time:

Local data: Use the delete button in the app's Settings tab to clear your scan history, preferences, and all locally stored data
Server data: Visit our Data Deletion page for instructions on requesting deletion of any server-side scan logs

13. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. Changes will be posted on this page with an updated revision date. We encourage you to review this policy periodically. Continued use of the app after changes constitutes acceptance of the updated policy.

14. Contact & ICO

If you have questions about this privacy policy, your data, or wish to exercise your rights, please reach out through the feedback feature in the app.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Helpline: 0303 123 1113