Privacy Policy

Seclum is operated by Angstroma, Inc. (“Seclum,” “we,” “us”). We built Seclum because the consumer-security market has a credibility problem. This page is the literal accountability for the promises on our home page.

1. The short version

• We never persist the raw URL, SMS, or email body you check.
• The input is hashed (SHA-256) at the network edge before it reaches our servers.
• Anthropic, our AI provider, does not train on API customer data. Inputs are subject to Anthropic's standard API terms, which provide for short-term retention for safety/abuse review and then deletion. We do not currently hold a zero-retention contract with Anthropic.
• You can export everything we know about you, or delete your account, from settings — no email required.
• We do not sell, rent, or trade your data. We use no advertising or cross-site trackers on this site or in our extension. For product analytics on this site only we use PostHog through a first-party reverse proxy; the extension uses none.

2. Who we are

Data controller: Angstroma, Inc., a Delaware C-corporation operating the Seclum brand. Mailing address: c/o Stripe Atlas registered agent, Wilmington, Delaware, USA. Reach us at privacy@seclum.com.

3. What we collect

Account data

• Email address (via Clerk, our identity provider)
• Authentication factors you set up (password, MFA tokens — Clerk holds these, never us)
• Tenant ID and plan

Check data

• SHA-256 hash of the URL or message you check (NOT the raw input)
• Input type (url / sms / email-text)
• Length of input (a number, not the content)
• The verdict (safe / suspicious / scam / unknown), confidence score, and the reasoning summary the AI generated
• Timestamp and whether the result came from cache

The reasoning summary may quote signal-bearing fragments of your input— for example, “the URL contains ‘paypa1’ instead of ‘paypal’.” That is the product. The full original input is never stored.

Billing data (if you buy credits)

• Email and country (for tax compliance)
• Purchase records (which credit pack, when, how many credits granted)
• We never see your card number — Stripe handles all card data on its PCI-DSS Level 1 infrastructure.

Operational telemetry

• IP address, hashed with a 7-day rotating salt, kept only for abuse mitigation
• Browser user-agent family (e.g., “Chrome desktop”) — not the full string
• Error stack traces (Sentry, server-side only — the extension contains no Sentry SDK)
• Aggregate usage events (PostHog, first-party reverse-proxied — no cross-site tracking)

4. What we never collect or store

• The raw URL, SMS body, or email body that you submit for a check
• Your IP address tied to your account identity (we hash it, with salt rotation)
• Browser fingerprinting data, behavioral profiles, or cross-site activity
• Anything from our browser extension beyond what you explicitly choose to check

5. Why we process what we do (lawful basis under GDPR)

• Article 6(1)(b) contract — for paid-tier check generation and credit-pack purchases
• Article 6(1)(a) consent — for free-tier signup, AI analysis of your submitted content
• Article 6(1)(f) legitimate interest — for fraud prevention, audit log retention, and abuse mitigation

6. How long we keep what we keep

• Verdict history (hash + verdict + reasoning summary): user-controlled in Settings — 30 days, 90 days, 1 year, or kept indefinitely. New accounts default to 90 days in line with GDPR Article 5(1)(e) storage-limitation. The retention cron sweeps daily.
• Hashed verdicts in the global cache: 7 days for “scam”, 24 hours for “safe”, 6 hours for “suspicious”, 1 hour for “unknown”
• Audit log of security-relevant events: up to 2 years across all accounts
• Account record: until you delete it, or 2 years of inactivity (whichever comes first)
• IP hash with rotating salt: 7 days
• Stripe billing records: retained by Stripe per their policy and applicable tax law (typically 7 years)

7. Who else processes your data (sub-processors)

We use the following service providers. Each has a Data Processing Agreement on file with us.

• Vercel — web app hosting (US, multi-region)
• Cloudflare — edge worker, WAF, Turnstile CAPTCHA, DNS
• Neon — Postgres database (US-East)
• Upstash — Redis for rate-limit counters and verdict-cache mirror
• Clerk — authentication (handles your password, MFA factors, sessions)
• Stripe — payments (handles all card data; we never see it)
• Anthropic — Claude API for the AI verdict (does not train on API customer data; transient retention per Anthropic's standard API terms)
• Resend — transactional email
• Sentry — server-side error tracking
• PostHog — product analytics, first-party reverse-proxied

8. Your rights

If you are in the EU, UK, EEA, Switzerland, California, or any jurisdiction with similar law:

• Access (GDPR Article 15 / CCPA right to know) — export everything we have about you in machine-readable JSON, from your account settings, in under 30 seconds.
• Erasure (Article 17 / CCPA right to delete) — delete your account from settings; we cascade-delete tenant rows and anonymize legitimate-interest audit entries within 30 days.
• Rectification (Article 16) — change your email or name from settings.
• Portability (Article 20) — same JSON export as access.
• Objection (Article 21) — stop using the product; no legitimate-interest processing continues post-erasure.
• Automated decision-making (Article 22) — our verdict is automated, but it is advisory. We do not take any action on you based on it.
• Do Not Sell or Share (CCPA / CPRA) — we do not sell or share your personal information for cross-context advertising. The toggle in settings is provided for transparency.
• Complaint — you may complain to your supervisory authority (e.g., your state attorney general, or the ICO in the UK, or your national DPA in the EU).

9. Children

Seclum is not directed to children under 13. We do not knowingly collect data from anyone under 13. If you believe we have, email privacy@seclum.com and we will delete it.

10. International transfers

Our infrastructure runs primarily in US-East. If you are outside the US, your data is transferred to and processed in the US under Standard Contractual Clauses (SCCs) with each sub-processor named above.

11. Security

All traffic is TLS-encrypted. Secrets at rest are stored in Vercel's encrypted environment variables. The audit log is immutable at the database layer (a Postgres trigger blocks updates and deletes outside of the retention rotation cron). We describe our threat model and mitigations in our internal Data Protection Impact Assessment, available on request to enterprise customers under NDA.

12. Breach notification

If we suffer a breach affecting your data, we will notify you and the relevant supervisory authority within 72 hours of discovery, per GDPR Article 33.

13. Changes to this policy

If we make material changes, we will email you at the address on your account and post a notice at the top of this page for at least 30 days. The “Last updated” date at the top reflects the most recent revision.

14. Contact

Privacy questions, GDPR / CCPA requests, or anything you want clarified: privacy@seclum.com.