Privacy Policy
For procurement and vendor due-diligence: our Security Overview, DPA template, and sub-processor list are available alongside this policy. See /trust for the full pack.
1. Information We Collect
When you use Ask Arthur, we may process the following information:
- Submitted text and images — processed by our AI for scam analysis, then immediately discarded. We do not retain the content you submit.
- IP address — hashed for rate limiting purposes only. Your raw IP address is never stored.
- Analytics — we use Plausible Analytics, a privacy-first analytics tool that collects no personal data and uses no cookies.
- Email address — only if you voluntarily subscribe to our mailing list.
2. How We Use Your Information
Your submitted content is sent to our AI (Anthropic Claude API) for scam analysis. The analysis result is returned to you immediately, and your original content is discarded.
Aggregated, PII-scrubbed scam patterns (e.g. verdict counts by region) may be retained for research and to improve the service. These records contain no personal information.
3. Cross-Border Data Transfers
Ask Arthur is operated by Young Milton Pty Ltd, an Australian company. To provide this service, your data may be processed by the following overseas providers:
- Anthropic (United States) — AI analysis of submitted content
- Supabase (United States) — database infrastructure for aggregated statistics and subscriber emails
- Cloudflare (United States / global) — content delivery and security
- Vercel (United States) — application hosting
We take reasonable steps to ensure these providers handle your information in line with the Australian Privacy Principles (APP 8) and equivalent overseas-transfer standards under UK GDPR, EU GDPR, Canadian PIPEDA, and Brazilian LGPD.
4. Chrome Extension
The Ask Arthur Chrome extension is an optional companion to the web app. This section describes what the extension reads, what it sends to our API, and what it does not.
Permissions and what they are used for:
- activeTab — reads the URL of the current tab only when you click the popup or trigger the right-click “Check with Ask Arthur” menu.
- contextMenus — registers the right-click menu item.
- storage — local, on-device preferences only (daily check count, dismissed warnings). Nothing is synced off-device.
- alarms — resets the daily check counter once per day.
- management (optional, opt-in) — requested only when you open the Extension Security Scanner tab. Reads the list of installed extension IDs so they can be audited for known risks. No extension content or user data is transmitted.
- Facebook host permissions (www.facebook.com, m.facebook.com, web.facebook.com) — used by the Facebook Ads scanner to inspect sponsored posts for scam signals. Posts are reduced to structural fingerprints before being sent to our API. Personal posts, direct messages, and general browsing history are never read or transmitted.
What is sent to https://askarthur.au/api/extension/*:
- URL or text you explicitly submit via the popup or right-click menu
- Extension IDs when you run the Security Scanner
- Ad fingerprints (structural representations, not raw post contents) when Facebook scanning is active
- A per-install public key (ECDSA P-256) used to authenticate requests
What is not sent:
- Personal posts, direct messages, private browsing history
- Full page contents outside the Facebook sponsored-post fingerprinting flow
- Any identifying information beyond the per-install public key
Authentication model. Each install generates an ECDSA P-256 keypair on first run. The private key is non-extractable and stored in the browser's local IndexedDB — it never leaves your device. All API requests are signed with the private key and verified server-side using the stored public key, with a short-lived nonce to prevent replay attacks.
Retention. Requests to the extension API are processed identically to web-app submissions — the analysed content is discarded after analysis; only aggregated, PII-scrubbed statistics are retained.
5. Ask Arthur Shield — Shopify Merchant App
Ask Arthur Shield is a forthcoming Shopify app for Australian merchants that adds fraud-prevention and chargeback-defence services to their checkout. This section describes the buyer data handling commitments that apply when a merchant installs the app. The app is currently in development and is not yet available on the Shopify App Store.
What we process:
When an Australian merchant installs Ask Arthur Shield, we process buyer email, phone, billing address, shipping address, and order metadata (line items, browser IP, user-agent).
Why:
To compute a SAFE / UNCERTAIN / SUSPICIOUS / HIGH_RISK trust verdict for each order, and to generate Card Issuer Evidence 3.0–compliant evidence packs when the merchant receives a chargeback.
Where:
Stored in Australia (Supabase Sydney region, separate from our main analysis pipeline) and encrypted at rest with pgsodium. Encryption keys live in Supabase Vault; access is restricted to the service role and is logged for audit.
How long:
120 days from order date (matching the standard chargeback window). After 120 days, all personally identifying buyer data is purged automatically.
Who we share with:
Nobody. The data is processed solely for the installing merchant's fraud-prevention surface. We do not sell, market against, or otherwise commercialise customer PII. Aggregate signal counters (not identifiable) may be retained for corpus enrichment.
Your rights:
Under the Australian Privacy Act 1988 and the Australian Privacy Principles, you may request access to or deletion of personal information we hold about you. Contact brendan@askarthur.au.
Our data processor relationship with Shopify merchants:
When the Shopify app processes buyer PII, the merchant is the data controller and Ask Arthur is the data processor. Our data processing agreement (DPA) with merchants is available at /trust/dpa.
6. How We Use Your Feedback
When you rate a check with thumbs-up or thumbs-down, we store: your rating, any reason chips you selected, any optional comment, and a hashed identifier derived from your IP address and browser. We do not store your original submission alongside the rating — only a short content hash so we can link the rating to the verdict you saw.
If you tick “Help Arthur get better — use my de-identified check to train our models”, we retain a PII-redacted copy of the check for up to 24 months to improve the classifier. This checkbox is opt-in and defaults off. Under the Australian Privacy Act 1988 (Cth) — and equivalent reasoning under UK GDPR, EU GDPR, and Canadian PIPEDA — hashing is not anonymisation where re-identification is reasonably possible, so we treat training-consent records as personal information: we redact names, emails, phone numbers, bank details and similar identifiers before retention, and you may request deletion at any time by emailing brendan@askarthur.au. A self-service dashboard is planned.
7. Data Retention
- Submitted messages and images are discarded immediately after analysis.
- PII-scrubbed scam pattern data (verdict counts, region statistics) is retained indefinitely to improve the service.
- Rate limit keys auto-expire after 24 hours.
- Subscriber email addresses are stored until you unsubscribe.
8. Cookies & Tracking
Ask Arthur does not use cookies. We use Plausible Analytics, which is a privacy-first analytics platform that does not use cookies, does not collect personal data, and is fully compliant with GDPR, CCPA, and PECR.
9. Your Rights
You have the right to access, correct, and request deletion of personal information we hold about you. This applies under the Australian Privacy Act 1988 (Cth) and equivalent regimes including UK GDPR, EU GDPR, Canadian PIPEDA, and Brazilian LGPD, depending on your jurisdiction.
- Request access to any personal information we hold about you
- Request correction or deletion of inaccurate information
- Withdraw consent you previously gave
- Lodge a complaint with the relevant privacy regulator for your jurisdiction:
  - Australia — Office of the Australian Information Commissioner (oaic.gov.au)
  - United Kingdom — Information Commissioner's Office (ico.org.uk)
  - European Union — your national Data Protection Authority
  - Canada — Office of the Privacy Commissioner (priv.gc.ca)
  - Brazil — Autoridade Nacional de Proteção de Dados (gov.br/anpd)
10. Contact
For privacy inquiries, contact us at brendan@askarthur.au.
Last updated: May 2026