Last Updated: May 28, 2026 (v1.1.0 — added subscription billing, optional Family plan, and optional cloud assistant fallback)
SecurityIndeed ("we," "us," or "our") operates the Breach Guardian mobile application and the Breach Guardian web dashboard (collectively, the "Service"). This Privacy Policy explains how we collect, use, store, and protect your information when you use our Service.
By downloading, installing, accessing, or using any part of the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with any part of this policy, please do not use the Service.
Our Core Promise: The Breach Guardian mobile app performs all message scanning and threat detection entirely on-device. By default, no outbound network calls happen during automated scanning. Two optional features can send limited data to our servers — URL Reputation Checking (off by default, opt-in) and Help Improve Detection (on by default, opt-out, sends a PII-redacted copy of a message you explicitly mark as scam). Both are described in detail in §1.1 below and toggleable in Settings. The full data flows are also enumerated in §2 (Information We Do NOT Collect) and §1.3 (Optional Connected Email Scanning).
1. Information We Collect
Breach Guardian operates as two distinct components with fundamentally different data models:
1.1 Mobile Application (Breach Guardian App)
Your messages stay on your phone. The mobile app processes message scanning entirely on-device. By default, no outbound network calls happen during automated scanning.
Two features can send limited data to our servers, both controllable in Settings:
- URL Reputation Checking — off by default. When ON, URLs extracted from content you submit are sent to our threat-intelligence proxy (PhishTank, URLhaus, Google Safe Browsing) for reputation checks (described in §2 below under Browsing history). When OFF, only on-device intelligence is used for verdict and decision making, and zero URL data leaves your phone during scanning.
- Help Improve Detection — on by default. When you explicitly mark a message as scam, a PII-redacted copy of that message is sent to our threat-intelligence backend so we can catch new attacks for everyone. Phone numbers, names, emails, SSN, and card numbers are stripped on-device before upload. Anonymous device ID only — no account identifier is attached. When OFF, no scam reports are sent.
You can opt in or opt out of either at any time. No telemetry, no analytics, no crash reporting, no usage tracking, no advertising or tracking SDKs.
Specifically, the mobile app:
- Does not transmit email content to any server
- Does not send device identifiers, advertising IDs, or hardware fingerprints
- Does not collect or transmit usage statistics, diagnostics, or behavioral data
- Does not include any third-party analytics SDKs
- Does not include any advertising frameworks, ad networks, or trackers
- Does not perform crash reporting to external services
- Does not upload your contacts, call logs, or address book
- Does not access your location, camera, or microphone
- Stores all scan results, detection history, and user preferences in local on-device storage only
- Uses on-device machine learning models that run entirely within the app process with no network dependency
1.2 Web Dashboard (Breach Guardian Web)
The web dashboard provides breach monitoring and data broker removal services. To deliver these features, we collect and process: your email address (account creation, breach monitoring via Have I Been Pwned API), your password (stored only as a one-way Argon2 hash; plaintext never stored), breach results (encrypted at rest in our PostgreSQL database), data broker removal requests (processed via a vendor-agnostic scrubbing provider), and session tokens (temporary; expire automatically). All data stored in our database is encrypted at rest. All communication between your browser and our servers is encrypted in transit via TLS 1.2 or higher.
1.3 Optional Connected Email Scanning
This section applies only if you choose to connect a Gmail or Microsoft Outlook mailbox to Breach Guardian. Connected Email is opt-in and disabled by default. As of the current shipping version of Breach Guardian, Connected Email is not yet available — this section describes the data practices that will apply when the feature ships. The on-device scanner described in §1.1 above continues to operate for paste, share, and screenshot workflows even if you never connect a mailbox.
Breach Guardian's Connected Email feature scans messages in your Gmail or Microsoft Outlook mailbox so it can warn you about phishing, impersonation, suspicious attachments, and social-engineering patterns before you act on them. We use the standard Google and Microsoft OAuth flows; you grant access through their official consent screens and you can revoke access at any time in your Google account or Microsoft account settings.
Connected Email is being rolled out in two stages, called the Hybrid A→B+A architecture:
- Stage A (on-device OAuth scanner). The first version uses react-native-app-auth on your device to obtain Gmail or Microsoft Graph read-only access. Your refresh token is encrypted and stored only on your device, in the OS keychain. Messages are fetched directly from Google or Microsoft to your phone and scanned by the on-device ML pipeline. Nothing about your email content reaches our servers.
- Stage B (server relay, post-CASA). A later version will offer optional server-side relay scanning so we can warn you about suspicious mail in real time, even when the app is closed. Stage B uses Google Cloud Pub/Sub for Gmail and Microsoft Graph change notifications for Outlook. Stage B will only ship after Breach Guardian completes the Google CASA Tier 2 security assessment and the related Apple/Google store reviews.
1.3.1 Data Collected
When you opt into Connected Email, the following may be collected:
- OAuth identifiers: the email address of the connected mailbox, the provider name (Google or Microsoft), an access token, and a refresh token. Tokens authorise read-only mailbox access.
- Message metadata: message IDs, sender, recipient, subject, date, and selected headers (e.g. authentication-results) for messages we scan.
- Message content: body snippets, or the full body if the risk model needs it, plus URLs and attachment metadata, processed only for the duration of the scan.
- Scan results: verdict (safe, suspicious, scam), risk indicators, your explicit feedback (e.g. "this isn't a scam"), and timestamps.
- Diagnostic logs: minimal app and service health information, scrubbed of message content, sender, recipient, subject, and full URLs.
1.3.2 Purpose
The data above is used solely to detect phishing, spam, impersonation, malicious links, suspicious attachments, and social-engineering patterns in your connected mailbox, and to show you the resulting warnings inside the app. That is the only purpose.
1.3.3 What Connected Email Data Is NOT Used For
We do not use Connected Email data for:
- Advertising, ad targeting, or marketing profiling of any kind.
- Sale, rental, lease, or other transfer to third parties for value.
- Building behavioural profiles of you or anyone you correspond with.
- Sharing with data brokers, marketers, or analytics providers.
- Training general-purpose machine-learning models — we do not use your email content to train any model, with or without your consent. This is a hard prohibition consistent with Google's Limited Use policy.
- Surveillance, monitoring, or any purpose unrelated to detecting security threats in your mailbox.
1.3.4 Google Limited Use Compliance
Breach Guardian's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Google user data is used only to provide or improve user-facing features that are prominent in the requesting application's user interface. Google user data is not transferred to others except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users. Google user data is not used or transferred for serving advertisements, including retargeting, personalised, or interest-based advertising. Google user data is not used or transferred to determine creditworthiness or for lending purposes. Humans do not read Google user data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes (such as investigating abuse), to comply with applicable law, or for our internal operations and only when the data has been aggregated and anonymised.
1.3.5 Human Access
SecurityIndeed staff do not read your email content. The only exceptions are: (1) you have explicitly asked us to look at a specific message; (2) we are investigating a credible security or abuse incident affecting your account or our infrastructure; (3) we are required to do so by valid legal process; or (4) we are operating on aggregated, de-identified data that no longer references any individual mailbox or user. Each break-glass access requires two-person approval and is recorded in our audit log.
1.3.6 Data Retention
- Raw email content: not stored by default. During Stage A, the body is held in memory on your device only for the duration of the scan. During Stage B, raw bodies are processed in our relay's memory and discarded immediately after the scan; if a transient cache is used to retry failed scans, it never exceeds 24 hours and is encrypted at rest.
- Scan results and metadata: retained for up to 90 days, matching the on-device scanner default. You can shorten this in Settings or clear scan history at any time.
- OAuth tokens: retained until you disconnect the mailbox in Breach Guardian or revoke access through your Google or Microsoft account.
- Backups: any data that reaches our servers under Stage B is purged from active systems within 30 days of deletion and from backup copies within 90 days.
1.3.7 Deletion and Disconnect
You can stop Connected Email scanning at any time:
- In the app: Settings → Connected accounts → tap the mailbox → Disconnect. We immediately revoke the OAuth token at the provider, wipe the encrypted token from your device, and delete scan history and derived data for that mailbox.
- From your provider account: visit myaccount.google.com/permissions for Gmail or myaccount.microsoft.com for Outlook and revoke Breach Guardian's access. The next scan attempt will fail and we will treat it as a disconnect.
- Full account deletion: contact support@securityindeed.org to delete your SecurityIndeed account and all associated data. Active-system deletion within 30 days; backups within 90 days.
1.3.8 Subprocessors
If and only if you opt into Connected Email, the following service providers may process Connected Email data on our behalf:
- Google LLC — Gmail API, Google Cloud Pub/Sub (Stage B only), GCP infrastructure (Stage B only). Data category: OAuth identifiers; message metadata and content during scan. DPA.
- Microsoft Corporation — Microsoft Graph API for Outlook and Microsoft 365 (when Outlook support ships). Data category: OAuth identifiers; message metadata and content during scan. DPA.
- Hostinger International, Ltd. — VPS hosting for our self-managed relay infrastructure (Stage B only). Data category: encrypted OAuth refresh tokens at rest; scan-result records.
- Functional Software, Inc. (Sentry) — diagnostic and crash logs, PII-scrubbed. No message content reaches Sentry. DPA.
- TAC Security — independent CASA Tier 2 assessor reviewing our Stage B controls. No production user data is shared during the assessment.
If we add or remove a subprocessor with access to Connected Email data, we will update this list and, for material changes, notify users at least 30 days before the change takes effect.
1.3.9 Security Controls
Connected Email data is protected by the controls described in our Security Practices — Email Controls page, including:
- OAuth tokens encrypted at rest with KMS-backed envelope encryption (Stage B); device keychain encryption (Stage A).
- Scope minimisation to gmail.readonly and Microsoft Graph Mail.Read only.
- Pub/Sub and Microsoft Graph webhook authentication, replay protection, and durable enqueue before acknowledgement (Stage B).
- No human read access without break-glass approval, logging, and where applicable user notification.
- A documented mailbox-data incident response plan with 72-hour user notification commitment.
1.4 Optional iOS SMS Filter Extension
This section applies only on iPhone, and only when you have explicitly turned Breach Guardian on as your SMS filter in iOS Settings — Messages — Unknown & Spam — Filter. The filter is opt-in and disabled by default. Apple does not allow apps to enable this on your behalf; you must toggle it on yourself.
1.4.1 What iOS Sends Us
When the filter is on, iOS hands Breach Guardian's filter extension the following information about an incoming SMS, only if the sender is not in your iPhone Contacts:
- The full message body
- The sender phone number or alphanumeric short code
- Sub-action context (a hint such as "transaction" or "promotion") supplied by iOS
iOS does not hand the filter extension messages from senders in your Contacts, nor any iMessage (the blue-bubble service is end-to-end encrypted by Apple and not exposed to filter apps). The filter sees nothing about messages you have already received before turning the filter on.
1.4.2 What We Do With It
The filter extension runs Breach Guardian's offline classifier on the message body and returns a category to iOS — one of Promotion, Junk, or pass-through to your normal Inbox. iOS routes the message to the matching folder. The classifier runs entirely on your device. The message body and sender are never written to disk outside iOS's own Messages storage, and they are never sent to our servers.
1.4.3 What We Do NOT Do
- We do not log SMS bodies, sender numbers, or filter verdicts to any analytics or crash-reporting service.
- We do not retain SMS data after the filter extension has returned its verdict to iOS.
- We do not share SMS data with any third party.
- We do not read iMessage. The filter is structurally incapable of seeing iMessage content.
- We do not read messages from people in your Contacts.
1.4.4 Disabling the Filter
You can disable the filter at any time from iOS Settings — Messages — Unknown & Spam — Filter (toggle off, or select "None"). Once disabled, iOS stops handing any messages to Breach Guardian. No on-device data deletion step is required because no SMS data persists outside the filter call itself.
1.5 Optional Call Protection
This section applies on iPhone and Android, and only when you have explicitly turned Breach Guardian on as your call-screening helper in the device's Settings. Call protection is opt-in and disabled by default. Apple and Google do not allow apps to enable this on your behalf; you must grant the role yourself.
1.5.1 What the Operating System Sends Us
On iPhone, when the Call Directory extension is enabled (Settings — Phone — Call Blocking & Identification — Breach Guardian), iOS does not call our code on every incoming call. Instead, iOS asks our extension once at install time (and again when you update the app or refresh the list) for two sorted arrays:
- A list of phone numbers to block outright
- A list of phone numbers to label (e.g., "Suspected Scam") in the incoming-call UI
iOS handles the actual block/label inline; our extension is not invoked on the call path itself and cannot see who is calling you or when.
On Android, when you grant Breach Guardian the Call Screening role (Settings — Apps — Default apps — Caller ID & spam app), Android hands Breach Guardian's screening service the following for incoming calls only:
- The caller's phone number (or "private/unknown" if hidden)
- The carrier's STIR/SHAKEN verification status (passed, failed, or not verified) — this is the FCC-mandated authentication signal that confirms whether the caller ID has been cryptographically validated by the originating carrier
Android does not share the caller's name, your contact list, your call log, or any other identifying information with the screening service.
1.5.2 What We Do With It
The screening logic runs entirely on your device. We compare the caller's number against:
- Your in-app blocklist (numbers you have explicitly added, stored in app-private storage on your device)
- The STIR/SHAKEN signal (failed verification is a strong indicator of caller-ID spoofing)
Based on these signals, the service tells the operating system to allow, silence-and-warn, or block the call. The decision is returned to the OS within five seconds. No call metadata is recorded after the decision is returned.
1.5.3 What We Do NOT Do
- We do not log phone numbers, caller identities, or block verdicts to any analytics or crash-reporting service. (Logcat diagnostics show only the last four digits of any number, never the full handle.)
- We do not access your call log, your contacts, or your phone state. Breach Guardian declares none of READ_CALL_LOG, READ_PHONE_STATE, READ_CONTACTS, or any SMS permission on Android.
- We do not record, intercept, transcribe, or transmit any voice audio.
- We do not share your blocklist or any call data with any third party, ever. The blocklist never leaves your device.
- We do not read or modify your default dialer or messaging app.
1.5.4 Disabling Call Protection
On iPhone, disable from Settings — Phone — Call Blocking & Identification (toggle off Breach Guardian, or select a different app). On Android, change the Caller ID & spam app to "None" or a different app under Settings — Apps — Default apps. Once disabled, the OS stops invoking Breach Guardian for incoming calls. To delete your blocklist, use the in-app "Clear blocked numbers" control, or uninstall the app.
2. Information We Do NOT Collect
To be absolutely clear, the following data is never collected, transmitted, stored, or accessed by SecurityIndeed from either the mobile app or web dashboard:
- Message content: SMS, MMS, email body text, or any communication content. The on-device scanner processes the content you submit. The message body stays on your device — except when you have Help Improve Detection enabled (on by default in Settings) AND you explicitly mark a specific message as scam, in which case a PII-redacted copy of that message is sent to our threat-intelligence backend so we can improve detection for everyone (phone numbers, names, emails, SSN, card numbers stripped on-device before upload; anonymous device ID only). URLs found inside the content are extracted on-device; if URL Reputation Checking is enabled in Settings (off by default), the extracted URLs — and only the URLs — are sent to our threat-intelligence proxy for reputation checking. With both settings off, nothing about your messages leaves the device. See Browsing history below for the URL flow.
- Call recordings or audio: We do not record, intercept, or transmit any voice calls
- Contact lists or address books: We never upload or access your contacts
- Location data: We do not access GPS, Wi-Fi, or cell tower location information
- Browsing history: We do not observe or track the websites you visit. URLs extracted from content you submit to the app (via paste, share, or screenshot OCR) are sent to our threat-intelligence proxy — to be checked against PhishTank, URLhaus, and Google Safe Browsing — only when “URL Reputation Checking” is enabled in Settings. That setting is off by default. When off, only on-device databases are used for URL checks and no URL data leaves your phone during scanning. You can opt in or opt out at any time.
- Photos, videos, or files: We do not access your media library or file system
- Biometric data: We do not collect fingerprints, face data, or voice prints
- Financial information: We do not collect bank account numbers, credit card numbers, or financial data (except via third-party payment processors if you purchase a paid plan)
- Social Security numbers or government IDs: We never collect government identification numbers
- Device advertising identifiers: We do not read or transmit your IDFA, GAID, or similar
- Keystroke data: We do not log keystrokes or input patterns
- Installed applications: We do not scan or report what other apps are on your device
3. How We Use Your Information
We use the information collected through the web dashboard exclusively to:
- Check your email address against known data breaches via the HIBP API
- Display breach results and notify you of new exposures
- Process and track data broker removal requests through our scrubbing provider
- Authenticate your identity and secure your account
- Respond to your support requests
- Comply with applicable legal obligations
4. How We Do NOT Use Your Information
We Do Not Sell Your Data. SecurityIndeed does not sell, rent, lease, trade, or otherwise disclose your personal information to third parties for monetary or other valuable consideration. We have never sold personal information. We will never sell personal information. This applies to all users, regardless of location.
Additionally, we do not:
- Use your data for advertising, ad targeting, or marketing profiling
- Share your data with advertisers or data brokers
- Use your email address for unsolicited marketing without your explicit opt-in consent
- Mine, analyze, or aggregate your data for purposes unrelated to providing the Service
- Train machine learning models on your personal data on our servers
- Create behavioral profiles or track you across services
- Share your data with law enforcement or government agencies unless required by valid legal process
5. Third-Party Services
5.1 Account & Detection
The web dashboard integrates with Have I Been Pwned (HIBP) for checking if your email appears in known data breaches (privacy policy), and a vendor-agnostic data scrubbing provider for automated removal of your personal data from data broker websites.
5.2 Subscription Billing
If you purchase a subscription inside the mobile app, the transaction is handled by the operating system's billing system — Apple In-App Purchase on iOS (Apple privacy policy) and Google Play Billing on Android (Google privacy policy). We use RevenueCat (privacy policy) to validate purchase receipts, manage entitlements, and notify our server when your subscription state changes. RevenueCat receives an anonymous user identifier and the purchase metadata returned by Apple or Google (product ID, period, transaction ID); it does not receive your email, name, or scan content. You can cancel any subscription at any time from Settings → Account inside the app, which deep-links to the platform's subscription management screen (Apple: Settings → [Your Name] → Subscriptions; Google: Play Store → Profile → Payments & subscriptions). If you purchase a Family plan, the invitations you send (an email address and a single-use token) are stored only to grant access to the invited members; invited members' personal data is not shared with you, and they remain separately covered by this Privacy Policy.
5.3 Optional Cloud Assistant Fallback
The Maggie voice assistant runs entirely on-device by default. v1.1.0 adds an explicit, off-by-default toggle (Settings → Maggie → "Use cloud explanations") that, when you turn it on, routes the de-identified summary of a specific scan you choose to explain to Google Vertex AI (privacy notice) to generate a longer-form explanation. We never enable this toggle for you. When enabled, only the text you specifically ask Maggie to explain is sent — never your message inbox, scan history, contacts, or device identifiers — and the request is processed in Google's standard no-training, no-logging-for-product-improvement configuration. Turn the toggle off at any time and all subsequent explanations revert to on-device generation.
5.4 What We Do NOT Use
We do not integrate any advertising networks, social media trackers, social login providers, behavioral analytics services, attribution SDKs, or similar third-party tracking technologies in any part of the Service.
6. Data Retention
6.1 Mobile App
Scan history and detection results stored on your device are automatically deleted after 90 days by the app. You may also manually clear all data at any time from Settings. Since this data never leaves your device, deletion is immediate, permanent, and irreversible.
6.2 Web Dashboard
Your account data, breach results, and removal request history are retained for as long as your account is active. Upon receiving a deletion request, we will remove all personal data from active systems within 30 days; backup copies will be purged within 90 days.
7. Data Security
We implement administrative, technical, and physical security measures including:
- Encryption at rest: AES-256 via Google Cloud KMS envelope encryption for PII columns
- Encryption in transit: TLS 1.2 or higher for all web traffic
- Password security: Argon2id hashing, never plaintext
- On-device processing: Message content never reaches any server
- Minimal data collection: Only what is strictly necessary to provide the Service
- Access controls: Principle of least privilege on all service accounts; audit logging on Secret Manager access
8. Your Rights
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have rights under GDPR including access, rectification, erasure, portability, and the right to lodge a complaint with your local supervisory authority. California residents have rights under CCPA/CPRA including the right to know, delete, correct, and non-discrimination. We do not sell or share personal information as defined by any U.S. state privacy law. To exercise any of these rights, contact support@securityindeed.org.
9. Children's Privacy
The Service is not directed to children under the age of 13 (or 16 in the EEA/UK/Switzerland). We do not knowingly collect personal information from children under these ages.
10. Data Breach Notification
In the unlikely event that a security breach affects your personal data, we commit to notifying affected users by email within 72 hours of becoming aware of the breach, and to the relevant supervisory authority where required by law. Because the mobile app stores all data exclusively on your device and never transmits data to our servers, a breach of our infrastructure cannot expose your mobile app data.
11. Do Not Track
The Service does not track you. We do not use cookies, web beacons, pixel tags, or similar tracking technologies in the mobile app. The web dashboard uses only essential session cookies required for authentication.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email (if you have a web dashboard account) and by prominent notice within the Service, at least 30 days before the changes take effect.
13. Contact Us
If you have questions about this Privacy Policy, wish to exercise any of your data rights, or have concerns about how your information is handled, please contact us at support@securityindeed.org. SecurityIndeed is operated by Reddy LLC, a limited liability company registered in the State of Minnesota, United States.