Privacy Policy

Last Updated: March 30, 2026

Legal Entity and Service Scope

This Privacy Policy (the "Policy") applies to services provided by Vigilcode, Inc., a Delaware corporation ("Vigilcode," "we," "us," or "our"), including:

- Our website at vigilcode.com and all subdomains

- The Vigil mobile application for iOS and Android

- Our API services at api.vigilcode.com

- All related online services and features

This Policy does not apply to third-party websites, services, or applications, even if accessed through our Services.

Overview

Vigil provides AI-powered threat detection and security analysis services to help users identify potential digital security risks. This Privacy Policy explains how we collect, use, and protect your information when you use our services.

On-Device Processing

Vigil's core threat detection engine (Sentinel) runs entirely on your device using on-device machine learning models. This means:

- Your messages stay on your device: Text and email content you scan is analyzed locally and is never transmitted to our servers for threat detection

- No cloud dependency for scanning: Threat analysis works offline without an internet connection

- Privacy by design: On-device processing ensures your sensitive content remains under your control at all times

Types of Data We Collect

We categorize the information we collect into three distinct types to provide transparency about how your data is used:

Service Data (Required for Operation)

- Email addresses for authentication and account management

- Session identifiers and device tokens for secure access

- Account settings and preferences you configure

- Authentication logs for security monitoring

- Usage quota tracking (scan counts per period) to manage service limits

Analysis Data (Your Submitted Content)

- Text and URLs you submit for security analysis

- Content metadata necessary for threat detection

- Analysis results and recommendations we generate

- Processed on-device with privacy-preserving techniques

Diagnostic Data

- App performance metrics

- Error reports (collected automatically to improve app stability)

- Usage analytics to improve service quality (anonymized, opt-in)

Information We Collect

Email Addresses

- Required for account creation and magic link authentication

- Used for service communications including authentication, account recovery, and important service updates

- Not shared with third parties for marketing or other purposes

Content Data ("Vigilize Data")

- Text, URLs, and other content you submit for security analysis

- Collected when you use our threat detection services through the mobile app

- Analyzed on your device to provide security recommendations, threat assessments, and safety insights

- May include message content, email headers, and website URLs

Technical Information (Mobile App)

- Device identifiers for secure session management (not for tracking)

- App usage analytics to improve service performance (anonymized)

- Authentication tokens for secure access (automatically expired)

- Crash reports collected automatically to improve app stability

- App version and device model for compatibility support

Mobile Application Data Collection

Our mobile app collects minimal data necessary for functionality:

- Session management: Secure tokens that automatically expire

- Performance monitoring: App crashes and performance issues (optional)

- Feature usage: Which features are used to prioritize improvements (anonymized)

- Security logs: Authentication attempts for fraud prevention

Important: We do not track your location, access your contacts, read your messages, or monitor your other apps. We do not use Apple's IDFA or participate in ad tracking.

Optional Account Connections

You may choose to connect email accounts (such as Google Gmail, Microsoft Outlook, or Yahoo Mail) to enable email scanning features. When you do:

- We use industry-standard OAuth 2.0 to authenticate with the provider

- We never see or store your third-party account passwords

- Your email access tokens and email content remain on your device and are analyzed locally by our on-device threat detection engine

- Our servers receive only a cryptographic identity token to verify your account ownership, and score metadata (threat level, risk category) after analysis

- You can revoke access at any time through your account settings or the third-party provider's settings

Email Provider Data

When you connect an email account (Google Gmail, Microsoft Outlook, Yahoo Mail, or other supported providers), we request read-only access to your messages to enable on-device email threat scanning. Here is how we handle your email provider data:

- What we access: Email message headers and content, accessed directly from the provider's servers to your device

- How it is used: Analyzed entirely on your device by our on-device threat detection engine to identify potential security threats. Your email content is never transmitted to Vigilcode servers

- What our servers receive: Only an identity token (to verify your account) and score metadata after analysis (threat level and risk category — not email content)

- Storage: Email headers are cached on your device for up to 30 days. Email content is cached on your device for up to 24 hours. Neither is sent to or stored on our servers

- Sharing: Your email provider data is not shared with, transferred to, or disclosed to any third party

- Permitted uses only: We only use email provider data to provide or improve user-facing features that are prominent in our app's user interface. We do not use or transfer email provider data for serving ads, including retargeting, personalized, or interest-based advertising, nor for sale to third parties, training AI models, or any other purpose unrelated to providing you with on-device email threat scanning

Google API Limited Use Disclosure: Vigil's use and transfer of information received from Google APIs adheres to the [Google API Services User Data Policy](https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements

Automatically Collected Information

- IP addresses for security and fraud prevention

- Usage patterns to improve service quality

- Error logs for technical support and debugging

How We Use Your Information

Primary Service Functions

- Threat Detection: Analyze submitted content for security risks

- Authentication: Provide secure, password-less login via magic links

- Service Delivery: Generate personalized security recommendations

- Account Management: Maintain your account and service preferences

- Quota Management: Track usage to enforce service tier limits

Service Improvement

- Product Development: Enhance threat detection capabilities and user experience using aggregated, non-identifiable usage analytics

- Research: Understand emerging security threats and develop better protections through analysis of threat landscape trends

- Voluntary Feedback: If you choose to report a misclassified message through our in-app feedback feature, we may review that specific submission to understand and correct detection errors. This is entirely opt-in and only occurs when you explicitly share a message for this purpose

Data Anonymization and Voluntary Feedback

When you voluntarily submit feedback about a misclassified message:

- We review only the specific message you explicitly chose to share

- Personal identifiers are removed before any internal analysis

- Feedback is used exclusively for human review to understand why a threat was missed or misidentified, so we can improve our product

- We do not retain your email content beyond what is needed to resolve the reported issue

- You are never required to share any message — this is entirely opt-in

Your Data Ownership

You retain full ownership of all content you submit to Vigil. We process your data solely to provide security analysis services and improve our threat detection capabilities.

What This Means

- You own your content: We never claim ownership of your personal communications, files, or other submitted content

- Limited processing rights: We only process your data to deliver the services you requested

- No permanent claims: Our processing rights end when you delete your account or withdraw consent

- Exportable data: You can request a copy of your data and analysis history at any time

Our Commitment

We act as a data processor for your submitted content, not a data owner. Your trust in sharing potentially sensitive content for analysis is fundamental to our service, and we honor that trust through strict data ownership respect.

Information Sharing and Disclosure

We Do Not Sell Your Data

**ABSOLUTE COMMITMENT**: We do not and will never:

- Sell your personal data to advertisers, data brokers, or marketing companies

- Share data with third parties for their own commercial purposes

- Use your data for advertising to third parties

- Create marketing profiles from your submitted content

- Monetize your information beyond providing you our security services

This is a core principle that will never change, regardless of business pressures or opportunities.

What We Don't Do

- No data sales: We do not and will never sell your personal data

- No advertising partnerships: We do not share data with advertisers or data brokers

- No marketing databases: We do not use your data for marketing to third parties

- No unencrypted storage: We do not store unencrypted sensitive content

- No cross-selling: We do not share your information for others to market to you

Limited Disclosure Scenarios

We may disclose information only when:

- Required by law or legal process

- Protecting user safety in emergency situations

- Preventing fraud or security threats to our services

- With your explicit consent for specific purposes

Service Providers

We use the following categories of trusted service providers to deliver our services. Each provider is contractually bound to protect your information and may not use your data for their own purposes:

- Cloud Infrastructure (Amazon Web Services): Hosts our backend services, API endpoints, and securely stores account and quota data

- Authentication (Firebase Authentication): Provides secure sign-in and account management

- Subscription Management (RevenueCat): Processes in-app purchase transactions and manages subscription entitlements. RevenueCat receives purchase receipts and anonymous user identifiers but not your personal content

- Email Providers (Google, Microsoft, Yahoo): When you choose to connect an email account, the respective provider handles authentication. Your email access tokens remain on your device and are never sent to our servers. We receive only a cryptographic identity token to verify your account ownership

- Analytics and Crash Reporting (Firebase): Collects anonymized app performance data and crash reports to help us improve reliability

Data Security

Protection Measures

- Industry-standard encryption for data transmission and storage

- Access controls limiting data access to authorized personnel only

- Regular security audits and vulnerability assessments

- Secure authentication using modern cryptographic methods

Data Retention

- Account data: Retained while your account is active

- Submitted content: Temporarily processed during analysis and automatically deleted within 24 hours. Only score metadata (threat level, risk category) is retained for up to 30 days

- On-device history: Paste history stored locally on your device for up to 7 days, never sent to our servers

- Anonymized analytics: May be retained indefinitely for service improvement and threat research

- Deletion requests: Honored in accordance with applicable law

Your Rights and Choices

Account Control

- Access your data through account settings

- Update information including email preferences

- Delete your account and associated personal data

- Request a copy of your data in portable formats

Communication Preferences

- Opt out of non-essential communications

- Authentication emails cannot be disabled (required for service)

- Security alerts recommended but can be customized

Data Processing Rights

- Request data deletion (subject to legal and operational requirements)

- Correct inaccurate information in your account

- Object to processing for certain purposes

- Data portability for information you've provided

Children's Privacy

Vigil is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will take steps to delete it promptly.

International Data Transfers

Your information may be processed in countries other than your own. We ensure appropriate safeguards are in place to protect your data when transferred internationally, including:

- Standard contractual clauses approved by regulatory authorities

- Adequacy decisions recognizing equivalent protection levels

- Additional security measures as required by applicable law

California Privacy Rights

California residents have additional rights under the California Consumer Privacy Act (CCPA):

- Right to know what personal information is collected and how it's used

- Right to delete personal information (with certain exceptions)

- Right to opt-out of sale of personal information (we don't sell data)

- Right to non-discrimination for exercising privacy rights

Changes to This Policy

Vigilcode reserves the right to modify this Privacy Policy at any time. When we make changes:

- We will update the "Last Updated" date at the top of this document

- For material changes, we will provide additional notice via email or prominent website notification

- Your continued use of our Services after changes constitutes acceptance of the updated Policy

- We encourage you to review this Policy periodically for updates

Third-Party Services and Websites

This Policy does not cover third parties or their products, actions, or services. Vigilcode is not responsible for:

- Third-party websites, applications, or services you may access through our Services

- Cookies, pixels, and tracking technologies used by third-party advertisers

- Social media platforms, email providers, or other external services you may connect to

- Privacy practices of companies that provide services to us

For information about third-party privacy practices, please consult their respective privacy policies.

Contact Information

For privacy-related questions, concerns, or requests:

Email: <privacy@vigilcode.com>

Effective Date

This Privacy Policy is effective as of March 30, 2026 and replaces all previous versions.

*By using Vigil services, you acknowledge that you have read and understood this Privacy Policy and agree to our data practices as described herein.*