ScamLens

Privacy Policy

Last updated: May 2026

ScamLens, operated by Wayjet Limited Liability Company ("we", "our", "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our website and services.

Information We Collect

Automatically Collected

When you use ScamLens, we may collect: IP address (immediately anonymized via SHA-256 hashing with a daily-rotating salt — never stored in plaintext or in identifiable form), browser type and version, pages visited and features used, domain queries submitted for analysis, approximate geolocation (country, city, and ASN derived from request headers), and time-series telemetry stored in Cloudflare Analytics Engine for up to 90 days.

Account Information

If you create an account, we collect: email address, display name, hashed password (we never store plaintext passwords), and OAuth profile data if you sign in with Google or Microsoft.

Community Contributions

If you submit reports or comments, we collect: domain reported, report content and type, display name (chosen by you), and timestamp.

OrangeDuck Extension

If you use our OrangeDuck Chrome extension: bookmark URLs, page titles, page content (truncated to 4,000 characters) for AI analysis, encrypted cloud backups, domain lookups via RDAP servers, and embedding vectors for semantic search. In default proxy mode, this data is processed through our backend API. Embedding generation occurs automatically when logged in and can be disabled in extension settings.

How We Use Your Information

We use your information to: provide domain safety analysis services, prevent abuse and enforce rate limits, improve our threat detection accuracy, display community reports and comments, and send account-related notifications (if you have an account).

Legal Basis for Processing (GDPR)

We process personal data on the following lawful bases under GDPR Article 6: (a) Performance of a contract — when delivering account services, paid features, and trace results; (b) Legitimate interests — when operating rate limiting, threat detection, and abuse prevention (anti-fraud purposes constitute a recognized legitimate interest); (c) Consent — for marketing emails and non-essential cookies (you can withdraw at any time); (d) Legal obligation — when responding to lawful requests from authorities or complying with sanctions screening.

Information Sharing

We do not sell your personal information. We may share anonymized, aggregated statistics (e.g., total scans performed). We share data with the third-party service providers listed below strictly as needed to deliver our services, subject to GDPR-compliant Data Processing Agreements. We may also disclose information when legally required (court order, lawful subpoena, sanctions compliance) or to prevent imminent harm.

Third-Party Service Providers

We engage the following processors to deliver our services: Cloudflare (hosting, security, KV storage, D1 database, Analytics Engine, R2 object storage), Stripe (payment processing for paid services — PCI DSS Level 1 certified), Brevo (transactional and marketing email), Resend (email dispatch), Anthropic and OpenAI (AI analysis of submitted content; queries are processed but not used for model training under our enterprise agreements), Google (Gemini AI fallback, Google Analytics 4 with cookie consent, Search Console, Places API), and Sentry (error monitoring). Each processor is contractually bound to GDPR-compliant data handling under signed Data Processing Agreements.

Cookies

We use minimal cookies for: authentication tokens (if logged in), language preference, and essential site functionality. We do not use advertising or tracking cookies.

Data Retention

Domain analysis results are cached for up to 24 hours for performance. Time-series telemetry (queries, page views, health checks, audit events) is retained in Cloudflare Analytics Engine for approximately 90 days, then automatically purged. Account data is retained until you delete your account. Community reports and comments are retained indefinitely as part of our threat intelligence database, but any personally identifying fields associated with deleted accounts are anonymized.

Analytics Data & Time-Series Storage

Our anti-fraud platform uses Cloudflare Analytics Engine to store time-series records of domain queries, page views, health checks, and audit events. IP addresses are anonymized at write time via SHA-256 hashing with a daily-rotating salt (the same IP on different days produces different hashes, preventing cross-day correlation). Analytics Engine records are retained for approximately 90 days and are then automatically purged. When you delete your account, your user ID is immediately added to a server-side blocklist that filters your data from all live queries while the underlying records expire within the 90-day window.

Your Rights

Under GDPR and applicable privacy laws, you have the right to: access your personal data, request deletion of your account and associated data, opt out of community features, export your data in a portable format, and lodge a complaint with your local supervisory authority. When you request account deletion, we (1) immediately add your user ID to a server-side blocklist so it is filtered from all live queries; (2) anonymize personally identifying fields in our long-term audit archive; (3) allow Analytics Engine time-series records to expire naturally within ~90 days. Self-service deletion and data export are available via your account settings (Delete Account, Export Data). For other requests contact us at privacy@safescan.com.

Security

We use industry-standard security measures including encryption in transit (HTTPS), hashed passwords, and secure infrastructure on Cloudflare Workers.

Changes to This Policy

We may update this policy from time to time. We will notify registered users of significant changes via email.

Contact Us

For privacy-related inquiries, please contact us at privacy@safescan.com.

Crypto Fund Flow Trace Service

Data Collection

When you use our Crypto Fund Flow Trace service, we collect: the wallet address you submit for analysis, your email address (for delivering trace results), payment information (processed securely by Stripe — we do not store card details), and your IP address (for rate limiting and fraud prevention).

OFAC Sample Match (Limited)

As part of trace analysis, addresses are matched against ~14 high-profile hardcoded OFAC SDN entities (Tornado Cash, Lazarus Group, etc.). This is NOT full OFAC SDN screening — full sanctions list screening (OFAC SDN, UN, EU, OFSI) is on our v2 roadmap. For compliance use cases, perform an independent OFAC check via Chainalysis Free Sanctions API or OpenSanctions.

Data Processing & Retention

Trace results are stored for 90 days after completion, after which they are automatically deleted. During this period, you may request deletion of your trace data by contacting hello@scamlens.org. Your email address is used solely for delivering trace results and is not used for marketing purposes.

Legal Basis (GDPR)

Performance of a contract (Article 6(1)(b)) — processing is necessary to deliver the trace service you purchased.

PCI Compliance

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. ScamLens does not store, process, or transmit credit card data on our servers.

Geographic Restrictions

This service is not available to users in countries subject to comprehensive U.S. sanctions (including but not limited to North Korea, Iran, Cuba, Syria, and the Crimea region). By using this service, you confirm that you are not located in or ordinarily resident in a sanctioned jurisdiction.