Privacy policy

Last updated: 2026-04-23 · This is a plain-English starting point. Have your own counsel review before launch.

What we collect

• Account data — your email address, password hash, and any name/organization name you provide at signup. We store a bcrypt hash of your password — we never see or store the plaintext.
• Forwarded emails — when you forward a suspicious email to our address, we receive the full message, extract the links, and analyze them. We store the email content and analysis results so you can review them in your dashboard.
• Usage and audit data — login attempts, IP addresses, user-agent strings, and administrative actions are logged for security and abuse prevention.
• Billing data — handled by Stripe. We store a Stripe customer ID and subscription state. We never see your card.

How we use it

• To analyze the links you send us and email you a report.
• To enforce your plan’s scan quota and notify you when you approach or exceed it.
• To detect and block abuse (spoofed senders, credential stuffing, quota abuse).
• To send transactional emails (scan reports, quota notifications, billing receipts). We do not send marketing email without opt-in.

Who can see what

• The person who forwarded an email sees the full scan result in their reply email and, if they’re signed in, in their dashboard.
• Organization admins see aggregated usage — scan counts, dates, risk-level distributions. They do not see the subject lines, email bodies, or specific URLs submitted by their colleagues.
• Our engineers may access production data only to debug specific incidents, under audit log, and never for browsing.

Third-party services we use

To analyze a URL we query public reputation services: Google Safe Browsing, VirusTotal, public WHOIS, and the URL itself (for rendering and redirect analysis). Only the URL is sent — not your email address, subject, or body.

Email delivery is handled by Mailgun. Billing is handled by Stripe. Error tracking may be handled by Sentry. These providers are contractually bound to process data only for the services they provide us.

Where data is stored

LinkShield is operated from the United States. All data — account details, submission content, and analysis results — is stored on servers located in the US. If you use the service from outside the US, your data will be transferred to, stored, and processed in the US. By creating an account or forwarding an email for analysis, you consent to this transfer.

Retention

By default, submission content is retained for 90 days on individual plans and 1 year on organization plans. Aggregate usage counts are retained for the lifetime of your account.

Your rights — and how to exercise them

You can delete your account at any time from your account settings. Deletion is immediate and permanent: we remove your account, any organization you own, and all personally identifying data (email, subject lines, email content) from your scan history. Aggregate risk-score data is retained anonymously.

You can also request a copy of your data, corrections, or deletion by emailing privacy@adams-ai.com. We respond within 30 days. This applies regardless of where you’re located — GDPR, UK-GDPR, and CCPA rights are honored.

Contact

Questions? privacy@adams-ai.com.