legal

Privacy Policy

How we handle data — and our commitment not to sell your browsing. This policy explains what we collect, why, and the choices you have.

Last updated: June 2, 2026

On this page

  1. What this policy covers
  2. Information we collect
  3. How we use information
  4. How we disclose information
  5. Your rights (GDPR & CCPA)
  6. Data security
  7. Data retention
  8. No guarantee of detection
  9. Children’s privacy
  10. International transfers
  11. Changes
  12. Contact

At SafeToOpen, we respect your privacy and are committed to protecting your personal and business information. This Privacy Policy explains how we collect, use, disclose, and safeguard information across our products and services, including our website and dashboard, the SafeToOpen browser extension (Browser Security & Privacy), our email security add-ins for Outlook and Gmail, our brand protection service, and our developer API.

1. What this policy covers

This Policy applies to all personal and business information we collect through SafeToOpen’s websites and dashboard, the browser extension (managed and unmanaged versions), our email security add-ins, our brand protection service, our developer API, and any backend components you deploy in your own cloud environment.

2. Information we collect

We collect only the information necessary to provide, improve, and support our products. The types vary by product.

2.1 Account and contact information

  • Name, email address, and phone number
  • Billing information, where applicable
  • Account credentials, where relevant
  • Corporate details (business name, role) for business accounts

2.2 Email Security (Outlook & Gmail add-ins)

Depending on version, we may process your email address, IP address and country, and a SHA-2 hash of fully-qualified domain names (FQDNs) from links in analysed emails. We design our email analysis to minimise data and, where used, emails analysed for verification are deleted from our processing servers once analysis is complete.

2.3 Browser Security & Privacy extension

For the unmanaged/free version we may process your IP address, a SHA-2 hash of the FQDNs and domain names you visit, the extension version, and the reasons a URL was flagged. Payment-card (PCI) detection and redaction performed by Paste Guard happens locally on your device and is not transmitted to us. Managed/business deployments may be configured to send detection events to your own administrators and security tools.

2.4 PII / Paste Guard protection

Paste Guard helps detect when sensitive information is about to be pasted, uploaded, typed, or submitted into a website. Card-data detection runs locally. For optional PII detection, content may be analysed in real time to perform detection, but is not stored or sold; for organisations, this analysis can be configured to run within your own private network.

2.5 Backend components you deploy

If you deploy a SafeToOpen component in your own cloud environment, credentials and configuration may reside on your infrastructure, under your control. We collect only what is described in your applicable agreement.

3. How we use your information

  • Detect phishing, malicious websites, and potential data-leakage events
  • Provide and manage your account, subscriptions, and entitlements
  • Process transactions and provide support
  • Improve detection quality and product performance
  • Communicate service and security information, and (with consent where required) marketing you can opt out of
  • Meet legal, regulatory, and security obligations

4. How we disclose your information

We do not sell, rent, or lease your personal information. We disclose information only to trusted service providers who process it on our behalf under contract (for example, payment processors and cloud hosting), where required by law or to protect our legal rights, or in connection with a corporate transaction, subject to this Policy.

5. Your rights (GDPR & CCPA/CPRA)

We are committed to compliance with the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA) where they apply to you.

5.1 If you are in the EEA or UK

You may have rights of access, rectification, erasure, restriction, objection, and portability, and the right to withdraw consent and to lodge a complaint with a supervisory authority.

5.2 If you are a California resident

You may have rights to know, delete, correct, and opt out of the “sale” or “sharing” of personal information (we do not sell or share it), and the right not to be discriminated against for exercising these rights.

5.3 How to exercise your rights

Contact us at [email protected]. We may request information to verify your identity before acting on a request.

6. Data security

We implement appropriate physical, technical, and organisational safeguards designed to protect information from unauthorised access, alteration, disclosure, or destruction — including encrypted transmission (TLS/SSL), access controls, and an information-security programme aligned to ISO/IEC 27001:2022.

No method is perfectly secure. While we work hard to protect your information, no method of transmission or storage is completely secure, and we cannot and do not guarantee absolute security. You use the services and transmit information at your own risk, to the extent permitted by law.

7. Data retention

We retain information only as long as necessary to provide the services, meet legal obligations, resolve disputes, and enforce our agreements. For example, emails analysed for verification are deleted from our processing servers once analysis is complete. We then delete or anonymise information unless a longer retention period is required by law.

8. No guarantee of detection or prevention

Important — please read. SafeToOpen’s products are designed to help reduce risk, but no security product can detect or prevent all threats. We do not warrant or guarantee that our products will detect every phishing page, malicious site, malware, or zero-day attack, or that they will prevent every instance of sensitive information being exposed, transmitted, or leaked. Our products are one layer of protection and are not a substitute for your own security practices, judgement, backups, and controls. To the maximum extent permitted by law, SafeToOpen is not liable for threats that are not detected or prevented, or for any resulting loss. Your use of the products is governed by our Terms of Use, including the limitation of liability and disclaimer of warranties set out there.

9. Children’s privacy

Our services are not directed to children under 13, and we do not knowingly collect their information. If we learn we have collected information from a child under 13, we will delete it promptly.

10. International data transfers

As a global company, we may process and store information in multiple regions, with appropriate safeguards such as Standard Contractual Clauses where required. If you have specific data-residency requirements, contact us at [email protected].

11. Changes to this policy

We may update this Privacy Policy from time to time. Changes will be posted here with a revised “Last updated” date; significant changes may also be communicated by email or in-product notice.

12. Contact us

Questions about this Privacy Policy or your rights? Email [email protected].

© 2026 SafeToOpen Limited and its subsidiaries. All rights reserved. SafeToOpen is ISO/IEC 27001:2022 certified.