Privacy Policy

Last updated: February 2026

Student project notice: TextDefender is a university project designed to analyse message text and estimate whether it resembles a scam while also providing resources to prevent becoming a victim of scams.
This system is operated for educational and academic purposes and is not a commercial service.
Please do not submit sensitive personal data (e.g., bank details, passwords, one-time codes, or medical information).
1. Data Controller

TextDefender is operated as part of a university academic project. For any requests, contact the project owner/administrator via textdefendersupport@protonmail.com.

2. What data we process
  • Account data (if logged-in): email address, password hash, account creation time, and admin flag (if applicable).
  • Message submissions: message text entered by the user, timestamps, and automated analysis outputs (label + confidence score).
  • Optional sender info: phone number submitted for checking and associated validation/fraud data returned by external providers.
  • URL checks: links detected within submitted messages and reputation/indicator results from URL-checking services.
  • Training data (optional): submissions explicitly opted into model improvement storage, including feedback labels provided by users.
  • Usage metrics: limited system event data used to evaluate reliability and prevent misuse.
  • Session data (cookies): essential session cookies used to maintain login state and temporary application functionality.
3. Why we process it
  • To provide scam detection analysis and display user history.
  • To perform optional URL and phone verification checks.
  • To operate community reporting features.
  • To improve the system in the future where users explicitly opt into training storage.
  • To maintain reliability and abuse prevention.
4. Legal basis (GDPR)
  • Contract / service delivery: where processing is required to provide analysis and related features requested by the user.
  • Consent: where users explicitly opt into training storage or feedback collection.
  • Legitimate interests: limited monitoring and security-related processing necessary to maintain system reliability and prevent abuse.

As this is an academic project, a formal documented Legitimate Interests Assessment (LIA) has not been conducted. Any data processing is pertinent and proportionate to academic requirements.

5. Sharing & third parties

When optional verification features are used, limited data may be transmitted to third-party services:

  • Google Safe Browsing – URL reputation checks.
  • IPQualityScore (IPQS) – phone number validation and fraud scoring.
  • NumVerify – phone validation (if configured).

Only the minimum data required to perform the check (e.g., the submitted URL or phone number) is transmitted. We do not sell personal data.

6. Retention
Data type How long we keep it
Account data Until you or an administrator deletes your account.
Submissions & history Until you or an administrator deletes the submission(s) or account.
Training data (opt-in) Until deleted by you or an administrator.
Usage metrics As long as submissions are stored. Once a submission is deleted, the relevant usage metrics are deleted.
Session cookies Expire automatically and are cleared on logout.
7. Your rights

Under GDPR you may have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data (Art. 17)
  • Restrict processing (Art. 18)
  • Object to processing (Art. 21)
  • Data portability (Art. 20)

Within this academic system:

  • You can delete your own submissions, training entries, and account from within the application.
  • You may request a copy of your stored data by contacting the project administrator at textdefendersupport@protonmail.com.
  • An automated structured data export feature is not currently implemented.
  • Formal restriction-of-processing mechanisms beyond deletion or opt-out are not implemented.

Rights are implemented proportionately to the academic and non-commercial scope of this project.

8. Security
  • Passwords are stored using hashing mechanisms (not plaintext).
  • Database credentials and API keys are managed using environment-based configuration in production.
  • Administrative functionality is role-restricted.

While reasonable safeguards are implemented, no internet-based system can guarantee absolute security.

9. Automated analysis

TextDefender uses a machine learning model to generate an informational scam-likelihood estimate. This does not constitute automated decision-making with legal or similarly significant effects under Article 22 GDPR. Users should independently verify suspicious messages.

10. Children

This service is not intended for individuals under 16 years of age. We do not knowingly collect children’s data.

11. Changes to this policy

This policy may be updated to reflect changes in the system or regulatory requirements. The most recent version will always be available on this page.