1. Introduction & Data Controller
ScamBuster AI is operated by Marek Mach, with a registered office at Hudečkova 2036/1a, Krč, 14000 Praha 4, Czech Republic, Identification Number (IČO): 02508516.
Under the General Data Protection Regulation (GDPR), we act as the Data Controller. This Privacy Policy explains what information we process, for what purposes, and your rights regarding your data.
2. Information We Process
- Contact details you provide voluntarily (such as your waitlist sign-up email before app availability, or account email once registered).
- Service usage telemetry needed for security, reliability, and abuse prevention.
- Support communication data submitted via support channels.
- De-identified Threat Metadata: Anonymized technical indicators derived from analysis requests.
3. Privacy by Design & Threat Intelligence
ScamBuster AI is built with user privacy at its core. Screen captures submitted for analysis are transmitted over a secure, encrypted connection, processed strictly in-memory to generate a risk verdict, and are never permanently stored in their original form.
To continuously protect our users and strengthen our defenses against digital fraud, we may extract fully anonymized threat patterns and indicators of compromise (attack vectors) from analyzed samples. This data contains absolutely no personal identifiers or context, and is used exclusively to generate security intelligence, develop defensive countermeasures, and improve global fraud detection.
4. How We Use Information & Legal Basis
Under the GDPR, we only process your data when we have a valid legal basis:
- Performance of a Contract: To provide and maintain ScamBuster AI functionality, and to manage your waitlist or user registration.
- Legitimate Interest: To protect users and platform integrity (fraud and security controls), to collect essential telemetry, to analyze anonymized threat intelligence to preemptively block cyber threats, and to communicate important product updates.
- Legal Obligation: To comply with applicable legal and regulatory obligations.
5. Sharing, Service Optimization, and International Transfers
We do not sell personal data. We may share limited data with vetted processors that operate infrastructure, AI API services, support tooling, and subscription management platforms (such as RevenueCat) to process your transactions and manage your access to premium features. For website upgrades, payment checkout may be initiated through RevenueCat Web Billing and linked processors. ScamBuster AI does not store full payment card details on its own systems.
To optimize our analysis engine and improve detection accuracy, we may also evaluate fully anonymized, non-personally identifiable technical data using AI infrastructure partners (such as OpenAI). Because all personal identifiers are stripped prior to transmission, this data cannot be linked back to any user.
For our core infrastructure, we utilize service providers located outside the European Economic Area (EEA), primarily in the United States. We ensure all data transfers are protected by appropriate legal safeguards, such as the EU-US Data Privacy Framework or Standard Contractual Clauses (SCCs).
6. Data Retention
We retain personal data only for as long as required for service delivery, legal compliance, security, and dispute resolution. Waitlist sign-up data is held until you request deletion or the waitlist is dissolved following the app's public availability. Usage telemetry is retained for up to 24 months. Fully anonymized and aggregated technical threat data (attack vectors) may be retained indefinitely for security research.
7. Your Rights
Under the GDPR, you have the right to request access, correction, deletion, restriction, objection, and export of your personal data. Right to complain: You also have the right to lodge a complaint with a supervisory authority regarding how we handle your data. In the Czech Republic, this is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů).