Privacy you can understand

We collect only what we need to keep you protected.

1. Introduction and Scope

  • Data Controller: Andreas Thun, Sweden.
  • This Privacy Policy describes how Vorasense processes personal data under the EU General Data Protection Regulation (GDPR) and Swedish data protection laws.
  • For privacy inquiries, contact the Swedish Data Protection Authority (IMY) at imy.se.
  • We collect and process personal data only to deliver Vorasense and comply with legal obligations.

2. Data We Collect

  • Account Data: Account Data: Email address, name, and profile information from the identity provider you use to sign in.
  • Device Data: Device Data: Device ID, app or extension version, platform type, browser type where relevant, and last activity.
  • Usage Data: Usage Data: Number of analyses performed, quota usage, feature usage patterns.
  • Technical Data: Technical Data: IP address, user agent, timestamps, error logs.
  • Chat Data: Chat Data: Incoming chat fragments needed for analysis. Recent conversations and analysis results may be cached locally in your browser until the extension is removed. For the Android app, incoming message text is stored locally on the device (up to 500 messages per conversation) for conversation history review.

3. Legal Basis for Processing

  • Contract (GDPR Art. 6.1.b): We process data necessary to deliver the Service and manage your subscription.
  • Legitimate Interest (GDPR Art. 6.1.f): We process data for security, fraud prevention, and service improvement.
  • Legal Compliance (GDPR Art. 6.1.c): We process data as required by law (e.g., accounting records).

4. How We Use Data

  • Deliver fraud detection analysis on your incoming messages.
  • Manage your account, authentication, and subscription.
  • Process billing through Paddle and generate invoices for accounting purposes.
  • Detect fraud, prevent abuse, and secure the Service.
  • Comply with legal and regulatory obligations.
  • Respond to support requests and troubleshoot issues.

5. Processing Architecture

  • Local Processing: Local (Your Browser): Message extraction, recent-conversation caching, and result rendering happen in your browser. Vorasense keeps recent conversations and risk results locally so you can review them later. For the Android app, message extraction and local pre-filtering happen on the device. Recent conversations and analysis results are stored locally in an encrypted database.
  • Server Storage: Server (Our API): Authentication tokens, subscription data, and audit logs are stored securely.
  • AI Processing: AI Processing: Incoming chat fragments may be sent through the Vorasense API to contracted AI processors for fraud analysis. The exact processor, region, and retention controls depend on the infrastructure selected by Vorasense for the relevant analysis route.
  • Encryption: All data in transit is sent over HTTPS/TLS. The Android app local message database is encrypted with SQLCipher, and security-sensitive local preferences use encrypted storage.

6. Data Retention

  • Session Tokens: Session tokens: 15 minutes (short-lived). Auth tokens: 30 days maximum.
  • Local Cache: Local cache on your device: The browser extension keeps recent conversations locally. The Android app keeps up to 500 messages per conversation in an encrypted local database. Local data can be cleared in the app and is removed when the app or extension is uninstalled.
  • Audit Logs: Server audit logs: 7 years (for legal/accounting compliance).
  • AI Analysis: AI Processing and Server Retention: Vorasense aims not to retain full chat content on its own servers after a request completes, except where temporary logging or troubleshooting is required. The service does retain usage metrics and analysis metadata such as category, score, confidence, and red flags. Contracted AI processors may apply their own documented retention settings.
  • Account Data: Account data: Retained until you request deletion or close your account.

7. Third Parties and Data Sharing

We share your data only as necessary to deliver the Service:

See the current subprocessor page

  • Contracted AI processors: Receive chat fragments for fraud analysis when analysis is required.
  • Paddle: Receives billing and account data for payment processing.
  • Identity providers you choose for sign-in: Receive auth requests needed to verify your identity.
  • Cloudflare Turnstile: Processes limited anti-abuse metadata when public forms are protected from spam and automated attempts.
  • Email and push providers: May process email addresses, delivery metadata, FCM/APNS tokens, and synthetic test notifications when service emails, proof-of-life, or Android test notifications are sent.
  • We do NOT sell your data to third parties.
  • We do NOT share your data with advertisers or marketing partners.
  • We may disclose data if required by law or court order.

8. International Data Transfers

  • Vorasense aims to keep primary service data in the European Union where practical, but some processing may involve infrastructure outside the EU/EEA depending on the provider path and regional configuration in use.
  • Chat analysis may involve processing outside the EU/EEA depending on the AI provider, endpoint, and regional setup used for the relevant analysis route.
  • Transfers outside the EU are protected by Standard Contractual Clauses (SCC) approved by the European Commission.
  • Where processing involves providers outside the EU/EEA, Vorasense relies on contractual, technical, and organizational safeguards appropriate to the provider relationship.

9. Automated Decision-Making

  • Vorasense uses automated AI scoring to assess message risk on a 0-100 scale.
  • AI scoring is advisory. Optional protection features, such as browser lock prompts, may interrupt high-risk flows when enabled; the AI score does not suspend accounts or make legal decisions.
  • You can see the AI risk score and explanation for any message.
  • If you believe an analysis result is incorrect or have questions about automated analysis, contact support to request review. Requests are handled through our support and data-rights process.
  • You may object to processing based on legitimate interests and may contact us with questions about automated analysis under GDPR.

10. Your GDPR Rights

  • Right of Access (Art. 15): You can request a copy of server-side personal data we hold about you. Local Android and browser data is handled on each device.
  • Right to Rectification (Art. 16): You can correct inaccurate data.
  • Right to Erasure (Art. 17): You can request deletion of server-side personal data, subject to local-device limits and legal retention requirements.
  • Right to Restriction (Art. 18): You can limit how we process your data.
  • Right to Data Portability (Art. 20): You can receive your data in a portable format.
  • Right to Object (Art. 21): You can object to processing based on legitimate interest.
  • Right to Withdraw Consent: You can withdraw consent at any time (does not affect past processing).
  • To exercise these rights, contact [email protected].

11. Data Security

  • Browser: API keys, linked-device credentials, and auth tokens are encrypted with AES-256-GCM before local storage. Chat cache and analysis history are stored locally in the browser.
  • Server: Communication uses HTTPS/TLS. Server access is restricted through authentication, role controls, logging, and infrastructure protections for data at rest.
  • Auth tokens use SHA-256 hashing and are time-limited.
  • Rate limiting protects against unauthorized access and brute-force attacks.
  • All communication uses HTTPS with modern SSL/TLS standards.
  • Access to databases is restricted and logged.
  • Personal-data incidents are handled under our incident runbook. If an incident must be notified, we notify IMY without undue delay and, where feasible, within 72 hours after becoming aware of it. If the incident is likely to create high risk, we inform affected data subjects without undue delay.

12. Children's Privacy

  • Vorasense is intended for users 16 years and older.
  • We do not knowingly collect data from children under 16.
  • If we discover we have collected data from a child, we will delete it immediately.
  • Parents or guardians who believe their child's data was collected may contact support.

13. Cookies and Tracking

  • No cookies in the browser extension. The extension uses local storage only.
  • The Vorasense website uses session-only cookies for authentication.
  • We do not use Google Analytics or third-party analytics tracking.
  • We do not use any advertising or retargeting pixels.
  • No persistent tracking across websites.
  • The Android app does not use cookies. All data is stored locally in an encrypted database on the device.

14. Policy Changes

  • Material changes to this Privacy Policy will be notified 30 days in advance via email.
  • Your continued use of Vorasense after changes constitutes acceptance.
  • Previous versions of this policy are available upon request.

15. Contact and Complaints

  • Data Controller: Andreas Thun, Sweden.
  • For privacy questions: [email protected]
  • You have the right to lodge a complaint with the Swedish Data Protection Authority (IMY) at imy.se.
  • Complaints can also be filed with any EU data protection authority.

16. Android App — Additional Disclosures

  • Notification Access: The Vorasense Android app uses Android's NotificationListenerService to read incoming notifications from messaging apps (WhatsApp, Messenger, SMS, Telegram, and others). This permission is required for the app's core fraud detection functionality. The app only processes incoming messages — it does not read, modify, or send messages on your behalf.
  • Local Message Storage: Message text extracted from notifications is stored locally on your device in an encrypted database. Up to 500 messages are retained per conversation, with older messages automatically pruned. This local storage enables conversation history review and improved analysis accuracy. When analysis is needed, relevant message content may also be sent through the Vorasense API for fraud analysis.
  • AI Analysis: Message content may be sent to contracted AI processors through the Vorasense platform API for fraud detection. Depending on the protection mode, some messages may be filtered, delayed, or escalated locally before server-side analysis. Provider retention and training controls depend on the selected production infrastructure and its documented settings.
  • No Advertising: The Android app contains no advertisements, no advertising SDKs, and no tracking pixels.
  • No Data Selling: We do not sell, trade, or share your notification data or message content with any third party for marketing, analytics, or any purpose other than fraud detection.
  • Trusted Contacts: You can mark contacts as trusted (whitelisted). When active and the contact can be identified, the whitelist is used to exclude trusted-contact notifications from automatic analysis. Notifications may still be read and messages may still be stored locally in the encrypted history. The whitelist is stored locally on your device.
  • Data Removal: All locally stored data (messages, analysis results, preferences, whitelist) is deleted when you uninstall the app. Server-side account, device, billing, security, and analysis metadata follow the retention periods described in this policy.

17. Google Play Data Safety

  • Data Collected: Data collected: Notification content (for fraud detection), device identifier (for licensing).
  • Data Shared: Data shared: Message content is sent to AI analysis provider for fraud detection only. No data is shared for advertising, marketing, or analytics.
  • Data Security: Data security: Data is sent over HTTPS. Local message history is stored in an encrypted database, and security-sensitive preferences use encrypted storage.
  • Data Deletion: Data deletion: The app can clear local conversation history. Uninstalling the app removes all local data. Contact [email protected] for server-side data deletion.
Back to home