Privacy Policy

Effective Date: May 15, 2026 • Version 1.1

Chrome Extension — Personal & Sensitive User Data Practices

Chrome Web Store Disclosure: This section is provided in accordance with the Chrome Web Store Developer Program Policies and explicitly describes how the SIRDOZ Chrome extension collects, handles, stores, and shares personal and sensitive user data.

Data Collection

The SIRDOZ Chrome extension may access and collect the following personal and sensitive user data solely for the purpose of performing email security analysis:

Email content: Sender address and display name, subject line, email body (plain text and HTML), email headers (authentication records, routing data, timestamps), and URLs and links contained within the email
Gmail inbox data (Inbox Scan and Full Auto modes only): When you grant Gmail API access, the extension reads a list of recent inbox message IDs and retrieves the content of those messages for batch security scanning. This access is limited to reading messages; the extension never sends, deletes, or modifies emails.
OAuth tokens: A Gmail OAuth access token is stored locally in the extension's chrome.storage.local to maintain your Gmail API connection between sessions. This token is never transmitted to SIRDOZ servers; all Gmail API calls are made directly from your browser to Google.
Account credentials (login only): Your SIRDOZ email and password are transmitted over HTTPS to authenticate with the SIRDOZ service. Passwords are never stored in the extension; only a session token is retained in chrome.storage.local.

Data Handling

All email content accessed by the extension is transmitted over encrypted HTTPS connections to the SIRDOZ analysis API. The data is used exclusively to:

Perform real-time phishing, scam, and social engineering detection
Calculate a risk score and generate security recommendations
Match senders against your personal trusted contacts and verified domains lists
Check URLs against Google Web Risk for malicious link detection

Email content is never used for advertising, profiling, or any purpose unrelated to email security analysis. The extension does not perform any background processing, keylogging, screenshot capture, or monitoring of browsing activity outside of Gmail.

Data Storage

Extension local storage (chrome.storage.local): Stores your SIRDOZ session token, Gmail OAuth token (if connected), scan mode preference, reminder settings, and a local cache of recent scan results to avoid redundant API calls. This data remains on your device and is never synced to third parties.
SIRDOZ servers: Scan results (risk score, verdict, flagged indicators, and a reference copy of key email metadata) are stored in your SIRDOZ account for your Scan History. Complete raw email body content is not permanently stored unless explicitly saved. Temporary analysis data is purged within 24 hours.
Retention: Scan history is retained until you delete it or close your account. Session tokens expire upon logout or after a defined inactivity period. Gmail OAuth tokens are stored only in your browser's local extension storage and can be revoked at any time via your Google Account permissions.

Data Sharing

Personal and sensitive user data accessed by the extension is shared only as follows:

SIRDOZ analysis API: Email content is sent to our secure backend API for threat analysis. Our servers are operated on Railway cloud infrastructure.
Google Web Risk API: URLs extracted from emails are checked against Google's Web Risk service to detect malicious links. Only the URLs themselves are transmitted — no email body, sender details, or personal information.
OpenAI API: Email content is sent to OpenAI's GPT-4.1-mini model for AI-powered analysis. OpenAI's data handling is governed by OpenAI's API usage policies; data submitted via the API is not used to train OpenAI's models.
We do not sell, rent, or share personal data with advertisers, data brokers, or any third parties for purposes unrelated to email security analysis.

Google API Limited Use Disclosure

SIRDOZ's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

Gmail data is accessed solely to provide the email security scanning features described in this policy
Gmail data is not transferred to third parties except as necessary to provide the service (e.g., URL checks via Google Web Risk)
Gmail data is not used or transferred for serving advertisements
Gmail data is not used or transferred to determine creditworthiness or for lending purposes
Humans at SIRDOZ do not read your Gmail data unless you explicitly report an issue and provide consent for review

1. Introduction

This Privacy Policy ("Policy") governs the collection, use, storage, and disclosure of information by SIRDOZ ("Company," "we," "us," or "our") in connection with our email security scanning service (the "Service"), including our web application and Chrome browser extension (collectively, the "Platform"). By accessing or using our Service, you ("User," "you," or "your") acknowledge that you have read, understood, and agree to be bound by this Policy and our Terms of Service.

IF YOU DO NOT AGREE WITH THIS PRIVACY POLICY, YOU MUST NOT USE OUR SERVICE. Your continued use of the Service constitutes your acceptance of this Policy and any updates thereto.

Important Disclaimer: Our Service is provided for informational purposes only and does not constitute professional security advice. The Service is provided "AS IS" and "AS AVAILABLE" without any warranties of any kind. You are solely responsible for all decisions regarding email security and any actions you take based on our analysis.

2. Information We Collect

2.1 Email Content for Analysis

When you voluntarily submit an email for scanning or activate our Chrome extension within an open email, we temporarily process the following information for analysis purposes only:

Email sender address and display name
Email subject line
Email body content (text and HTML)
Email headers (including authentication data, routing information, timestamps)
Links and URLs contained within the email
Attachment metadata (file names, types, sizes we do not store actual attachment files)
Domain information associated with the sender

Important: Email content is processed in real-time for scanning purposes. We do not permanently store the complete email content unless explicitly saved by you as part of a scan result for your reference. Email content is never shared with third parties except as required to perform the security analysis (e.g., checking URL safety through Google Web Risk API).

2.2 User Account Information

When you create an account or use our Service, we collect and store:

Email address (for account creation and communication)
Password (encrypted and hashed)
Account creation date and last login timestamp
Usage statistics (number of scans performed, dates of scans)
User preferences and settings

2.3 User-Configured Data

You have the option to save certain information to enhance the Service's accuracy. This information is stored in your account and includes:

Trusted Contacts List: Email addresses and names of contacts you designate as trusted
Verified Domains List: Domain names you identify as legitimate and trusted
Scan Results History: Previous email scans you have performed, including the analysis results, risk scores, and flagged indicators. This may include portions of the scanned email content for your reference.
Custom Settings: Your preferences for notification thresholds, display options, and other customizations

2.4 Technical Information

We automatically collect certain technical information when you use our Service:

IP address
Browser type and version
Operating system
Device information
Chrome extension version (if applicable)
Access times and dates
Pages visited on our web application
Referring website addresses
Error logs and diagnostic information

2.5 Cookies and Tracking Technologies

We use cookies, web beacons, and similar tracking technologies to enhance user experience, maintain sessions, and analyze Service usage. You can control cookie settings through your browser, but disabling cookies may limit Service functionality.

3. How We Collect Information

3.1 Direct Collection

We collect information directly from you when you:

Create an account on our web application
Submit an email for manual scanning through our web interface
Activate our Chrome extension within an open email in your email client
Configure your trusted contacts or verified domains lists
Contact our support team
Update your account settings or preferences

3.2 Chrome Extension Data Access

User-Initiated Access Only: Our Chrome extension accesses email content ONLY when you explicitly activate the extension within an open email. The extension does not:

Automatically scan your inbox without your permission
Access emails you have not specifically chosen to scan
Read or monitor your emails in the background
Access your email account credentials or authentication tokens
Modify, delete, or send emails on your behalf
Access emails in other browser tabs or windows without explicit activation

Explicit User Control: You maintain complete control over what emails are scanned. Each scan requires your deliberate action to activate the extension or submit an email through our web application. The extension cannot and does not access your email inbox, folder structure, or any emails you have not explicitly selected for analysis.

3.3 Automatic Collection

We automatically collect technical information (as described in Section 2.4) through server logs, cookies, and analytics tools when you interact with our Service.

4. How We Use Your Information

We use the collected information for the following purposes:

Provide Security Analysis: To analyze emails for phishing, scams, malware, domain impersonation, and other security threats
Verify Domains and Senders: To check sender authenticity against your trusted contacts and verified domains lists
Generate Risk Assessments: To calculate risk scores and provide recommendations (deliver, flag, or quarantine)
Maintain Analysis History: To store your previous scan results for your reference and to improve analysis accuracy over time
Improve Our Service: To enhance detection algorithms, identify new threat patterns, and improve overall Service performance
Communicate With You: To send service-related notifications, respond to inquiries, and provide customer support
Ensure Security: To detect, prevent, and address technical issues, fraud, abuse, or security threats
Comply With Legal Obligations: To comply with applicable laws, regulations, legal processes, or governmental requests
Aggregate Analytics: To create anonymized, aggregate statistics about Service usage for internal business purposes

4.1 Third-Party API Services

To perform comprehensive security analysis, we may transmit limited email data (such as sender domains, URLs, and IP addresses) to third-party security API services including but not limited to:

Google Web Risk API (for malicious domain detection)
WhoisXML API (for domain registration verification)
Google Web Risk API (for URL safety checks)
Other security intelligence providers

Data Minimization: We only transmit the minimum necessary information to these services (e.g., domain names, URLs, IP addresses) and do not share complete email content, personal communications, or sensitive information with third-party APIs unless absolutely required for analysis.

5. Data Storage and Security

5.1 Data Security Measures

We implement reasonable administrative, technical, and physical security measures designed to protect your information from unauthorized access, disclosure, alteration, and destruction. These measures include:

Encryption of data in transit using SSL/TLS protocols
Encryption of sensitive data at rest
Secure password hashing using industry-standard algorithms
Regular security audits and vulnerability assessments
Access controls and authentication requirements
Secure cloud infrastructure with reputable service providers
Regular data backups and disaster recovery procedures

No Absolute Security: Despite our security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information. You acknowledge and accept the inherent risks of transmitting information over the Internet. We are not liable for any unauthorized access, hacking, data loss, or other security breaches beyond our reasonable control.

5.2 Data Storage Location

Your data is stored on secure servers provided by reputable cloud service providers. By using our Service, you consent to the transfer and storage of your information in the locations where our servers operate.

5.3 Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes outlined in this Policy:

Account Information: Retained for the duration of your account plus 30 days after account closure
Scan Results and History: Retained until you delete them or close your account, whichever comes first
Trusted Contacts and Verified Domains: Retained until you remove them or close your account
Email Content for Analysis: Processed in real-time and not permanently stored unless saved as part of scan results. Temporary processing data is deleted within 24 hours
Technical Logs: Retained for 90 days for security and diagnostic purposes
Backup Data: May persist in backup systems for up to 30 days after deletion from production systems

After retention periods expire, we will delete or anonymize your information unless required by law to retain it longer.

6. Information Sharing and Disclosure

6.1 We Do Not Sell Your Information

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

6.2 Service Providers

We may share your information with trusted third-party service providers who assist us in operating our Service, including:

Cloud hosting and infrastructure providers
Security API services (for threat intelligence and domain verification)
Payment processors (if applicable)
Analytics and monitoring services
Customer support tools
Email delivery services

These service providers are contractually obligated to use your information only as necessary to provide services to us and to protect your information consistent with this Policy.

6.3 Legal Requirements and Protection

We may disclose your information if required to do so by law or if we believe in good faith that such action is necessary to:

Comply with legal obligations, court orders, or governmental requests
Enforce our Terms of Service or other agreements
Protect and defend our rights, property, or safety
Protect the rights, property, or safety of our users or the public
Detect, prevent, or address fraud, security, or technical issues
Respond to claims that content violates third-party rights

6.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your information becomes subject to a different privacy policy.

6.5 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you. For example, we may publish statistics about phishing trends or threat patterns based on aggregate data from our Service.

7. Your Rights and Choices

7.1 Access and Correction

You have the right to access, review, and update your account information at any time through your account settings. You can also update your trusted contacts and verified domains lists at any time.

7.2 Data Deletion

You may delete specific scan results, trusted contacts, or verified domains from your account at any time. You may also request complete account deletion, which will result in the permanent removal of your account and associated data, subject to our data retention policies and legal obligations.

To request account deletion, use the Delete Account feature in your account settings or contact us at info@sirdoz.com. Account deletion is typically processed within 14 business days.

7.3 Data Portability

You may request a copy of your personal information in a structured, commonly used, and machine-readable format. Contact us at info@sirdoz.com to submit a data portability request.

7.4 Marketing Communications

You may opt out of receiving promotional emails from us by following the unsubscribe instructions in those emails. Note that you cannot opt out of service-related communications necessary to provide the Service (e.g., security alerts, account notifications).

7.5 Cookie Controls

You can control cookies through your browser settings. Please note that disabling cookies may affect Service functionality.

7.6 Chrome Extension Permissions

You can disable or uninstall our Chrome extension at any time through your browser's extension management interface. Disabling the extension will prevent email scanning but will not affect your web application access or account data.

8. Children's Privacy

Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.

9. International Users

If you are accessing our Service from outside the country where our servers are located, please be aware that your information may be transferred to, stored, and processed in countries where our servers operate. Data protection laws may differ from those in your country of residence.

By using our Service, you consent to the transfer of your information and to the processing of your information in accordance with this Policy.

9.1 European Union Users

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have certain rights under the General Data Protection Regulation (GDPR) and equivalent laws, including:

Right to access your personal data
Right to rectification of inaccurate personal data
Right to erasure ("right to be forgotten") under certain circumstances
Right to restriction of processing under certain circumstances
Right to data portability
Right to object to processing based on legitimate interests
Right to withdraw consent at any time (where processing is based on consent)
Right to lodge a complaint with a supervisory authority

To exercise these rights, please contact us at info@sirdoz.com. We will respond to your request within the timeframes required by applicable law.

9.2 California Residents

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

Right to know what personal information is collected, used, shared, or sold
Right to delete personal information held by businesses (subject to exceptions)
Right to opt-out of the sale of personal information (Note: We do not sell personal information)
Right to non-discrimination for exercising your CCPA rights

To exercise these rights, contact us at info@sirdoz.com. We will verify your identity before processing requests.

10. Limitation of Liability and Disclaimers

Important Please Read Carefully:

No Warranty: The Service is provided "as is" and "as available" without warranties of any kind, express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, or accuracy. We do not warrant that the Service will be uninterrupted, error-free, secure, or free from viruses or other harmful components.

No Guarantee of Accuracy: We do not guarantee that our analysis, risk scores, or recommendations are accurate, complete, or reliable. Email security threats are constantly evolving, and no automated system can detect all threats with 100% accuracy. You acknowledge that our Service may produce false positives (legitimate emails flagged as threats) and false negatives (malicious emails not detected).

Not Professional Advice: Our Service is for informational purposes only and does not constitute professional security, legal, or financial advice. You should not rely solely on our Service for critical security decisions. You are solely responsible for evaluating the security of your emails and taking appropriate actions.

User Responsibility: You are solely responsible for all decisions made based on our Service's analysis. You acknowledge that you will use your own judgment and discretion when determining whether to trust, open, or respond to any email. We are not responsible for any consequences arising from your reliance on our analysis.

No Liability for Damages: To the maximum extent permitted by applicable law, we shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits, revenue, data, or use, arising out of or in connection with the Service, whether based on warranty, contract, tort (including negligence), statute, or any other legal theory, even if we have been advised of the possibility of such damages.

Limitation of Liability: In no event shall our total liability to you for all damages, losses, or causes of action exceed the amount paid by you, if any, for accessing the Service during the twelve (12) months preceding the claim, or $100, whichever is less.

No Liability for Security Breaches: We are not liable for any unauthorized access to your account, data breaches, hacking, or security incidents beyond our reasonable control. You acknowledge that use of the Internet and electronic communications involves inherent security risks.

No Liability for Third-Party Content: We are not responsible or liable for any content, accuracy, or reliability of emails analyzed through our Service or for any third-party websites, services, or content linked from emails.

Force Majeure: We shall not be liable for any failure or delay in performance due to circumstances beyond our reasonable control, including but not limited to acts of God, war, terrorism, riots, embargoes, acts of civil or military authorities, fire, floods, accidents, pandemics, network infrastructure failures, strikes, or fuel shortages.

Indemnification: You agree to indemnify, defend, and hold harmless the Company, its officers, directors, employees, agents, licensors, and suppliers from and against all claims, losses, expenses, damages, and costs, including reasonable attorneys' fees, arising out of or relating to: (a) your use or misuse of the Service; (b) your violation of this Policy or Terms of Service; (c) your violation of any rights of another party; (d) your negligence or willful misconduct.

Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so the above limitations may not apply to you. In such jurisdictions, our liability shall be limited to the maximum extent permitted by law.

11. Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time. When we make changes, we will:

Update the "Effective Date" at the top of this Policy
Notify you via email (if you have provided an email address) for material changes
Display a prominent notice on our website or within the Service
Require your acceptance of the updated Policy before continued use (for significant changes)

Your continued use of the Service after any changes constitutes your acceptance of the revised Policy. If you do not agree with the changes, you must discontinue use of the Service and may delete your account.

We encourage you to review this Policy periodically to stay informed about how we protect your information.

12. Third-Party Links and Services

Our Service may contain links to third-party websites, services, or content (including links found within emails you scan). We are not responsible for the privacy practices, content, or security of these third-party sites. This Privacy Policy applies only to our Service. We encourage you to review the privacy policies of any third-party sites you visit.

Disclaimer: We do not endorse, verify, or guarantee the safety of any third-party websites or services. Clicking on links within analyzed emails is done at your own risk.

13. Data Breach Notification

In the event of a data breach that compromises your personal information, we will notify you as required by applicable law. Notification will be provided via email to the address associated with your account and/or through a prominent notice on our website. We will also notify relevant regulatory authorities as required by law.

While we implement security measures to protect your data, you acknowledge that no security system is impenetrable and that we cannot guarantee prevention of all security breaches. By using our Service, you accept this risk.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

SIRDOZ

Email: info@sirdoz.com

For requests related to your privacy rights (access, deletion, correction, data portability), please include "Privacy Rights Request" in your email subject line. We will respond to verified requests within the timeframes required by applicable law.

15. Acceptance of This Policy

By using our Service, you acknowledge that you have read this Privacy Policy, understand it, and agree to be bound by its terms. If you do not agree with this Policy, you must not use our Service.

Acknowledgment: You specifically acknowledge and agree that you have read and understood Section 10 (Limitation of Liability and Disclaimers) and that you accept all risks associated with using our Service, including but not limited to risks of inaccurate analysis, false positives, false negatives, data breaches, and any other risks inherent in email security services.

16. Entire Agreement

This Privacy Policy, together with our Terms of Service, constitutes the entire agreement between you and the Company regarding the collection, use, and disclosure of your information in connection with the Service. If there is any conflict between this Policy and our Terms of Service, the Terms of Service shall prevail.

17. Severability

If any provision of this Privacy Policy is found to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable.

18. Governing Law and Jurisdiction

This Privacy Policy shall be governed by and construed in accordance with applicable laws, without regard to conflict of law provisions. Any disputes arising out of or relating to this Policy shall be resolved exclusively in the appropriate courts of jurisdiction, and you consent to the personal jurisdiction of such courts.

19. Language

This Privacy Policy may be translated into other languages for your convenience. In the event of any discrepancy between the English version and any translated version, the English version shall prevail.

Last Updated: May 15, 2026

Back to SIRDOZ