Suracode Web Scam Checker — Privacy Addendum
This addendum supplements the Dignity Labs Base Privacy Policy. It details what data the Suracode web scam checker at suracode.co.uk specifically collects and how it is handled. For the Suracode mobile app, see the Suracode App Privacy Addendum.
We collect the minimum data necessary to provide the service. The web scam checker runs entirely in your browser. No data is transmitted when you run a scan. Pattern matching, text extraction, email domain checks, and PII redaction all happen on your device. We have no visibility into what you scan.
Pro features (coming soon) will require sending limited, specific data to external services. Before any data leaves your browser, you will review exactly what will be transmitted and must confirm.
When you paste a message or upload a screenshot and run a scan, the following happens entirely in your browser:
None of this data is transmitted anywhere. No network requests are made. The scan runs offline once the page has loaded.
Pro features are not yet available. When launched, they will transmit limited data to external services via Supabase Edge Functions hosted in the European Union (Frankfurt, Germany). There will be two Pro paths:
Your message text is stripped of personal information in your browser before transmission. Names, phone numbers, email addresses, postcodes, card numbers, National Insurance numbers, sort codes, account numbers, dates of birth, and reference numbers are replaced with placeholder tags (e.g. [NAME], [PHONE], [EMAIL]). A secondary safety check in the Supabase Edge Function catches any personal data the browser redaction missed — if residual personal data is detected, the request is rejected and no data is forwarded.
The redacted text is sent to Anthropic's Claude API for analysis. The original unredacted text never leaves your browser. See WP6 for Anthropic's data handling.
URLs, email addresses, and phone numbers extracted from the message are shown to you for review. Each item has a "This is mine — skip" option so you can exclude any item that belongs to you. Only the items you approve are sent to external threat intelligence services via a Supabase Edge Function. These are the scammer's contact details, not yours. No message content is transmitted. See WP5 for the full list of services.
If you create a web account on suracode.co.uk, authentication is handled by Supabase Auth using email and password. When you register:
Supabase acts as our data processor for authentication data. Their handling of this data is governed by their privacy policy and our data processing agreement (signed 17 March 2026, ref DFST6-4GVXN-YZ7U2-XPRNF, UK Addendum).
| Data Type | Stored By | Dignity Labs Access | Purpose |
|---|---|---|---|
| Email address (plaintext) | Supabase Auth | Required by Supabase for login and password reset | Authentication |
| Email address (encrypted) | Our application database | Decryptable only with keys held outside the database | Breach-resilient communication, receipts |
| Email address (HMAC hash) | Our application database | Irreversible — supports lookups without decryption | Support, breach notification |
| Password hash | Supabase Auth | We cannot access or read this | Authentication |
| Anonymous UUID | Our application database | Cannot be linked to your identity without Supabase Auth access | Account identification |
When Pro features launch and you approve items for database checking, they will be sent to external threat intelligence services via a Supabase Edge Function. The specific services queried will depend on the type of item.
URLs are checked against: Google Safe Browsing (malware, phishing, social engineering), URLhaus by abuse.ch (malware distribution), PhishTank (confirmed phishing URLs), PhishDestroy (domain threat scoring), ScamAdviser (trust scoring), API Ninjas (domain age via WHOIS), and Trustpilot (business reviews). Not all services are active at all times — if a service is unavailable or not configured, that check is silently skipped.
Email addresses are checked against: EmailRep (reputation and suspicion scoring).
Phone numbers: Premium-rate prefix detection only. No external service receives your phone number data.
Each service receives only the specific item being checked (a URL, an email address, or a phone number). No message content, no personal information, and no account identifiers are transmitted to any threat intelligence service.
| Service | Data Received | Privacy Policy |
|---|---|---|
| Google Safe Browsing | URLs | policies.google.com/privacy |
| URLhaus (abuse.ch) | URLs | abuse.ch/privacy |
| PhishTank | URLs | phishtank.org |
| PhishDestroy | Domains | phishdestroy.com |
| ScamAdviser | URLs | scamadviser.com/privacy-policy |
| API Ninjas | Domains | api-ninjas.com/privacy |
| Trustpilot | Domains | legal.trustpilot.com/privacy |
| EmailRep | Email addresses | emailrep.io |
When you use the AI tactics analysis feature, PII-redacted text is sent to Anthropic, PBC via their Claude API. Anthropic acts as a data processor for this data.
Anthropic's privacy policy: anthropic.com/privacy
No payment processing is currently active. When Pro features launch, any payment processing will be handled by a PCI-compliant third party — Dignity Labs will never receive or store your card details. This section will be updated before any payment functionality goes live.
If you create a web account, the following data is stored in our Supabase database (Frankfurt, Germany, EU):
| Data Type | Purpose | Personal Data? |
|---|---|---|
| Anonymous UUID | Identify your account | No |
| Encrypted email (AES-256-GCM) | Breach-resilient communication | Yes (encrypted — decryptable only with keys held outside database) |
| Email hash (HMAC-SHA256) | Lookup without decryption | No (irreversible) |
We do not store: message content, screenshots, extracted text, scam check results, URLs checked, emails checked, phone numbers checked, or any content you submit to the scam checker. The transaction metadata column is explicitly prohibited from containing any user-submitted content.
If you upload a screenshot, the Tesseract.js library is loaded from jsDelivr CDN to extract text. All text extraction happens in your browser — no image data is transmitted to any service. Loading the script exposes your IP address to jsDelivr's CDN. jsDelivr's privacy policy: jsdelivr.com/privacy-policy-jsdelivr
Font files are loaded from Google's servers, which exposes your IP address to Google. Google Fonts privacy: developers.google.com/fonts/faq/privacy
Both suracode.co.uk and dignitylabs.co.uk are hosted on Cloudflare Pages. Cloudflare processes your IP address and request metadata as part of hosting. Cloudflare's privacy policy: cloudflare.com/privacypolicy
Our application database and Edge Functions are hosted on Supabase (Frankfurt, Germany, EU). Supabase complies with GDPR and maintains SOC 2 Type II certification. All connections use HTTPS/TLS. Our data processing agreement with Supabase was signed 17 March 2026. Supabase's privacy policy: supabase.com/privacy
We use IP address hashing (SHA-256 with a secret salt) to enforce rate limits on Pro features. Your raw IP address is never stored — only an irreversible hash. Rate limit records are purged after 24 hours. Authenticated users receive higher rate limits than anonymous users.
The web scam checker stores a usage counter in your browser's localStorage under the key sc_usage. This contains only a date and a usage count. No personal information or message content is stored. You can clear this data at any time via your browser settings.
If you create a web account, your email address is stored in both Supabase Auth (plaintext, required for login and password reset) and in our application database in encrypted form (AES-256-GCM ciphertext with HMAC-SHA256 hash for lookups). The encryption keys are stored outside the database in Supabase Edge Function secrets and backed up in an offline vault. In the event of a database breach affecting our application tables, your email address would remain protected.
This does not protect against a compromise of the Supabase Auth auth.users table, which Supabase manages. A breach of that table would expose email addresses stored by Supabase Auth for authentication purposes.
| Data Type | Retention Period |
|---|---|
| Rate limit records | Purged after 24 hours |
| Encrypted email record | Deleted on account deletion |
| Supabase Auth record | Deleted within 30 days of account deletion request |
| localStorage data | Persists until you clear browser data |
| Support correspondence | 2 years from last contact |
To delete your web account and all associated data: Contact [email protected]. Deletion removes your encrypted email record and Supabase Auth record.
To delete localStorage data: Clear your browser's site data for suracode.co.uk or dignitylabs.co.uk.
We process deletion requests within 30 days.
We explicitly do not collect or store: message content you submit for scanning, screenshots you upload, extracted text from screenshots, URLs checked via Pro lookup, email addresses checked via Pro lookup, phone numbers checked via Pro lookup, your browsing history, advertising identifiers, cookies (beyond Cloudflare's essential hosting cookies), analytics data, or your location.
| Question | Answer |
|---|---|
| Do you sell my data? | No, never |
| Can you see what I scan? | No. Scans run entirely in your browser. When Pro features launch, AI analysis will receive only PII-redacted text and lookups will receive only user-approved URLs, emails, and phone numbers. |
| Do you store my scan results? | No. We do not store any scan results, message content, or checked items. |
| Where is my data stored? | EU (Frankfurt, Germany) via Supabase. |
| Can I delete my data? | Yes — contact [email protected] |
| Do you track me? | No cookies, no analytics, no tracking. Rate limiting uses an irreversible hash of your IP address, purged after 24 hours. |
| Who can I complain to? | The ICO (ico.org.uk) |
This addendum was last updated on 31 March 2026.
© 2026 Dignity Labs Ltd · Company 16954194 · Registered in England and Wales · All rights reserved