Vorasense


Privacy you can understand

We collect only what we need to keep you protected.

1. Introduction and Scope

  • Data Controller: Andreas Thun, Sweden.
  • This Privacy Policy describes how Vorasense processes personal data under the EU General Data Protection Regulation (GDPR) and Swedish data protection laws.
  • For privacy inquiries, contact the Swedish Data Protection Authority (IMY) at imy.se.
  • We collect and process personal data only to deliver Vorasense and comply with legal obligations.

2. Data We Collect

  • Account Data: Email address, name, and profile information from the identity provider you use to sign in.
  • Device Data: Device ID, extension version, browser type, last activity.
  • Usage Data: Number of analyses performed, quota usage, feature usage patterns.
  • Technical Data: IP address, user agent, timestamps, error logs.
  • Chat Data: Incoming chat fragments needed for analysis. Recent conversations and analysis results may be cached locally in your browser until the extension is removed. For the Android app, incoming message text is stored locally on the device (up to 500 messages per conversation) for conversation history review.

3. Legal Basis for Processing

  • Contract (GDPR Art. 6.1.b): We process data necessary to deliver the Service and manage your subscription.
  • Legitimate Interest (GDPR Art. 6.1.f): We process data for security, fraud prevention, and service improvement.
  • Legal Compliance (GDPR Art. 6.1.c): We process data as required by law (e.g., accounting records).

4. How We Use Data

  • Deliver fraud detection analysis on your incoming messages.
  • Manage your account, authentication, and subscription.
  • Process billing through Paddle and generate invoices for accounting purposes.
  • Detect fraud, prevent abuse, and secure the Service.
  • Comply with legal and regulatory obligations.
  • Respond to support requests and troubleshoot issues.

5. Processing Architecture

  • Local Processing (Your Browser): Message extraction, recent-conversation caching, and result rendering happen in your browser. Vorasense keeps recent conversations and risk results locally so you can review them later. For the Android app, message extraction and local pre-filtering happen on the device. Recent conversations and analysis results are stored locally in an encrypted database.
  • Server Storage (Our API): Authentication tokens, subscription data, and audit logs are stored securely.
  • AI Processing: Incoming chat fragments may be sent through the Vorasense API to contracted AI processors for fraud analysis. The exact processor, region, and retention controls depend on the infrastructure selected by Vorasense for the relevant analysis route.
  • Encryption: All data in transit uses TLS 1.3 encryption. Server data is encrypted at rest using AES-256-GCM.

6. Data Retention

  • Session Tokens: 15 minutes (short-lived). Auth tokens: 30 days maximum.
  • Local Cache (on your device): Up to the most recent 100 conversations plus recent risk results. Cleared when the extension is uninstalled.
  • Server Audit Logs: 7 years (for legal/accounting compliance).
  • AI Processing and Server Retention: Vorasense aims not to retain full chat content on its own servers after a request completes, except where temporary logging or troubleshooting is required. The service does retain usage metrics and analysis metadata such as category, score, confidence, and red flags. Contracted AI processors may apply their own documented retention settings.
  • Account Data: Retained until you request deletion or close your account.

7. Third Parties and Data Sharing

We share your data only as necessary to deliver the Service:

See the current subprocessor page

  • Contracted AI processors: Receive chat fragments for fraud analysis when analysis is required.
  • Paddle: Receives billing and account data for payment processing.
  • Identity providers you choose for sign-in: Receive auth requests needed to verify your identity.
  • We do NOT sell your data to third parties.
  • We do NOT share your data with advertisers or marketing partners.
  • We may disclose data if required by law or court order.

8. International Data Transfers

  • Vorasense aims to keep primary service data in the European Union where practical, but some processing may involve infrastructure outside the EU/EEA depending on the provider path and regional configuration in use.
  • Chat analysis may involve processing outside the EU/EEA depending on the AI provider, endpoint, and regional setup used for the relevant analysis route.
  • Transfers outside the EU are protected by Standard Contractual Clauses (SCC) approved by the European Commission.
  • Where processing involves providers outside the EU/EEA, Vorasense relies on contractual, technical, and organizational safeguards appropriate to the provider relationship.

9. Automated Decision-Making

  • Vorasense uses automated AI scoring to assess message risk on a 0-100 scale.
  • AI scoring is advisory only. No automatic blocking or account suspension is triggered.
  • You can see the AI risk score and explanation for any message.
  • If you believe an analysis result is incorrect or have questions about automated analysis, contact support and we will review your request.
  • You may object to processing based on legitimate interests and may contact us with questions about automated analysis under GDPR.

10. Your GDPR Rights

  • Right of Access (Art. 15): You can request a copy of all data we hold about you.
  • Right to Rectification (Art. 16): You can correct inaccurate data.
  • Right to Erasure (Art. 17): You can request deletion of your data, subject to legal retention requirements.
  • Right to Restriction (Art. 18): You can limit how we process your data.
  • Right to Data Portability (Art. 20): You can receive your data in a portable format.
  • Right to Object (Art. 21): You can object to processing based on legitimate interest.
  • Right to Withdraw Consent: You can withdraw consent at any time (does not affect past processing).
  • To exercise these rights, contact [email protected].

11. Data Security

  • Browser: API keys, linked-device credentials, and auth tokens are encrypted with AES-256-GCM before local storage. Chat cache and analysis history are stored locally in the browser.
  • Server: Data is encrypted at rest and protected with TLS 1.3 in transit.
  • Auth tokens use SHA-256 hashing and are time-limited.
  • Rate limiting protects against unauthorized access and brute-force attacks.
  • All communication uses HTTPS with modern SSL/TLS standards.
  • Access to databases is restricted and logged.

12. Children's Privacy

  • Vorasense is intended for users 16 years and older.
  • We do not knowingly collect data from children under 16.
  • If we discover we have collected data from a child, we will delete it immediately.
  • Parents or guardians who believe their child's data was collected may contact support.

13. Cookies and Tracking

  • No cookies in the browser extension. The extension uses local storage only.
  • The Vorasense website uses session-only cookies for authentication.
  • We do not use Google Analytics or third-party analytics tracking.
  • We do not use any advertising or retargeting pixels.
  • No persistent tracking across websites.
  • The Android app does not use cookies. All data is stored locally in an encrypted database on the device.

14. Policy Changes

  • We will notify you of material changes to this Privacy Policy 30 days in advance via email.
  • Your continued use of Vorasense after changes constitutes acceptance.
  • Previous versions of this policy are available upon request.

15. Contact and Complaints

  • Data Controller: Andreas Thun, Sweden.
  • For privacy questions: [email protected]
  • You have the right to lodge a complaint with the Swedish Data Protection Authority (IMY) at imy.se.
  • Complaints can also be filed with any EU data protection authority.

16. Android App — Additional Disclosures

  • Notification Access: The Vorasense Android app uses Android's NotificationListenerService to read incoming notifications from messaging apps (WhatsApp, Messenger, SMS, Telegram, and others). This permission is required for the app's core fraud detection functionality. The app only processes incoming messages — it does not read, modify, or send messages on your behalf.
  • Local Message Storage: Message text extracted from notifications is stored locally on your device in an encrypted database. Up to 500 messages are retained per conversation, with older messages automatically pruned. This local storage enables conversation history review and improved analysis accuracy. When analysis is needed, relevant message content may also be sent through the Vorasense API for fraud analysis.
  • AI Analysis: Message content may be sent to contracted AI processors through the Vorasense platform API for fraud detection. Depending on the protection mode, some messages may be filtered, delayed, or escalated locally before server-side analysis. Provider retention and training controls depend on the selected production infrastructure and its documented settings.
  • No Advertising: The Android app contains no advertisements, no advertising SDKs, and no tracking pixels.
  • No Data Selling: We do not sell, trade, or share your notification data or message content with any third party for marketing, analytics, or any purpose other than fraud detection.
  • Trusted Contacts: You can mark contacts as trusted (whitelisted). Notifications from trusted contacts are not read, stored, or analyzed. The whitelist is stored locally on your device.
  • Data Removal: All locally stored data (messages, analysis results, preferences, whitelist) is deleted when you uninstall the app. Server-side account, device, billing, security, and analysis metadata follow the retention periods described in this policy.

17. Google Play Data Safety

  • Data Collected: Notification content (for fraud detection), device identifier (for licensing).
  • Data Shared: Message content is sent to the AI analysis provider for fraud detection only. No data is shared for advertising, marketing, or analytics.
  • Data Security: All data in transit uses HTTPS encryption. Local data is stored in an encrypted database. API keys are encrypted using Android Keystore.
  • Data Deletion: Uninstalling the app removes all local data. Contact [email protected] for server-side data deletion.