Privacy Policy
Effective Date: April 4, 2026
What information we collect
We collect information only when you give it to us, and only what we need to provide ScamDrill.
From the waitlist:
- Your email address (that's it)
From active accounts (once you sign up):
- Guardian information: Name, email, phone number, password (never stored in plaintext), billing information (handled by Stripe, not us)
- Learner information: Name, email or phone number (depending on simulation method), age group, optional notes you add
- Interaction data: Which simulations were sent, when they were sent, whether the learner clicked or reported it, timestamps
We don't ask for social security numbers, government IDs, or other sensitive personal identifiers. We keep it minimal.
How we use your information
We use your data for exactly what you'd expect:
- To send simulations: We need your or your learner's email/phone to deliver scam drills
- To track progress: We record which simulations you've received and how you responded so we can show you your progress dashboard
- To improve the service: We analyze which scam types are most effective for different age groups so we can keep our simulations current and relevant
- To send account notifications: Password resets, billing reminders, important security updates—things you need to know
- To provide customer support: If you contact us, we use your information to help you
That's it. We don't use your data to build profiles, sell to advertisers, or track you across the internet.
What we don't do
- Never sell your data to third parties or advertisers
- Never share learner data with advertising networks, data brokers, or marketing companies
- Never use real scam payloads in our simulations—all our content is created specifically for training purposes
- Never track you across other websites using cookies or pixels
- Never sell your contact information to spammers or telemarketers
Data storage and security
Your data is encrypted at rest (when it's stored) and in transit (when it's being sent). We use TLS encryption for all connections.
We host our data on US-based servers through Supabase (for backend data) and Vercel (for the app itself). Both use industry-standard security practices including regular security audits, encrypted backups, and firewalls.
Access to your data is limited to authorized ScamDrill team members who need it to operate the service. Apart from the service providers named in this policy (Supabase, Vercel, and Stripe), which handle data only to run the service for us, we don't grant access to contractors, consultants, or third parties unless required by law.
If we experience a data breach, we'll notify you within 30 days and explain what happened and what we're doing about it.
Special care for learner data
Learners—especially elderly adults and minors—deserve extra protection, and we take that seriously.
We only collect learner data with explicit consent. For guardians managing learners under 13, we require parental consent before collecting any information. For older learners, we require the learner's own consent.
Learners (or their guardians) can request that their data be deleted at any time. We'll remove all personal information within 30 days, though we may keep aggregated, non-identifying data to improve our scam templates.
Learner data is never used for purposes other than training and progress tracking. It's never shared with third parties, sold, or used for marketing.
Your privacy rights
You have the right to:
- Access your data: Request a copy of all the information we have about you
- Correct your data: Update or fix any information that's inaccurate
- Delete your data: Request that we erase your account and all associated information
- Opt out: Stop receiving simulations or unsubscribe from emails at any time with a single click
- Export your data: Download your information in a common format (CSV or JSON)
- Object to processing: Tell us you don't want your data used for a specific purpose
To exercise any of these rights, email privacy@scamdrill.com and we'll respond within 30 days.
CCPA and GDPR compliance
If you're in California: You have rights under the California Consumer Privacy Act (CCPA). We honor your rights to know what we collect, to have it deleted, and to opt out of data sales (which we don't make). You can submit a request to privacy@scamdrill.com.
If you're in the EU or UK: We comply with the General Data Protection Regulation (GDPR) and UK Data Protection Act 2018. This includes your rights to access, correct, delete, and port your data. Our legal basis for processing your data is your consent (which you can withdraw) and our legitimate interest in providing the service.
We don't transfer data outside the US without your consent, except where required by law.
Changes to this policy
We may update this policy as our service grows or regulations change. When we make material changes, we'll notify you by email at least 30 days before they take effect. Your continued use of ScamDrill after the update means you accept the new terms.
Contact us
Have questions about your privacy? We're here to help.
- Privacy concerns: privacy@scamdrill.com
- Data requests (CCPA/GDPR): privacy@scamdrill.com
- General inquiries: hello@scamdrill.com