Privacy Policy
Last updated: March 2026
1. Data Controller
AntiSpoof (antispoof.app) is an independent civic project. For the purposes of the General Data Protection Regulation (GDPR — EU Regulation 2016/679), the data controller can be contacted at: [email protected].
2. Data Collected
AntiSpoof operates on the principle of data minimisation. We do not store identifiable personal data. Specifically:
- Reported phone numbers: these are public domain data collected from public sources or voluntarily submitted by users. They do not belong to the reporting user.
- IP addresses: we store only a one-way cryptographic hash (SHA-256) of IP addresses to prevent spam, making it impossible to identify the reporter.
- Cookies: we use a language preference cookie (NEXT_LOCALE). We do not use tracking or advertising cookies.
- Supabase session data: if you create an account, Supabase manages authentication securely. Please see Supabase's privacy policy for details.
Authority report generation happens entirely on your device (client-side). No personal data contained in those reports reaches our servers.
3. Legal Basis for Processing
Processing by AntiSpoof is based on the following GDPR legal bases:
- Article 6(1)(f) — Legitimate Interests: processing is necessary for our legitimate interests in protecting citizens from fraud and abusive calls, and does not override the fundamental rights and freedoms of data subjects.
- Article 6(1)(e) — Public Interest: communicating fraud information to competent authorities constitutes a task in the public interest.
4. Data Sharing
AntiSpoof does not sell, share or transmit data to third parties for commercial purposes.
Spam phone number data is shared in aggregated, anonymised form with collaborative security platforms, under legitimate interests of citizen protection.
5. Your Rights
Under GDPR, you have the following rights:
- Right of access (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure (Article 17 GDPR)
- Right to restriction of processing (Article 18 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to object (Article 21 GDPR)
To exercise your rights, contact: [email protected]
6. Data Retention
Phone number data is retained as long as it remains relevant for citizen protection. Individual reports are linked to anonymised IP hashes and can be deleted on justified request.
7. Security
We implement appropriate technical and organisational measures to protect data, including in-transit encryption (TLS 1.3), cryptographic hashing of identifiers, and strict database access controls.