Privacy Policy

Last updated: March 18, 2026

1. What We Collect

When you create an account, we collect:

  • Email address — for account verification and security notifications
  • Display name — shown publicly on your reports and profile
  • Password — stored as a bcrypt hash, never in plaintext

When you use the platform, we collect:

  • IOC submissions — phishing URLs, domains, IPs, emails you report
  • Votes — your confirm/reject votes on reports
  • IP address — for rate limiting and abuse prevention (not stored long-term)
  • API usage — request counts for rate limiting

2. What We Don't Collect

  • We do not use cookies for tracking or advertising
  • We do not use third-party analytics (no Google Analytics, no trackers)
  • We do not sell or share your personal data with third parties
  • We do not track your browsing activity outside of vspam.org

3. How We Use Your Data

  • Email — account verification, password reset, security alerts only
  • Display name — shown publicly alongside your reports and votes
  • IOC submissions — published in our threat database, feeds, and DNSBL
  • Votes — aggregated to determine report consensus status
  • IP addresses — rate limiting only, automatically purged from Redis

4. Public Information

The following information is publicly visible:

  • Your display name and trust tier
  • Reports you submit (IOC value, category, evidence text)
  • Your vote history (confirm/reject, visible on report pages)
  • Your reputation score and report statistics

Your email address is never publicly visible.

5. Data Storage

  • Data is stored on servers in Germany (Contabo/Hetzner)
  • Passwords are hashed with bcrypt (cost factor 12)
  • API keys are stored as SHA-256 hashes
  • All connections use TLS/HTTPS encryption
  • Database backups are encrypted at rest

6. Browser Extension

The vspam browser extension:

  • Only accesses the URL of the active tab when you click the extension icon
  • Does not collect browsing history
  • Stores your API key locally in browser storage (never transmitted except to api.vspam.org)
  • Captures screenshots only when you explicitly submit a report

7. Data Retention

  • Account data — retained until you request deletion
  • IOC reports — retained indefinitely as part of the threat database
  • Rate limit data — automatically purged hourly
  • Verification tokens — expire after 24 hours

8. Your Rights

You may request:

  • Export of your personal data
  • Deletion of your account and personal data
  • Correction of inaccurate information

Contact privacy@vspam.org for any privacy-related requests.

9. Changes

We may update this policy. Significant changes will be announced on the platform. Continued use after changes constitutes acceptance.