Privacy Policy – FraudAce
1. Introduction
Welcome to FraudAce (“we,” “our,” or “us”). FraudAce is a mobile security application designed to help you identify and protect against email scams, phishing attempts, malicious links, and compromised accounts. This Privacy Policy explains how we collect, use, store, and protect your information when you use our mobile application.
By using FraudAce, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Information You Provide Directly
Email Address
- Purpose: Account creation, authentication, identity monitoring (breach detection)
- Storage:
  - Temporary verification codes stored for 10 minutes during email verification
  - Email addresses are hashed using SHA-256 before storage for identity monitoring
  - Plain-text email addresses are NOT stored after verification
- Retention: Verification codes expire automatically after 10 minutes; hashed emails retained for breach monitoring
Password Information (k-Anonymity)
- Purpose: Check if your password has been compromised in data breaches
- How It Works: We use the k-anonymity protocol with the Have I Been Pwned API – only the first 5 characters of your password hash are sent, never the full password or hash
- Storage: We do NOT store your passwords or password hashes
- Privacy Protection: Your actual password never leaves your device. FraudAce password checks are performed locally on your device; users are not prompted to re-enter credentials for any external accounts.
2.2 Email Content (In-Memory Processing Only)
User-Initiated Email Access: FraudAce does not have continuous access to your inbox. Email scanning is performed only when the user explicitly connects their email account and manually initiates a scan by selecting “Scan Emails for Threats.” When a scan is initiated, the app analyzes only a limited set of recent emails (e.g., the last 24 hours) to identify potential security threats. FraudAce only accesses the minimum necessary email data required to perform security analysis. No full email content or attachments are transmitted or stored by FraudAce. Only extracted security indicators (such as URLs and file hashes) may be securely transmitted for analysis.
What Happens During a Scan:
- What We Process: Links, attachments, sender domains, and metadata from emails you choose to scan
- How We Process: All email content is processed in-memory only and is never stored
- What We Extract:
  - URLs from email body (which may be securely transmitted to trusted threat intelligence providers for analysis)
  - File hashes from attachments (we do NOT store the actual attachments)
  - Sender domain information
- Storage: Email content is NOT stored. Scan results (which do not contain email content) may be temporarily cached for performance.
Important Privacy Protections:
- Only security indicators such as URLs and file hashes are shared with trusted threat intelligence providers for analysis. No full email content is shared. URLs extracted from emails are securely transmitted to threat intelligence providers using encrypted connections.
- File attachments are converted into secure cryptographic hashes (SHA-256, MD5, SHA-1) before being checked against malware databases. The actual file contents are never transmitted or stored.
- Email content is processed temporarily in-memory for security analysis only and is never stored by FraudAce.
- This access is used solely for security purposes and is not used for advertising, profiling, or any unrelated activity.
2.3 Usage Data & Quota Tracking
We collect minimal usage information to enforce subscription limits:
- User ID: A randomly generated identifier used to track app usage and enforce quotas
- Quota Counters: Number of scans performed per day (email scans, link scans, attachment scans, password checks)
- Retention: Quota data resets automatically every 24 hours (UTC midnight)
- What We DON’T Store: We do not store the actual content of what you scanned, only the count
What We DON’T Store
- ❌ Email content or bodies (processed in-memory only)
- ❌ Email attachments (only file hashes are checked)
- ❌ Your passwords (never sent to our servers)
- ❌ Full password hashes (only first 5 characters via k-anonymity)
- ❌ Plain-text email addresses (hashed with SHA-256 after verification)
- ❌ Personal messages or communications
- ❌ Device identifiers or location data
3. How We Use Your Information
3.1 Primary Services
We use your information to provide and improve our core services:
- Email Security Scanning – Scan links and attachments in emails for threats, detect phishing, malware, and scams, analyze sender domain reputation
- Manual Threat Scanner – User-initiated URL scanning, file hash verification, domain reputation checks
- Identity Monitoring – Check if your email appears in known data breaches (using hashed email), verify if your passwords have been compromised (using k-anonymity), alert you to security risks
- Security Awareness – Educational security alerts and latest scam trends and warnings
- Subscription Management – Enforce daily usage limits based on subscription tier, track quota usage, manage trial periods
We do not use your data for advertising, profiling, or behavioral tracking.
4. Third-Party Services & Data Sharing
Important: FraudAce integrates with third-party security services to provide comprehensive threat intelligence. Your data is shared with these services only as necessary to perform security scans.
4.1 Threat Intelligence Providers
| Service | Data Shared | Purpose | Privacy Policy |
|---|---|---|---|
| Google Web Risk | URLs you scan | Detect malware, phishing, and malicious websites | View Policy |
| APIVoid | URLs, domains, IP addresses | Reputation checks | View Policy |
| MalwareBazaar | File hashes (SHA-256, SHA-1, MD5) | Identify known malware | View Policy |
| VirusTotal | URLs and file hashes (manual scans only) | Enhanced malware detection | View Policy |
| Have I Been Pwned | Hashed email (SHA-256), partial password hash (5 chars) | Breach detection, password compromise checking | View Policy |
| Brevo | Email address, verification codes | Send email verification codes | View Policy |
Data Processing by Third Parties: Third-party providers may process and store submitted indicators (URLs, file hashes, domains) in accordance with their own privacy policies. We recommend reviewing their privacy policies linked above for complete information about how they handle data.
We do NOT sell, rent, or trade your personal information to third parties for marketing purposes.
5. Data Storage & Security
5.1 Storage Duration
| Data Type | Storage Duration | Auto-Deletion |
|---|---|---|
| Verification Codes | 10 minutes | ✅ Yes (TTL) |
| Hashed Emails | Until the user removes the email from monitoring | ❌ Manual |
| Quota Counters | 24 hours | ✅ Yes (resets at UTC midnight) |
| Subscription Cache | 30 minutes | ✅ Yes (TTL) |
| Scan Results Cache | Varies by risk level (maximum 24 hours) | ✅ Yes (TTL) |
5.2 Data Security Measures
We implement industry-standard security practices:
- Encryption in Transit: All data transmitted using HTTPS/TLS
- Encryption at Rest: All stored data in Cloudflare KV is encrypted
- Authentication: Bearer token authentication for all API requests
- Hashing: Email addresses hashed using SHA-256 before storage
- k-Anonymity: Password checks use partial hash matching (HIBP protocol)
- Auto-Expiry: Temporary data automatically deleted
- Edge Network: API hosted on Cloudflare’s secure global network
6. Your Rights & Data Control
6.1 Access & Portability
You have the right to:
- Request a copy of your personal data
- Export your data in a machine-readable format
- Request information about which data we have collected
6.2 Correction & Deletion
You have the right to:
- Update your email address
- Remove your data and monitored emails from the app
- Request deletion of specific data (e.g., monitored email addresses)
To exercise these rights, contact us at: [email protected]
7. Subscription Tiers & Usage Limits
FraudAce offers three subscription tiers with different daily usage limits:
| Feature | Free | Trial (3 days) | Premium |
|---|---|---|---|
| Cost | Free forever | Free trial (then requires Premium) | $8.99/mo or $79.99/yr |
| Email Scans | 3/day | 30/day (same as Premium) | 30/day |
| Link Scans | 5/day | 50/day (same as Premium) | 50/day |
| Attachment Scans | 2/day | 15/day (same as Premium) | 15/day |
| Password Checks | 2/day | 20/day (same as Premium) | 20/day |
Note: Usage quotas reset daily at UTC midnight. We only store usage counts, not the content of what you scanned.
Subscription Management: Subscriptions are managed through your App Store or Google Play account. You can cancel at any time through your account settings. Subscriptions automatically renew unless canceled at least 24 hours before the end of the current period. No charges will apply during the trial period.
8. Children’s Privacy
FraudAce is not intended for use by children under the age of 13 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children.
If you are a parent or guardian and believe your child has provided personal information to us, please contact us immediately at [email protected] so we can delete the information.
9. International Data Transfers
FraudAce uses Cloudflare’s global edge network, which means your data may be processed in data centers located in various countries around the world. By using FraudAce, you consent to the transfer of your information to countries that may have different data protection laws than your country of residence.
We ensure that appropriate safeguards are in place, including:
- Encryption in transit and at rest
- Compliance with GDPR and international data protection standards
- Contractual protections with third-party service providers
- Data transfers outside the EU/EEA are protected through the use of Standard Contractual Clauses (SCCs) and industry-standard encryption, ensuring your data remains secure regardless of processing location.
10. Contact Information
Get in Touch
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: [email protected]
Company Name: Infosectitans Inc.
Address: Infosectitans Inc., 99 Wall Street #237, New York, NY 10005
Website: https://infosectitans.com
For GDPR-related inquiries:
Data Protection Officer: [email protected]
Response Time: We will respond to privacy-related inquiries within 30 days.
Data Processing Summary
Data We Collect
| Data Type | Purpose | Storage Duration | Encryption |
|---|---|---|---|
| Email (plain) | Verification | 10 minutes | ✅ In transit |
| Email (hashed) | Identity monitoring | Until the user removes the email from monitoring | ✅ At rest |
| Verification codes | Account setup | 10 min (TTL) | ✅ At rest |
| User ID | Identification | Account lifetime | ✅ At rest |
| Quota counters | Usage tracking | 24 hours | ✅ At rest |
| Email content | Threat analysis | NOT STORED | ✅ In transit only |
Compliance
This privacy policy complies with:
- ✅ General Data Protection Regulation (GDPR)
- ✅ California Consumer Privacy Act (CCPA)
- ✅ Children’s Online Privacy Protection Act (COPPA)
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make changes:
- We will update the “Last Updated” date at the top
- For material changes, we will notify you via email or in-app notification
- Continued use of FraudAce after changes constitutes acceptance of the updated policy
We encourage you to review this Privacy Policy periodically.
Your Consent
By using FraudAce, you consent to:
- Collection and processing of data as described in this policy
- Sharing data with third-party security providers for threat analysis
- International data transfers via Cloudflare’s global network
You can withdraw consent at any time by:
- Deleting your FraudAce account
- Uninstalling the mobile application
- Contacting us to request data deletion
This Privacy Policy is provided in good faith to ensure transparency about how FraudAce handles your data. If you have any questions or concerns, please don’t hesitate to contact us.
