
Privacy

Last updated: May 18, 2026.

This page explains what PhishPond collects, what third parties may collect, and the rights you have over that data. It is written to be honest first and legally comprehensive second; if anything here is unclear, email privacy@phishpond.io.

1. What we collect directly

  • Heuristic Scanner — nothing. Analysis runs entirely in your browser; the text you paste is never sent to any server.
  • Email Inspector — the .eml file you drop, or the headers you paste, are parsed entirely in your browser. The raw message bytes, body content, attachments, and any embedded links never leave your device. For the optional sender-reputation lookup we send only the sender's domain (e.g. example.com) to a serverless function, which performs DNS queries (MX, SPF, DMARC) and an RDAP age lookup. The domain string is not logged or stored beyond the lifetime of the request.
  • Link Scout — when you submit a URL, that URL is sent to a serverless function which fetches it once on your behalf, returns the result, and discards it. We retain only the IP address of the requester, in volatile memory, for the length of a one-minute rate-limit window. Nothing about a submission is persisted to disk.
  • Domain-age lookups (RDAP) — to help judge whether a destination is a brand-new attacker domain, the scanner asks the relevant domain registry for the registration date of the URL's eTLD+1 (the registered name only — never the full path or query). This uses the standard, free RDAP protocol against data.iana.org (to discover the right server) and the registry's own RDAP endpoint (e.g. Verisign for .com, Public Interest Registry for .org, Identity Digital for .io). Results are cached in-memory for 12 hours. No information about you is sent to these registries — only the bare domain name being scanned.
  • Phishing.Database threat feed — to check whether a scanned domain appears in a known-active phishing list, our server periodically downloads a flat domain list from phish.co.za (the CDN for Phishing.Database). This is a bulk download of a public file — no information about you, your IP, or the URL you are scanning is transmitted to phish.co.za. The downloaded list is cached in-memory for 24 hours and used only for local Set-membership comparisons.
  • Server logs — our hosting provider (Vercel) retains short-lived HTTP request logs (IP, timestamp, path, user-agent, status code) for operational and security purposes. We do not query these logs to profile users.

2. What third parties collect

Vercel Web Analytics

Anonymous, cookieless page-view metrics are collected by Vercel. No personal information, cross-site tracking, or device fingerprinting is performed.

Google AdSense

PhishPond uses Google AdSense to display advertisements on most pages. AdSense and its partners use cookies and similar technologies (including the DoubleClick IDE cookie and Google's advertising IDs) to serve ads, measure ad performance, and — where you have consented — personalize the ads you see based on prior visits to PhishPond and other sites.

Specifically, AdSense may collect or process:

  • IP address and approximate location (country / region).
  • Device, browser, and operating-system information.
  • Cookie identifiers and other on-device storage tokens used for ad attribution.
  • Pages viewed on PhishPond and interactions with ad units.

Google's use of advertising cookies is governed by Google's advertising policy and Privacy Policy. You can manage or opt out of personalized advertising at any time at Google Ads Settings or youradchoices.com (US) / youronlinechoices.eu (EU).

Affiliate links

PhishPond participates in the Hack The Box affiliate program. When you click an affiliate link, an attribution cookie may be set by the destination site so any subsequent purchase can be credited to PhishPond. We receive aggregate commission information only — never your name, email, or payment details.

3. Cookie consent (EEA, UK, Switzerland)

If you visit from the European Economic Area, the United Kingdom, or Switzerland, you will be shown a consent message powered by Google's Funding Choices Consent Management Platform before any non-essential cookies are set. You can choose to:

  • Consent — receive personalized ads.
  • Do not consent — receive non-personalized ads only; no cross-site profiling occurs.
  • Manage options — granular per-purpose and per-vendor control.

You can change your choice at any time by clicking the Privacy options link that Google injects at the bottom of every page after the consent banner is dismissed.

4. California residents (CCPA / CPRA)

PhishPond does not "sell" personal information for money. However, the use of cookie-based advertising may be considered "sharing" for cross-context behavioural advertising under the California Privacy Rights Act (CPRA). California residents have the right to:

  • Know what personal information is collected.
  • Opt out of the sale or sharing of personal information.
  • Request deletion of personal information held about them.
  • Not be discriminated against for exercising these rights.

To opt out of personalized advertising, use the Google Ads Settings link above, or enable the Global Privacy Control signal in your browser; Google AdSense honours this signal where it applies.

5. Data retention

  • Email Inspector .eml contents: never sent off-device.
  • Email Inspector sender-domain lookups: discarded immediately after the response.
  • Link Scout submissions: discarded immediately after fetch.
  • Rate-limit IP cache: 60 seconds, in volatile memory.
  • Vercel server logs: retained per Vercel's policy (typically 1–30 days).
  • AdSense / Google Analytics data: retained per Google's policy.

6. Children

PhishPond is not directed at children under 16 and we do not knowingly collect information from them. If you believe a child has submitted information to us, email privacy@phishpond.io for deletion.

7. Changes to this policy

We will update the Last updated date at the top of this page when this policy changes. Material changes will also be noted in the field-notes blog.

8. What we do not do

  • We do not require an account.
  • We do not store the messages or URLs you analyse.
  • We do not share submissions with third parties.
  • We do not run device-fingerprinting or session-replay scripts.
  • We do not sell personal information.

9. Contact

For privacy questions or data-rights requests (access, deletion, opt-out), email privacy@phishpond.io. See the About page for the full address list.

10. Open-source attributions

PhishPond uses data from the following open-source projects. Where MIT or similar licences require preservation of the copyright notice, it is reproduced here.

Phishing.Database

Active phishing-domain feed used for blocklist scoring.
Repository: github.com/Phishing-Database/Phishing.Database
License: MIT

Copyright © 2018–2025 Mitchell Krog — @mitchellkrogza
Copyright © 2018–2025 Nissar Chababy — @funilrys
Copyright © 2018–2025 Phishing.Database Contributors — @Phishing-Database

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

This page is informational and is not legal advice. If you operate PhishPond from a jurisdiction with additional disclosure requirements, adapt accordingly.
