Privacy Policy
How Oversight handles your data across the Chrome & Edge extension, the iOS app, the Android app, and our web service — together, as one product.
Effective date: June 14, 2026 · Last updated: June 16, 2026
Oversight is operated by Renderwise ("Renderwise", "we", "us"). Contact: admin@renderwise.net · Website: oversightscan.com
Privacy at a glance
- Quick Scans run entirely on your device — nothing leaves it.
- AI Deep Scans send only the screenshot or text you chose to scan; images are processed, then discarded, never stored.
- We store scan results (scores and short explanations), not the email messages or images you scan.
- You can delete your account and all associated data in-app at any time.
- We don't sell your data or use it for advertising.
- Our website sets no cookies and runs no analytics or ad trackers.
1. Information we collect
We collect only what we need to detect scams and run the service. "Transient" means it is processed and then discarded; "Stored" means it is retained until you delete it (see Retention & Deletion).
| Category | What it is | Handling |
|---|---|---|
| Account data | Your email address, your password (kept only as a scrypt hash — never in plain text), and your subscription tier. | Stored |
| Scan content | The screenshot or text you submit for an AI Deep Scan. It is analyzed in memory to produce a result and is never written to disk. | Transient |
| Scan metadata | Risk score, verdict, detection engine, a short summary (≤200 characters), the top reasons, the risk factors, and a message fingerprint. Only stored when result storage is enabled (storeRiskMetadata, on by default for your own history). Sender and subject signals — a one-way hashed sender address, the sender domain, and an 80-character subject snippet — are stored only when you turn on the matching sharing options (shareSenderMetadata / shareSubjectSnippet), which are off by default. | Stored |
| Waitlist sign-up (website) | If you join the waitlist on our website, we store the email address you submit (and an optional company name) so we can notify you about availability. The website sets no cookies and runs no analytics or ad trackers. | Stored until launch / opt-out |
| Payment data | Handled entirely by Stripe (web) or Apple / Google (in-app purchases). We never receive or store full card numbers. | Stored by processor |
| Family / guardian data | Relationship links between a guardian and a protected person, and alerts shared according to the protected person's privacy settings (off by default). | Stored |
| Phone numbers | Crowd-reported scam numbers used by Call Shield / Call Directory to warn you about known scam callers. On Android, when the call shield screens a call the incoming number is sent to our servers to check its reputation; we don't store these lookups. On iOS, labeling happens entirely on-device from a downloaded list — no number is sent per call. When you report a number, we record that you reported it (linked to your account); the aggregate scam list itself is not tied to your identity. | Stored (aggregate); lookups transient |
| SMS content (iOS) | Filtered on your device. Only messages the on-device filter is unsure about are sent for a check, with no account identity attached. | Transient |
| Photos / screenshots | Only images you actively scan, or ones the opt-in screenshot watcher captures. The watcher is off by default. | Transient |
| IP address | Read transiently to rate-limit requests and prevent abuse (e.g. on sign-in and the SMS-filter check). Not stored in our application database, though it may appear in infrastructure server logs. | Transient (logs ~30 days) |
| Diagnostics | Server logs and extension heartbeats used for reliability, security, and abuse prevention. | ~30 days |
Note the difference between processed and retained: we always read the sender and subject of a message to compute its risk score, but we only keep them afterward if you've turned on the sharing options above. The message body and the screenshot are never retained.
2. How we use your data
- Detect scams and phishing in the messages you choose to scan.
- Show you your results and scan history.
- Send family / guardian alerts when enabled by the protected person.
- Process and manage your subscription and billing.
- Prevent abuse and enforce rate limits.
- Improve our detection (using results and your feedback — never your stored emails or images).
We do not use your data for advertising, and we never sell it.
3. Third-party processors
We share data with the service providers below only as needed to run Oversight. Each processes data under its own privacy policy.
| Processor | What they do |
|---|---|
| OpenAI | AI vision/text analysis of the content you submit for a Deep Scan. Content sent via OpenAI's API is not used to train their models. |
| Stripe | Payment processing for web subscriptions |
| Apple | In-app purchases on iOS |
| Google Play | In-app purchases on Android |
| Google Cloud Platform | Hosting — Cloud Run + Cloud SQL (us-central1 region) |
| Resend | Transactional and guardian-alert emails |
| Upstash | Rate limiting (listed for completeness; activated only if/when enabled) |
4. Data sharing
- With guardians: consent-based and controlled by the protected person, who decides what (if anything) is shared.
- Within teams / organizations: admins can see alerts for the members they manage.
- With the processors listed above.
We do not sell your data and do not share it for advertising.
5. Data retention & deletion
- Screenshots & images: discarded immediately after analysis — never stored.
- Scan metadata: retained until you delete your account (or for the retention window your organization sets, if any).
- Server logs: retained for about 30 days.
- Account deletion: delete your account in-app (Settings → Delete account) at any time. This permanently removes your account and cascades deletion of your scans, alerts, team memberships, and guardian links. You can also email admin@renderwise.net or use our data deletion page.
6. Your rights
Depending on where you live, you have rights over your data, including the right to access, correct, delete, and port it. Under the GDPR (EEA/UK) and the CCPA/CPRA (California), you also have the right to know what we collect, to request deletion, and to opt out of the sale of personal information — and we do not sell personal information. We will not discriminate against you for exercising these rights.
To exercise any of these, delete your account in-app or email admin@renderwise.net.
7. Security
- All data is encrypted in transit with HTTPS/TLS.
- Passwords are hashed with scrypt; sessions use signed JWTs.
- Sender email addresses are stored only as HMAC (one-way) hashes.
- Authentication tokens are stored securely on each platform — the iOS Keychain, Android EncryptedSharedPreferences, and chrome.storage.local in the extension.
- Internal access is limited to authorized staff, who may view account and scan metadata only as needed to operate, support, and secure the service. We never access the message bodies or screenshots you scan — they are never stored.
8. Children's privacy
Oversight is not directed to children under 13 (or under 16 in the EEA/UK), and we do not knowingly collect their personal data. Family Overwatch is a tool for guardians to help protect family members from scams — it is not a service that targets or profiles children.
9. Per-platform permissions
Why each sensitive permission is requested on each platform.
iOS & iPadOS
| Permission | Why we need it |
|---|---|
| Photo Library | So you can pick a screenshot to scan for a Deep Scan. |
| Messages / SMS Filter | To filter scam texts on-device; uncertain messages are checked without your identity attached. |
| Call Directory | To label known scam numbers before you answer. |
| Screenshot watcher (opt-in) | Background screenshot scanning. Off by default; turned on only after an explicit consent screen. |
Android
| Permission | Why we need it |
|---|---|
| Photos & media (READ_MEDIA_IMAGES) | So you can select a screenshot to scan. |
| Call screening (CallScreeningService) | To flag or silence known scam callers. |
| Screen capture (MediaProjection) | Powers the Quick Settings "scan screen" tile — captures the current screen only when you tap to scan. |
| Screenshot watcher (opt-in) | Background photo access for the optional watcher. Off by default, with a prominent in-app consent screen. |
| Notifications | To deliver scam alerts and guardian alerts. |
Chrome & Edge extension
| Permission | Why we need it |
|---|---|
| activeTab / tabs | To capture a screenshot of the visible tab when you run a scan. |
| scripting | To display the risk-score panel inside the page (Gmail / Outlook). |
| Host access (Gmail, Outlook, and <all_urls>) | Needed to read the message you choose to scan and to use captureVisibleTab for in-page Deep Scans. |
| storage | Keeps your settings and session locally (chrome.storage.local). |
Chrome Web Store — single purpose & Limited Use
Oversight has a single purpose: detecting scams and phishing in the messages you choose to scan.
Oversight's use of information received from Google APIs and from your browser adheres to the Chrome Web Store User Data Policy, including the Limited Use requirements. Specifically: we use the data only to provide and improve this single scam-detection purpose; we do not sell this data; we do not use or transfer it for advertising, personalized ads, or creditworthiness/lending purposes; and we do not allow humans to read the data except (a) with your consent, (b) as necessary for security, abuse prevention, or legal reasons, or (c) where the data has been aggregated or anonymized for internal operations.
10. Changes to this policy
We may update this policy from time to time. When we do, we'll revise the "Last updated" date above, and for material changes we'll notify you by email or in-app.
11. Contact
Questions about this policy or your data? Contact Renderwise at admin@renderwise.net.