Privacy Policy
Effective Date: May 15, 2026 · Last updated: June 19, 2026
What information we collect
We collect information only when you give it to us, and only what we need to provide ScamDrill.
From your account:
- Guardian information: Name, email, phone number, password (encrypted; only when you sign up with email and a password), social-login provider identifier (if you sign up with Google, Microsoft, or another supported provider), billing information (handled by Stripe, not us)
- Learner information: Name, email or phone number (depending on simulation method), age group, optional notes you add
- Interaction data: Which simulations were sent, when they were sent, whether the learner clicked or reported it, timestamps
If you sign up using a third-party identity provider (Google, Microsoft, etc.), we receive the basic profile information that provider passes us — typically your name and email address. We do not receive your password or any other account data from that provider. We confirm your agreement to these terms and your age on your first sign-in, before you can use the service.
We don't ask for social security numbers, government IDs, or other sensitive personal identifiers. We keep it minimal.
How we use your information
We use your data for exactly what you'd expect:
- To send simulations: We need your or your learner's email/phone to deliver scam drills
- To track progress: We record which simulations you've received and how you responded so we can show you your progress dashboard
- To improve the service: We analyze which scam types are most effective for different age groups so we can keep our simulations current and relevant
- To send account notifications: Password resets, billing reminders, important security updates—things you need to know
- To provide customer support: If you contact us, we use your information to help you
That's it for your account and learner data: we never use it to build advertising profiles, sell it, or hand it to advertisers. Our public website and app do use advertising and analytics cookies (Google and Meta) to measure our ad campaigns — that's covered in Cookies and advertising below, and you can turn it off in Your privacy choices.
What we don't do
- Never sell your account or learner data to data brokers, advertisers, or anyone else
- Never share learner data — contact details, progress, or how someone responded to a drill — with advertising networks, data brokers, or marketing companies
- Never use real scam payloads in our simulations—all our content is created specifically for training purposes
- Never use learner training activity for advertising—how a learner responds to a drill is never fed to ad networks or used to target ads
- Never sell your contact information to spammers or telemarketers
Data storage and security
Your data is encrypted at rest (when it's stored) and in transit (when it's being sent). We use TLS encryption for all connections.
We host our data on US-based servers through Supabase (for backend data) and Vercel (for the app itself). Both use industry-standard security practices including regular security audits, encrypted backups, and firewalls.
Access to your data is limited to authorized ScamDrill team members who need it to operate the service. We don't grant access to contractors, consultants, or third parties unless required by law.
If we experience a data breach, we'll notify you within 30 days and explain what happened and what we're doing about it.
Special care for learner data
Learners—especially elderly adults and minors—deserve extra protection, and we take that seriously.
We only collect learner data with explicit consent. For guardians managing learners under 13, we require parental consent before collecting any information. For older learners, we require the learner's own consent.
Learners (or their guardians) can request that their data be deleted at any time. We'll remove all personal information within 30 days, though we may keep aggregated, non-identifying data to improve our scam templates.
Learner data is never used for purposes other than training and progress tracking. It's never shared with third parties, sold, or used for marketing.
SMS messaging and mobile information
ScamDrill operates an opt-in SMS program ("ScamDrill SMS Scam-Simulation Training") that sends simulated phishing/smishing text messages for training purposes plus occasional service messages. This section explains how we handle the phone numbers and consent records associated with that program.
How we collect SMS opt-in information
A learner becomes enrolled in the SMS program only after completing an explicit, web-based opt-in that the learner themselves submits. First, a ScamDrill account holder ("guardian") with a pre-existing personal relationship with the learner adds the learner's name and email address from the dashboard. The guardian does not provide a phone number — the dashboard form has no phone field for the learner. ScamDrill then sends a single invitation email (never SMS) containing a tokenized link to our consent page at app.scamdrill.com/onboard?token={token}.
On the consent page the learner reads the program disclosures (sender, message types, frequency, "Msg & data rates may apply", STOP/HELP keywords, age confirmation, and links to these policies) and, if the program includes SMS, sees an empty mobile-phone-number input field that the learner fills in themselves, alongside an unchecked-by-default SMS-consent checkbox carrying the disclosure "By providing my phone number and checking this box, I agree to receive recurring automated SMS messages from ScamDrill regarding scam-recognition training — frequency varies up to 8 msgs/month, msg & data rates may apply, reply STOP to opt out. Consent is not a condition of any purchase." The submit button is disabled until the learner has entered a valid mobile number, ticked the SMS-consent box, and ticked the age + terms boxes (all separate, all unchecked by default).
The mobile phone number enters ScamDrill exclusively through this learner-self-entry step. It is written to the learner record only at the moment of consent submission — never before. ScamDrill never sends a text message to any phone number prior to this web-based opt-in.
What we record as proof of consent
For every SMS opt-in, we retain: the timestamp of consent, the IP address and user agent of the consenting browser, the version of the consent text the user agreed to, the per-checkbox state (each box recorded individually), and the phone number that consent applies to. We retain this record for as long as the phone number remains opted in and for a reasonable period after opt-out to demonstrate compliance with carrier and regulatory requirements. These records are made available to mobile carriers, The Campaign Registry (TCR), and other authorized parties on request.
How mobile information and SMS opt-in data are shared
No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All categories of personal information described in this Privacy Policy exclude text-messaging originator opt-in data and consent; this information will not be shared with any third parties.
Phone numbers and SMS consent records are used solely to operate the SMS program described above — to deliver training and service messages to the consenting recipient, to honor STOP/HELP requests, and to maintain the audit log required by carriers and TCR. They are processed only by service providers strictly necessary to deliver the messages (currently Twilio Inc., our A2P 10DLC messaging carrier) under contractual confidentiality and data-protection terms, and are never sold, rented, or shared with advertisers, data brokers, marketing partners, or affiliates.
Opt-out and help
You can opt out of ScamDrill SMS at any time by replying STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, or QUIT to any ScamDrill text message. After STOP, you receive one final confirmation message and no further SMS of any kind are sent to that number. You can also opt out by emailing support@scamdrill.com or asking the guardian who enrolled you to switch your simulation channel to "Email only" or remove your number from their dashboard. Reply HELP or INFO to receive program contact details. Both STOP and HELP are free to send on all major US carriers.
Re-consent on contact-information changes
If a guardian later changes a learner's phone number, or enables SMS for a learner who originally opted in to email-only, our system automatically resets the learner to a pending-consent state, generates a fresh consent token, sends a new consent invitation, and clears the prior SMS-consent timestamp. SMS to that learner is blocked at the messaging-engine level until the new opt-in is completed.
Frequency and cost
SMS recipients receive up to 8 ScamDrill messages per month; frequency may vary based on the guardian's training plan. ScamDrill does not charge for SMS, but message and data rates from your wireless carrier may apply. Mobile carriers are not liable for delayed or undelivered messages.
Additional commercial terms governing the SMS program — including the program description, message frequency, support contact, and carrier disclaimer — are available in our Terms of Service, "SMS program terms" section.
Your privacy choices
Use the control below to opt out of (or back into) advertising and analytics cookies, including Google Ads and the Meta pixel. This is also how California residents exercise the right to opt out of the “sale” or “sharing” of personal information for cross-context behavioral advertising. Your choice is saved on this browser, so if you use another browser or device — or clear your cookies — please set it again there too.
Your privacy rights
You have the right to:
- Access your data: Request a copy of all the information we have about you
- Correct your data: Update or fix any information that's inaccurate
- Delete your data: Request that we erase your account and all associated information
- Opt out: Stop receiving simulations or unsubscribe from emails at any time with a single click
- Export your data: Download your information in a common format (CSV or JSON)
- Object to processing: Tell us you don't want your data used for a specific purpose
To exercise any of these rights, email privacy@scamdrill.com and we'll respond within 30 days.
Data deletion
You can request deletion of your ScamDrill account and all associated data — including your account record, learner profiles, simulation history, scam-check submissions, and any analytics derived from your use of the service — at any time.
If you can sign in: go to Settings, scroll to the "Danger Zone" section, and click "Delete My Account." The action is immediate and irreversible.
If you can't sign in: email privacy@scamdrill.com from the email address on your account. We'll verify your identity and complete the deletion within 30 days, and you'll receive an email confirmation when it's done.
What's retained: aggregated, non-identifying analytics (for example, monthly click-through rates summed across all users) may remain in our systems. These cannot be linked back to your account. Backups containing your data are purged within 90 days of deletion.
CCPA and GDPR compliance
If you're in California: You have rights under the California Consumer Privacy Act, as amended by the CPRA — including the rights to know, delete, correct, and opt out of the “sale” or “sharing” of personal information. We don't sell your data for money, but our use of advertising cookies (Google and Meta) can count as “sharing” for cross-context behavioral advertising. You can opt out at any time in Your privacy choices, or email privacy@scamdrill.com.
If you're in the EU or UK: We comply with the General Data Protection Regulation (GDPR) and UK Data Protection Act 2018. This includes your rights to access, correct, delete, and port your data. Our legal basis for processing your data is your consent (which you can withdraw) and our legitimate interest in providing the service.
We don't transfer data outside the US without your consent, except where required by law.
Changes to this policy
We may update this policy as our service grows or regulations change. When we make material changes, we'll notify you by email at least 30 days before they take effect. Your continued use of ScamDrill after the update means you accept the new terms.
Contact us
Have questions about your privacy? We're here to help.
- Privacy concerns: privacy@scamdrill.com
- Data requests (CCPA/GDPR): privacy@scamdrill.com
- General inquiries: hello@scamdrill.com