Privacy Policy
Effective date: June 30, 2026 · Last updated: June 30, 2026
GDPR · CCPA · NIST SP 800-53 Compliant
What We Collect
PhishScan is designed with data minimization as a core principle (GDPR Art. 5, CCPA). We collect only what is necessary to provide the service:
- Domain name you submit for scanning — used solely to perform DNS lookups and generate your report.
- Hashed IP address (one-way SHA-256 hash) — stored temporarily for rate-limiting purposes only. We never store your raw IP address.
- Generated PDF report — stored on our servers for up to 1 hour, then permanently deleted. We do not keep copies.
What We Do Not Collect
- No account, name, email, or personal identification required to use the free tier.
- No tracking cookies, advertising pixels, or cross-site trackers.
- No browsing history or behavioral profiling.
- No sale or sharing of any data with third parties for marketing.
Third-Party Services
To generate AI-written narrative summaries, the domain name you submit is sent to Anthropic's Claude API. Anthropic's data handling is governed by their Privacy Policy. No other third-party services receive your data.
Data Retention
- PDF reports: auto-deleted after 1 hour from generation.
- Hashed IP rate-limit records: auto-purged after 24 hours.
- Audit logs: retained for 30 days for security monitoring, then purged. Logs contain only hashed IPs and event types — no domain names.
Your Rights (GDPR / CCPA)
Because we do not store personally identifiable information, there is no user profile to access, export, or delete. If you have concerns about data processed during a scan session, contact us and we will investigate within 72 hours (GDPR Art. 33).
Security Measures
- All traffic encrypted via HTTPS/TLS 1.2+ (NIST SP 800-52)
- HTTP security headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options
- Input validation and SSRF prevention on all domain inputs
- Rate limiting per anonymized IP to prevent abuse
- No server-side session cookies
Compliance Framework
- GDPR (EU) — data minimization, storage limitation, security by design
- CCPA (California) — no sale of personal information
- NIST SP 800-53 — access control, audit logging, system hardening
- OWASP Top 10 — injection prevention, broken access control, security misconfiguration
Contact
Security issues or privacy concerns: privacy@phishscan.app