Privacy Policy

1. Information We Collect

When you use Ask Arthur, we may process the following information:

  • Submitted text and images — processed by our AI for scam analysis, then immediately discarded. We do not retain the content you submit.
  • IP address — hashed for rate limiting purposes only. Your raw IP address is never stored.
  • Analytics — we use Plausible Analytics, a privacy-first analytics tool that collects no personal data and uses no cookies.
  • Email address — only if you voluntarily subscribe to our mailing list.

2. How We Use Your Information

Your submitted content is sent to our AI (Anthropic Claude API) for scam analysis. The analysis result is returned to you immediately, and your original content is discarded.

Aggregated, PII-scrubbed scam patterns (e.g. verdict counts by region) may be retained for research and to improve the service. These records contain no personal information.

3. Cross-Border Data Transfers (APP 8)

To provide this service, your data may be processed by the following overseas providers:

  • Anthropic (United States) — AI analysis of submitted content
  • Supabase (United States) — database infrastructure for aggregated statistics and subscriber emails
  • Cloudflare (United States / global) — content delivery and security
  • Vercel (United States) — application hosting

We take reasonable steps to ensure these providers handle your information in accordance with the Australian Privacy Principles.

4. Chrome Extension

The Ask Arthur Chrome extension is an optional companion to the web app. This section describes what the extension reads, what it sends to our API, and what it does not.

Permissions and what they are used for:

  • activeTab — reads the URL of the current tab only when you click the popup or trigger the right-click “Check with Ask Arthur” menu.
  • contextMenus — registers the right-click menu item.
  • storage — local, on-device preferences only (daily check count, dismissed warnings). Nothing is synced off-device.
  • alarms — resets the daily check counter once per day.
  • management (optional, opt-in) — requested only when you open the Extension Security Scanner tab. Reads the list of installed extension IDs so they can be audited for known risks. No extension content or user data is transmitted.
  • Facebook host permissions (www.facebook.com, m.facebook.com, web.facebook.com) — used by the Facebook Ads scanner to inspect sponsored posts for scam signals. Posts are reduced to structural fingerprints before being sent to our API. Personal posts, direct messages, and general browsing history are never read or transmitted.

What is sent to https://askarthur.au/api/extension/*:

  • URL or text you explicitly submit via the popup or right-click menu
  • Extension IDs when you run the Security Scanner
  • Ad fingerprints (structural representations, not raw post contents) when Facebook scanning is active
  • A per-install public key (ECDSA P-256) used to authenticate requests

What is not sent:

  • Personal posts, direct messages, private browsing history
  • Full page contents outside the Facebook sponsored-post fingerprinting flow
  • Any identifying information beyond the per-install public key

Authentication model. Each install generates an ECDSA P-256 keypair on first run. The private key is non-extractable and stored in the browser's local IndexedDB — it never leaves your device. All API requests are signed with the private key and verified server-side using the stored public key, with a short-lived nonce to prevent replay attacks.
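The authentication flow described above, sketched with the Web Crypto API as an added example; this is not Ask Arthur's code. The function names, the layout of the signed message, server-issued single-use nonces and the 60-second nonce lifetime are all assumptions.

```javascript
// Added example; function names, message layout and 60 s nonce lifetime are assumptions.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const ALG = { name: 'ECDSA', namedCurve: 'P-256' };
const SIG = { name: 'ECDSA', hash: 'SHA-256' };
const enc = new TextEncoder();

// Client, first run. extractable=false: exportKey() on the private key rejects, but
// the CryptoKey object itself can still be stored in IndexedDB and used to sign.
async function makeInstallKey() {
  const pair = await wc.subtle.generateKey(ALG, false, ['sign', 'verify']);
  return { privateKey: pair.privateKey,
           publicJwk: await wc.subtle.exportKey('jwk', pair.publicKey) };
}

// Signed bytes cover method, path, nonce and a body digest, so none can be swapped.
async function canonical({ method, path, nonce, body }) {
  const d = new Uint8Array(await wc.subtle.digest('SHA-256', enc.encode(body)));
  const hex = Array.from(d, b => b.toString(16).padStart(2, '0')).join('');
  return enc.encode([method, path, nonce, hex].join('\n'));
}

async function signRequest(privateKey, req) {
  const signature = await wc.subtle.sign(SIG, privateKey, await canonical(req));
  return { ...req, signature };
}

// Server side: in-memory nonce store (constructed; a real service would share it).
const nonces = new Map(); // nonce -> expiry in ms
function issueNonce(now = Date.now(), ttlMs = 60_000) {
  const bytes = wc.getRandomValues(new Uint8Array(16));
  const nonce = Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
  nonces.set(nonce, now + ttlMs);
  return nonce;
}

async function verifyRequest(publicJwk, req, now = Date.now()) {
  const expiry = nonces.get(req.nonce);
  nonces.delete(req.nonce); // single use: a captured request cannot be replayed
  if (expiry === undefined) return 'unknown-or-replayed-nonce';
  if (now > expiry) return 'expired-nonce';
  const key = await wc.subtle.importKey('jwk', publicJwk, ALG, false, ['verify']);
  const ok = await wc.subtle.verify(SIG, key, req.signature, await canonical(req));
  return ok ? 'ok' : 'bad-signature';
}
```

A non-extractable key stops export through the API; it does not stop code already running in the extension's origin from calling `sign` with it.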

Retention. Requests to the extension API are processed identically to web-app submissions — the analysed content is discarded after analysis; only aggregated, PII-scrubbed statistics are retained.

5. Data Retention

  • Submitted messages and images are discarded immediately after analysis.
  • PII-scrubbed scam pattern data (verdict counts, region statistics) is retained indefinitely to improve the service.
  • Rate limit keys auto-expire after 24 hours.
  • Subscriber email addresses are stored until you unsubscribe.

6. Cookies & Tracking

Ask Arthur does not use cookies. We use Plausible Analytics, which is a privacy-first analytics platform that does not use cookies, does not collect personal data, and is fully compliant with GDPR, CCPA, and PECR.

7. Your Rights

Under the Privacy Act 1988 (Cth), you have the right to:

  • Request access to any personal information we hold about you
  • Request correction of inaccurate information
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au

8. Contact

For privacy inquiries, contact us at brendan@askarthur.au

Last updated: April 2026