Privacy Policy
Last updated: 2026-06-20
Seclum is operated by Angstroma, Inc. (“Seclum,” “we,” “us”). We built Seclum because the consumer-security market has a credibility problem. This page is the literal accountability for the promises on our home page.
1. The short version
- We never persist the raw URL, SMS, email body, or password you check — only a hash and the verdict.
- For a URL/SMS/email check, your input is sent to our Cloudflare edge worker, hashed there (SHA-256), and discarded — the raw text is never written to our database.
- For a password check, your password is hashed in your browser (SHA-1) before anything is sent; only the first five characters of that hash ever reach the breach database (k-anonymity). We never receive your password or its full hash.
- Anthropic, our AI provider, does not train on API customer data. Inputs are subject to Anthropic's standard API terms, which provide for short-term retention for safety/abuse review and then deletion. We do not currently hold a zero-retention contract with Anthropic.
- You can export everything we know about you, or delete your account, from settings — no email required.
- We do not sell, rent, or trade your data. We use no advertising or cross-site trackers on this site or in our extension. For product analytics on this site only we use PostHog through a first-party reverse proxy; the extension uses none.
2. Who we are
Data controller: Angstroma, Inc., a Delaware C-corporation operating the Seclum brand. Mailing address: c/o Stripe Atlas registered agent, Wilmington, Delaware, USA. Reach us at privacy@seclum.com.
3. What we collect
Account data
- Email address (via Clerk, our identity provider)
- Authentication factors you set up (password, MFA tokens — Clerk holds these, never us)
- Tenant ID and plan
Check data
- SHA-256 hash of the URL or message you check (NOT the raw input)
- Input type (url / sms / email-text)
- Length of input (a number, not the content)
- The verdict (safe / suspicious / scam / unknown), confidence score, and the reasoning summary the AI generated
- Timestamp and whether the result came from cache
The reasoning summary may quote signal-bearing fragments of your input — for example, “the URL contains ‘paypa1’ instead of ‘paypal’.” That is the product. The full original input is never stored.
Password breach check
- Your password is hashed in your browser (SHA-1) before anything leaves your device.
- Only the first five characters of that hash are sent to the Have I Been Pwned (HIBP) Pwned Passwords API, which returns matches for that prefix — a technique called k-anonymity. HIBP never sees your password or its full hash, and we send no account identifier with the lookup.
- We store only that 5-character prefix, the breach occurrence count, and the severity verdict — never your password, and never the full hash.
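The k-anonymity lookup described above, as an added illustration (not Seclum's code): a Python stand-in for the browser-side step that hashes locally, sends only the 5-character prefix, and matches the remaining 35 characters on the client. The `fetch_range` callback, the `sent` log and the sample response rows are constructed for this example; the `SUFFIX:COUNT` line format is the one the HIBP Pwned Passwords range API returns.

```python
import hashlib

def split_sha1(password):
    """Hash locally; return (5-char prefix that is sent, 35-char suffix that stays)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix, range_body):
    """Look for our suffix among 'SUFFIX:COUNT' lines; 0 means not found."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix.upper():
            # Padding rows (added to hide response size) carry count 0,
            # so they fall out as "not breached" without special casing.
            return int(count or 0)
    return 0

def check_password(password, fetch_range):
    """Return the breach occurrence count; only the prefix crosses the wire."""
    prefix, suffix = split_sha1(password)
    body = fetch_range(prefix)          # the single point where data leaves
    return count_in_range(suffix, body)

# --- constructed test double: records exactly what a server would receive ---
sent = []

def fake_range(prefix):
    sent.append(prefix)
    real_suffix = split_sha1("password")[1]
    rows = [
        "0" * 35 + ":3",                # constructed unrelated row
        real_suffix + ":42",            # constructed count for the sample
        "F" * 35 + ":0",                # constructed padding row
    ]
    return "\r\n".join(rows)

if __name__ == "__main__":
    hits = check_password("password", fake_range)
    print("breach count:", hits)
    print("server saw only:", sent)
```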
Email breach check & monitoring
- When you check whether an email address has appeared in a data breach, that address is sent to Have I Been Pwned (HIBP) to perform the lookup. Unlike the password check, this uses HIBP's direct email search, so the full address — not an anonymized prefix — reaches HIBP. HIBP is a sub-processor under a data-processing agreement and states it does not log these searches.
- On our side, for a one-off check we store only a SHA-256 hash of the email plus the breach result (which breaches, severity, AI reasoning) — never the raw address.
- If you turn on always-on monitoring (Seclum Pro), we must keep the address to re-check it daily, so we store it encrypted at rest (AES-256-GCM) — never in plain text. You can only monitor an address after confirming a link we email to it, and you can remove it at any time.
Billing data (if you buy credits or subscribe)
- Email and country (for tax compliance)
- Purchase records (which credit pack or the Seclum Pro subscription, when, amount, and the Stripe customer / subscription identifiers)
- We never see your card number — Stripe handles all card data on its PCI-DSS Level 1 infrastructure.
Operational telemetry
- IP address, hashed with a 7-day rotating salt, kept only for abuse mitigation
- Browser user-agent family (e.g., “Chrome desktop”) — not the full string
- Error stack traces (Sentry, server-side only — the extension contains no Sentry SDK)
- Aggregate usage events (PostHog, first-party reverse-proxied — no cross-site tracking)
4. What we never collect or store
- The raw URL, SMS body, or email body that you submit for a check
- Your password, or the full hash of your password — only the 5-character hash prefix is processed, via k-anonymity
- Your IP address tied to your account identity (we hash it, with salt rotation)
- Browser fingerprinting data, behavioral profiles, or cross-site activity
- Anything from our browser extension beyond what you explicitly choose to check
5. Why we process what we do (lawful basis under GDPR)
- Article 6(1)(b) contract — for paid-tier check generation and credit-pack purchases
- Article 6(1)(a) consent — for free-tier signup, AI analysis of your submitted content
- Article 6(1)(f) legitimate interest — for fraud prevention, audit log retention, and abuse mitigation
6. How long we keep what we keep
- Verdict history (hash + verdict + reasoning summary): user-controlled in Settings — 30 days, 90 days, 1 year, or kept indefinitely. New accounts default to 90 days in line with GDPR Article 5(1)(e) storage-limitation. The retention cron sweeps daily.
- Hashed verdicts in the global cache: 7 days for “scam”, 24 hours for “safe”, 6 hours for “suspicious”, 1 hour for “unknown”
- Audit log of security-relevant events: up to 2 years across all accounts
- Monitored email addresses (Seclum Pro): stored encrypted until you remove them or delete your account; deleted immediately on either action
- Account record: until you delete it, or 2 years of inactivity (whichever comes first)
- IP hash with rotating salt: 7 days
- Stripe billing records: retained by Stripe per their policy and applicable tax law (typically 7 years)
7. Who else processes your data (sub-processors)
We use the following service providers. Each has a Data Processing Agreement on file with us.
- Vercel — web app hosting (US, multi-region)
- Cloudflare — edge worker, WAF, Turnstile CAPTCHA, DNS
- Neon — Postgres database (US-East)
- Upstash — Redis for rate-limit counters and verdict-cache mirror
- Clerk — authentication (handles your password, MFA factors, sessions)
- Stripe — payments (handles all card data; we never see it)
- Anthropic — Claude API for the AI verdict (does not train on API customer data; transient retention per Anthropic's standard API terms)
- Have I Been Pwned (HIBP) — the breach database. For password checks it receives only an anonymous 5-character hash prefix (k-anonymity) — no password, no full hash. For email breach checks and monitoring it receives the email address you ask us to look up, so it can return which breaches it appears in.
- Resend — transactional email
- Sentry — server-side error tracking
- PostHog — product analytics, first-party reverse-proxied
8. Your rights
If you are in the EU, UK, EEA, Switzerland, California, or any jurisdiction with similar law:
- Access (GDPR Article 15 / CCPA right to know) — export everything we have about you in machine-readable JSON, from your account settings, in under 30 seconds.
- Erasure (Article 17 / CCPA right to delete) — delete your account from settings; we cascade-delete tenant rows and anonymize legitimate-interest audit entries within 30 days.
- Rectification (Article 16) — change your email or name from settings.
- Portability (Article 20) — same JSON export as access.
- Objection (Article 21) — stop using the product; no legitimate-interest processing continues post-erasure.
- Automated decision-making (Article 22) — our verdict is automated, but it is advisory. We do not take any action on you based on it.
- Do Not Sell or Share (CCPA / CPRA) — we do not sell or share your personal information for cross-context advertising. The toggle in settings is provided for transparency.
- Complaint — you may complain to your supervisory authority (e.g., your state attorney general, or the ICO in the UK, or your national DPA in the EU).
9. Children
Seclum is not directed to children under 13. We do not knowingly collect data from anyone under 13. If you believe we have, email privacy@seclum.com and we will delete it.
10. International transfers
Our infrastructure runs primarily in US-East. If you are outside the US, your data is transferred to and processed in the US under Standard Contractual Clauses (SCCs) with each sub-processor named above.
11. Security
All traffic is TLS-encrypted. Secrets at rest are stored in Vercel's encrypted environment variables. The audit log is immutable at the database layer (a Postgres trigger blocks updates and deletes outside of the retention rotation cron). We describe our threat model and mitigations in our internal Data Protection Impact Assessment, available on request to enterprise customers under NDA.
12. Breach notification
If we suffer a breach affecting your data, we will notify you and the relevant supervisory authority within 72 hours of discovery, per GDPR Article 33.
13. Changes to this policy
If we make material changes, we will email you at the address on your account and post a notice at the top of this page for at least 30 days. The “Last updated” date at the top reflects the most recent revision.
14. Contact
Privacy questions, GDPR / CCPA requests, or anything you want clarified: privacy@seclum.com.