What we collect
We collect the minimum data necessary to provide fraud detection services:
- Account data: Name, email address, phone number, company name, and GSTIN (if provided) for account creation and GST invoicing.
- Gmail metadata: Email sender addresses, subject lines, header fields, and attachment file names. Never email body text or attachment contents.
- Threat detection output: Detected threat categories, confidence scores, IOC URLs and timestamps, stored per customer in an encrypted database.
- Usage data: Login events, dashboard actions, and feature usage for product improvement (anonymised).
Email data handling
This is our most important commitment. We connect to Gmail via secure sign-in using the minimum required scopes. We use the Gmail History API for incremental sync: we only see what has changed since the last scan, not your full inbox history.
Email metadata is processed by our Detection Engine v2 in memory only. It is never written to disk, logged, or transmitted outside the classification pipeline. The result (threat category + confidence score) is stored. The input metadata is discarded after classification.
We hold the following Google API scopes: gmail.readonly and gmail.metadata only.
How we use data
- To provide real-time fraud detection and threat alerts
- To generate GST-compliant invoices for paid accounts
- To improve our ML models (using anonymised, aggregated threat patterns, never personal data)
- To send transactional emails (alerts, invoices, account notifications)
- We never sell, share, or license your data to third parties
Storage & data residency
All production data is stored on Azure Central India (Mumbai). We do not transfer personal data outside India except where explicitly required for transactional email delivery (our email service, which is GDPR compliant).
Your rights under DPDP Act 2023
Under India's Digital Personal Data Protection Act 2023, you have the right to:
- Access: Request a copy of all personal data we hold about you
- Correction: Correct inaccurate personal data
- Erasure: Request deletion of your account and all associated data
- Nomination: Nominate a person to exercise your rights in case of death or incapacity
- Grievance: File a complaint with our Data Protection Officer
To exercise these rights, email darshil@scamshieldai.in or use the deletion request feature in your dashboard settings.
Retention periods
Account data is retained for the duration of your subscription plus 90 days after cancellation. Threat detection records are retained for 12 months. Audit logs are retained for 24 months for security purposes. You may request earlier deletion via the DPO contact below.
Contact our Data Protection Officer
Darshil Thummar, Co-Founder & CTO
ScamShield AI Pvt Ltd, Ahmedabad, Gujarat
Email: privacy@scamshieldai.in