Privacy Policy
Last updated: June 12, 2026
1. Overview
KinSentry ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and safeguard your information when you use the KinSentry Chrome and Edge browser extension, the kinsentry.com website, and the KinSentry user dashboard (collectively, the "Service").
By using the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, and a hashed password. If you sign up with Google, we receive your Google profile information — specifically your name, email address, profile picture, and Google account ID. We do not access your contacts, calendar, Gmail, Drive, or any other Google services through your Google account or Google APIs. (Separately, our on-page phishing detection reads the email you have open in your webmail tab, locally on your device only — see Section 2.8.)
2.2 Payment Information
If you subscribe to a paid plan, payment is processed entirely by our PCI-DSS-compliant payment processor. We never see, store, or transmit your full credit card number, CVV, or banking details. We retain only the processor’s transaction reference, the last 4 digits of your card, and billing metadata required for invoicing and tax purposes.
2.3 Extension Activity Data
KinSentry blocks scam websites in real time. URL pattern matching is performed locally inside the extension against a blocklist downloaded to your device. When a URL appears suspicious or matches a high-confidence pattern, it is also transmitted to our servers for manual verification. If a URL is confirmed harmful by our review process, it is added to our shared blocklist database to protect all KinSentry users.
We do not track, log, or transmit your general browsing history. The only URLs we process server-side are those flagged by the local extension as potentially harmful.
2.4 Blocked Event Data
When a scam site is blocked, we log the event (timestamp, blocked URL, device identifier, plan tier) to power your dashboard and family alerts. This data is encrypted in transit (TLS 1.3) and at rest (AES-256).
2.5 Family Contact Information
If you configure family alerts, we store the contact details (email address, phone number) you provide so we can send notifications when a scam is blocked. You are responsible for ensuring you have permission from your family members to share their contact information with us.
2.6 Voice Alerts
Voice warnings are generated locally on your device using your operating system's built-in text-to-speech engine. We do not capture, transmit, or store any audio or microphone input.
2.7 Technical & Diagnostic Data
We may collect basic technical information such as browser type, operating system, extension version, anonymized IP address, and crash logs. This is used solely for troubleshooting, security, and improving the Service.
2.8 Phishing Email Detection (Webmail Scanning)
If you use the phishing email detection feature, the extension analyses the email you currently have open in supported webmail services (Gmail, Outlook, Yahoo Mail, and AOL Mail). This analysis — covering the sender, subject line, and message body — happens entirely locally on your device. The contents of your emails are never transmitted to, stored by, or readable by KinSentry or anyone else.
When an email is flagged as a likely phishing attempt, only minimal detection metadata leaves your device: the sender’s domain (for example, example.com) and the detection category. This is logged as a protection event in the same way as a blocked website (see Section 2.4) and, on a Family plan, may be visible to the plan administrator on their dashboard. We never receive the email itself, the sender’s full address, the subject, any attachments, or any other message content.
Your personal “safe senders” list is stored locally in your browser and is never uploaded. You can turn phishing email detection off at any time in the extension settings.
2.9 Download Guard
The Download Guard feature checks files you download against a list of known remote-support and remote-access software commonly abused by scammers. This check happens entirely locally on your device: the extension may pause a matching download and ask you to confirm before it continues. The names, URLs, and contents of your downloads are never transmitted to our servers.
2.10 Family Plan Monitoring (Member Devices)
The Family plan is designed to let a trusted family member (the plan administrator) help protect other members of their household. If you use KinSentry on a device that was activated with a Family invite code, the following applies:
- No account required for members. Member devices are not linked to an email address or password. Each device is identified by a randomly generated device token and a display name chosen by the administrator (for example, “Mom’s laptop”).
- The administrator can see protection activity. Protection events from member devices — blocked scam sites, detected scam pages, flagged phishing sender domains, and the associated URLs, timestamps, and counts — are visible to the plan administrator on their dashboard. General browsing history is not collected or visible; only events where a protection feature was triggered.
- The administrator controls protection settings remotely. The administrator can enable or disable individual protection features (such as scam-page detection, phishing email detection, download guard, voice warnings, and notifications) for each member device, and can remove a device from the household at any time.
- Member devices know who the administrator is. The administrator’s display name is shown on the member device so household members can see who manages their protection.
If you are a plan administrator, you are responsible for ensuring that the people who use member devices are aware of, and have agreed to, this monitoring. When a device is removed from a household (or the household is dissolved), its protection stops and the device disconnects from the plan.
2.11 Support Requests & Website Forms
If you contact support through the extension or website, we collect the email address you provide, the issue category, your message, and — if you are signed in — your account email and plan tier, so that we can respond to your request. If you join a product waiting list on our website (for example, for an upcoming mobile app), we store the email address you submit so that we can notify you when the product launches. Waiting-list emails are used for that notification only unless you separately opt in to marketing.
3. Cookies & Tracking Technologies
The kinsentry.com website and dashboard use a small number of essential cookies and similar technologies for authentication, session management, and security (e.g., CSRF protection). These cookies are strictly necessary for the Service to function and cannot be disabled without breaking core features.
We do not use third-party advertising cookies, behavioural-tracking cookies, retargeting pixels, or cross-site analytics tags such as Google AdSense, Google Tag Manager, Google Analytics, or Meta Pixel. We do not set any non-essential cookies on your device.
As our European user base grows, we plan to introduce a cookie consent banner to give EEA, UK, and Swiss visitors clear and granular controls over any non-essential cookies, in line with the ePrivacy Directive. Until that banner is in place, we will continue to set only strictly necessary cookies that do not require prior consent.
3.5 Affiliate Advertising (Free and Free-Trial tiers only)
To help fund the Service for users who do not pay a subscription, we display a small number of first-party affiliate advertisements within the KinSentry dashboard and new-tab page. These ads are shown only to users on our Free and Free-Trial tiers. Paid Guardian and Family subscribers do not see any advertising.
How affiliate advertising works on KinSentry:
- First-party only. Ad creatives (images and text) are stored on our own servers and served by us directly. We do not embed any third-party ad network, ad exchange, real-time-bidding script, or programmatic advertising code.
- No behavioural targeting. Which ad you see is determined by a simple weighted rotation per slot, not by your browsing history, demographics, interests, location, or any profile built from your activity.
- Aggregate counters only. When an ad is shown to you, we increment an anonymous impression counter on the ad itself. When you click an ad, we increment an anonymous click counter and then redirect you to the partner's website. We do not associate impressions or clicks with your user account, email address, IP address, device identifier, or any other personal identifier.
- Click-through redirect. Affiliate clicks pass briefly through a KinSentry redirect URL (api.kinsentry.com/api/ads/…/click) so that the click counter can be incremented before you reach the partner. This redirect is server-side only and does not set any tracking cookie on your browser.
- Partner referral parameters. The destination URLs we redirect to may contain affiliate-reference parameters supplied by the partner (e.g., a partner-specific campaign code). These parameters identify KinSentry as the referring publisher; they do not identify you personally.
- Partner privacy policies apply on partner sites. Once you leave KinSentry by clicking an affiliate ad, you are subject to the partner's own privacy policy and cookie practices, which are outside our control. We recommend reviewing the partner's policy before providing any personal information on their site.
We do not sell or share your personal information with advertisers, partners, or any third party for advertising or marketing purposes.
4. How We Use Your Information
- To provide, maintain, and secure the KinSentry Service
- To send family alerts when scam sites are blocked
- To detect phishing emails in your webmail (analysed locally on your device — see Section 2.8)
- To provide Family plan monitoring and remote protection management (see Section 2.10)
- To power your activity dashboard and block history
- To send you transactional emails (account, billing, security)
- To send you product updates and weekly digests (only if you have opted in)
- To improve our scam-detection capabilities and update our blocklist database
- To process payments and manage subscriptions
- To comply with legal obligations and enforce our Terms of Service
5. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following legal bases under the General Data Protection Regulation (GDPR):
- Contract — to provide the Service you signed up for (account, blocking, alerts)
- Consent — for optional marketing emails and any future use of non-essential cookies. You may withdraw consent at any time.
- Legitimate Interest — to secure the Service, prevent fraud and abuse, and improve our scam-detection capabilities, balanced against your privacy rights.
- Legal Obligation — to comply with tax, accounting, and law-enforcement requirements.
6. Data Sharing & Third-Party Processors
We do not sell, rent, or share your personal information with third parties for advertising or marketing purposes. We share data only with the following service providers, each bound by a data-processing agreement:
- Payment processor — secure payment processing and subscription management (PCI-DSS-compliant)
- Supabase — primary database and authentication
- Railway — API and infrastructure hosting
- Twilio — SMS and WhatsApp delivery for family alerts
- SendGrid — transactional email delivery
We may also use anonymous analytics and error-tracking tools to monitor performance and reliability. Where used, these tools are configured to collect only aggregated, non-identifying data.
When you click an affiliate advertisement on a Free or Free-Trial tier, your browser is redirected to the partner's website through a KinSentry redirect URL that increments an anonymous click counter. We do not transmit your personal information to the partner; any affiliate-reference parameters in the destination URL identify KinSentry as the referring publisher, not you. See Section 3.5 for details.
We may also disclose information when required by law, court order, or to protect the rights, property, or safety of KinSentry, our users, or the public.
7. International Data Transfers
KinSentry and several of our service providers (including our payment processor, Supabase, Railway, Twilio, and SendGrid) are based in or process data in the United States and other countries outside the EEA, UK, and Switzerland. Where such transfers occur, we rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK and Swiss safeguards to ensure your data receives an adequate level of protection.
8. Data Retention
We keep your personal data only for as long as necessary for the purposes described in this policy:
- Account data — retained while your account is active, plus 90 days after deletion to allow recovery
- Blocked-event history — retained per your plan tier (Free: 7 days, Guardian: 30 days, Family: 90 days)
- Family contact details — retained until you remove them or delete your account
- Family member device data — deleted when the device is removed from the household or the household is dissolved
- Payment records and invoices — retained for up to 7 years to comply with tax, accounting, and audit obligations
- Server logs and diagnostic data — retained for up to 90 days, then automatically purged
- Confirmed-harmful URLs in our blocklist — retained indefinitely as part of our shared protection database (no personal identifiers attached)
9. Data Security
We use industry-standard safeguards to protect your information, including TLS 1.3 encryption for all data in transit, AES-256 encryption for data at rest, hashed passwords (bcrypt), strict role-based access controls, and continuous security monitoring on our hosting infrastructure.
No method of transmission or storage is 100% secure. While we use commercially reasonable measures to protect your data, we cannot guarantee absolute security.
10. Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, where required by applicable law (including GDPR Art. 33). If the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay via the email address associated with your account.
11. Your Rights
Depending on where you live, you may have the following rights regarding your personal data:
- Right of access — to request a copy of the personal data we hold about you
- Right to rectification — to correct inaccurate or incomplete data
- Right to erasure ("right to be forgotten") — to request deletion of your personal data
- Right to restrict processing — to limit how we use your data
- Right to data portability — to receive your data in a structured, machine-readable format
- Right to object — to processing based on legitimate interest or for direct marketing
- Right to withdraw consent — at any time, where processing is based on consent
- Right to lodge a complaint — with your local data protection authority
To exercise these rights, you may use the self-service options in your dashboard where available, or email us at privacy@kinsentry.com. We will respond within 30 days. We may need to verify your identity before processing certain requests.
12. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you specific rights regarding your personal information:
- The right to know what categories of personal information we collect, use, and disclose
- The right to request deletion of your personal information
- The right to correct inaccurate personal information
- The right to opt out of the sale or sharing of your personal information
- The right to limit the use of sensitive personal information
- The right to non-discrimination for exercising your rights
We do not sell or share your personal information for cross-context behavioural advertising, and we have not done so in the past 12 months. Our first-party affiliate advertising program (described in Section 3.5) does not transmit your personal information to advertisers and is not considered "selling" or "sharing" under the CCPA/CPRA. To exercise any CCPA right, email privacy@kinsentry.com.
13. Children's Privacy
The Service is not intended for, and we do not knowingly collect personal data from, anyone under the age of 16. If you are under 16, please do not use the Service or send us any personal information. If we become aware that we have collected personal data from a child under 16 without verified parental consent, we will delete that information promptly. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@kinsentry.com.
14. Account Deletion
You may request deletion of your account and associated personal data at any time. Where available, you can use the "Delete Account" option in your dashboard for self-service deletion. Otherwise, email privacy@kinsentry.com with the subject line "Delete My Account". We will confirm and complete the deletion within 30 days, subject to any data we are legally required to retain (such as tax records).
15. Chrome Web Store Limited Use Disclosure
KinSentry's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use Google account information solely to authenticate you and provide the Service. We do not transfer this information to third parties except as necessary to provide the Service, and we do not use it for advertising or any unrelated purpose.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or through a banner in your dashboard before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
17. Contact Us
For privacy-related questions, requests, or complaints, contact us at privacy@kinsentry.com. We aim to respond to all enquiries within 30 days.