Privacy Policy
Last updated: March 2026
What happens when you scan
When you paste an email and click Scan, we send the text to our analysis servers. Any URLs in the email are checked against threat databases, and an AI model analyzes the text for phishing patterns. The entire process takes a few seconds. Your email content is never written to disk, never stored in a database, and permanently discarded the moment the response is sent back to your browser.
Third-party services we use
We rely on the following services to make Smells Phishy work. Each processes data on our behalf.
- Google Gemini AI — analyzes the email text to identify phishing patterns. Google AI Terms & Data Use
- Google Web Risk — checks URLs in the email against known threat lists. Privacy Policy
- urlscan.io — looks up URL reputation data. Privacy Policy
- Cloudflare Turnstile — bot verification on the scan form. May set functional cookies. Privacy Policy
- PostHog — privacy-friendly product analytics. No email content is included in any analytics event. Session recording is disabled. Privacy Policy
- Upstash Redis — stores rate limit counters and an aggregate scan count. No email content is stored. Privacy Policy
Analytics and tracking
We use PostHog to understand how the product is used — for example, how many scans are run and which sections visitors read. Session recording is disabled. No email content is included in any analytics event. We may also use Google Analytics for aggregate traffic data. We do not use advertising pixels.
IP addresses
Your IP address is temporarily stored in our rate-limiting system (Upstash Redis) to enforce the limit of 3 scans per day. It is automatically deleted after 24 hours. IP addresses are never linked to email content.
What we never do
- ✓ Store your email content after a scan completes
- ✓ Create user accounts or track your identity
- ✓ Sell or share your data with advertisers
- ✓ Log the contents of your emails
Your rights
Since we don't store email content or create user accounts, most data subject requests (access, erasure, portability) have nothing to act on — we simply don't hold that data. For questions about analytics data (non-identifying usage metrics), contact us at the address below.
Who is responsible for this service
This service is operated by an independent developer. For privacy questions, contact: help@smellsphishy.app
Disclaimer
This tool provides AI-assisted analysis only and should not be considered definitive security advice. Results may contain errors or omissions. You are responsible for any actions you take based on the analysis. We accept no liability for loss or damage arising from use of this service. When in doubt, contact the sender directly through official channels or consult a security professional.