Privacy Policy

We believe privacy policies should be readable. Here's ours, in plain English.

Effective Date: May 7, 2026

What information we collect

We collect information only when you give it to us, and only what we need to provide ScamDrill.

From your account:

  • Guardian information: Name, email, phone number, password (encrypted), billing information (handled by Stripe, not us)
  • Learner information: Name, email or phone number (depending on simulation method), age group, optional notes you add
  • Interaction data: Which simulations were sent, when they were sent, whether the learner clicked or reported it, timestamps

We don't ask for social security numbers, government IDs, or other sensitive personal identifiers. We keep it minimal.

How we use your information

We use your data for exactly what you'd expect:

  • To send simulations: We need your or your learner's email/phone to deliver scam drills
  • To track progress: We record which simulations you've received and how you responded so we can show you your progress dashboard
  • To improve the service: We analyze which scam types are most effective for different age groups so we can keep our simulations current and relevant
  • To send account notifications: Password resets, billing reminders, important security updates—things you need to know
  • To provide customer support: If you contact us, we use your information to help you

That's it. We don't use your data to build profiles, sell to advertisers, or track you across the internet.

What we don't do

  • Never sell your data to third parties or advertisers
  • Never share learner data with advertising networks, data brokers, or marketing companies
  • Never use real scam payloads in our simulations—all our content is created specifically for training purposes
  • Never track you across other websites using cookies or pixels
  • Never sell your contact information to spammers or telemarketers

Data storage and security

Your data is encrypted at rest (when it's stored) and in transit (when it's being sent). We use TLS encryption for all connections.

We host our data on US-based servers through Supabase (for backend data) and Vercel (for the app itself). Both use industry-standard security practices including regular security audits, encrypted backups, and firewalls.

Access to your data is limited to authorized ScamDrill team members who need it to operate the service. We don't grant access to contractors, consultants, or third parties unless required by law.

If we experience a data breach, we'll notify you within 30 days and explain what happened and what we're doing about it.

Special care for learner data

Learners—especially elderly adults and minors—deserve extra protection, and we take that seriously.

We only collect learner data with explicit consent. For guardians managing learners under 13, we require parental consent before collecting any information. For older learners, we require the learner's own consent.

Learners (or their guardians) can request that their data be deleted at any time. We'll remove all personal information within 30 days, though we may keep aggregated, non-identifying data to improve our scam templates.

Learner data is never used for purposes other than training and progress tracking. It's never shared with third parties, sold, or used for marketing.

SMS messaging and mobile information

ScamDrill operates an opt-in SMS program ("ScamDrill SMS Scam-Simulation Training") that sends simulated phishing/smishing text messages for training purposes plus occasional service messages. This section explains how we handle the phone numbers and consent records associated with that program.

How we collect SMS opt-in information

A learner becomes enrolled in the SMS program only after completing an explicit, web-based opt-in. First, a ScamDrill account holder ("guardian") with a pre-existing personal relationship with the learner adds the learner's name and email address from the dashboard. ScamDrill then sends a single invitation email — never SMS — containing a tokenized link to our consent page. The learner clicks the email link, opens the consent page at app.scamdrill.com/onboard?token={token}, reads the program disclosures (sender, message types, frequency, "Msg & data rates may apply", STOP/HELP keywords, age confirmation, and links to these policies), and affirmatively checks three separate, unchecked-by-default boxes — age, terms/privacy, and explicit SMS consent — before submitting. ScamDrill never sends a text message to a phone number prior to this web-based opt-in. Training SMS are sent only after the explicit SMS-consent checkbox has been ticked and the consent record has been written.

What we record as proof of consent

For every SMS opt-in, we retain: the timestamp of consent, the IP address and user agent of the consenting browser, the version of the consent text the user agreed to, the per-checkbox state (each box recorded individually), and the phone number that consent applies to. We retain this record for as long as the phone number remains opted in and for a reasonable period after opt-out to demonstrate compliance with carrier and regulatory requirements. These records are made available to mobile carriers, The Campaign Registry (TCR), and other authorized parties on request.

How mobile information and SMS opt-in data are shared

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All categories of personal information described in this Privacy Policy exclude text-messaging originator opt-in data and consent; this information will not be shared with any third parties.

Phone numbers and SMS consent records are used solely to operate the SMS program described above — to deliver training and service messages to the consenting recipient, to honor STOP/HELP requests, and to maintain the audit log required by carriers and TCR. They are processed only by service providers strictly necessary to deliver the messages (currently Twilio Inc., our A2P 10DLC messaging carrier) under contractual confidentiality and data-protection terms, and are never sold, rented, or shared with advertisers, data brokers, marketing partners, or affiliates.

Opt-out and help

You can opt out of ScamDrill SMS at any time by replying STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, or QUIT to any ScamDrill text message. After STOP, you receive one final confirmation message and no further SMS of any kind are sent to that number. You can also opt out by emailing support@scamdrill.com or asking the guardian who enrolled you to switch your simulation channel to "Email only" or remove your number from their dashboard. Reply HELP or INFO to receive program contact details. Both STOP and HELP are free to send on all major US carriers.

Re-consent on contact-information changes

If a guardian later changes a learner's phone number, or enables SMS for a learner who originally opted in to email-only, our system automatically resets the learner to a pending-consent state, generates a fresh consent token, sends a new consent invitation, and clears the prior SMS-consent timestamp. SMS to that learner is blocked at the messaging-engine level until the new opt-in is completed.

Frequency and cost

SMS recipients receive up to 8 ScamDrill messages per month; frequency may vary based on the guardian's training plan. ScamDrill does not charge for SMS, but message and data rates from your wireless carrier may apply. Mobile carriers are not liable for delayed or undelivered messages.

Additional commercial terms governing the SMS program — including the program description, message frequency, support contact, and carrier disclaimer — are available in our Terms of Service, "SMS program terms" section.

Cookies

We use minimal cookies, and only ones that are essential for the service to work:

  • Session cookies: To keep you logged in
  • Preference cookies: To remember your timezone or language preference (optional)

We don't use cookies to track your behavior, serve you ads, or follow you across other websites. No Google Analytics. No Facebook Pixel. No advertising trackers.

Your privacy rights

You have the right to:

  • Access your data: Request a copy of all the information we have about you
  • Correct your data: Update or fix any information that's inaccurate
  • Delete your data: Request that we erase your account and all associated information
  • Opt out: Stop receiving simulations or unsubscribe from emails at any time with a single click
  • Export your data: Download your information in a common format (CSV or JSON)
  • Object to processing: Tell us you don't want your data used for a specific purpose

To exercise any of these rights, email privacy@scamdrill.com and we'll respond within 30 days.

Data deletion

You can request deletion of your ScamDrill account and all associated data — including your account record, learner profiles, simulation history, scam-check submissions, and any analytics derived from your use of the service — at any time.

If you can sign in: go to Settings, scroll to the "Danger Zone" section, and click "Delete My Account." The action is immediate and irreversible.

If you can't sign in: email privacy@scamdrill.com from the email address on your account. We'll verify your identity and complete the deletion within 30 days, and you'll receive an email confirmation when it's done.

What's retained: aggregated, non-identifying analytics (for example, monthly click-through rates summed across all users) may remain in our systems. These cannot be linked back to your account. Backups containing your data are purged within 90 days of deletion.

CCPA and GDPR compliance

If you're in California: You have rights under the California Consumer Privacy Act (CCPA). We comply with your right to know, delete, and opt out of data sales (which we don't do). You can submit a request to privacy@scamdrill.com.

If you're in the EU or UK: We comply with the General Data Protection Regulation (GDPR) and UK Data Protection Act 2018. This includes your rights to access, correct, delete, and port your data. Our legal basis for processing your data is your consent (which you can withdraw) and our legitimate interest in providing the service.

We don't transfer data outside the US without your consent, except where required by law.

Changes to this policy

We may update this policy as our service grows or regulations change. When we make material changes, we'll notify you by email at least 30 days before they take effect. Your continued use of ScamDrill after the update means you accept the new terms.

Contact us

Have questions about your privacy? We're here to help.

  • Privacy concerns: privacy@scamdrill.com
  • Data requests (CCPA/GDPR): privacy@scamdrill.com
  • General inquiries: hello@scamdrill.com