Privacy Policy

What we collect. What we don’t. What happens to anything you share.

RealityCheck was built by a victim of fraud. The people who use this site are often in a vulnerable state. Privacy is not a legal formality here. It is a direct commitment to the people this site exists for.

This policy is written in plain language. If something is unclear, it is an error in writing, not a deliberate obscuring of intent.

Last updated: May 2026. This policy applies to all pages on this site.

What we do not collect

We do not run advertising. We do not use tracking pixels. We do not embed third-party social media scripts. We do not sell data. We do not share your information with any third party except as described in this policy.

We do not use analytics tools. There is no Google Analytics, Meta Pixel, or equivalent service on this site. We do not track which pages you visit or how long you spend on them.

We do not store the conversation text you type into the analyzer unless you explicitly check the consent checkbox and click “Save Anonymously” after receiving your result. If you do not opt in, nothing you type is stored anywhere. When you close the page, it is gone.

We do not store copies of files you upload for analysis. Files are processed and then discarded. We do not log file contents. We do not keep a record of what you uploaded.

We do not store your raw IP address. If your IP address is processed for rate-limiting purposes, it is immediately converted to a one-way hash (SHA-256) before storage. The hash cannot be reversed to recover your IP address. See the section below on anonymous sessions for detail.

We do not handle payment card numbers, CVV codes, bank account details, UPI credentials, or any other payment credentials. When you make a payment, you are redirected to a hosted payment page operated by Stripe or Razorpay. Your financial details are entered there and never leave their infrastructure. They do not pass through our servers.

What we do collect

Anonymous session token

When you use the analyzer, your browser receives a short token that identifies your session. This token is stored in your browser’s localStorage under the key rc_anon_session and sent to our server as a header on each analysis request. It is used solely to track your daily and monthly quota so you are not blocked after your first request.

The token contains no personal information. It is a random string signed with a server secret. It is not shared with any third party. You can clear it at any time by clearing your browser’s localStorage. Clearing it resets your quota counter for the current session.

IP address hash

To prevent abuse — specifically, people clearing their session token repeatedly to bypass the daily analysis limit — we record a one-way hash of your IP address when a new anonymous session is created. The hash is computed as SHA-256(IP + server secret). The raw IP address is never written to our database. The hash is stored solely to enforce a limit of five new anonymous sessions per IP per 24 hours. It is not used for any other purpose and is not shared.

Conversation text — opt-in only

After receiving your analysis result, a checkbox appears offering to share the result anonymously to help improve fraud detection for others. This is entirely optional and unchecked by default. If you check it and click “Save Anonymously,” the following happens:

The conversation text is passed through an automatic scrubber that removes email addresses, phone numbers, names, card numbers, cryptocurrency wallet addresses, dates of birth, and other common identifiers before anything is stored. The scrubbed text, the fraud type detected, the risk rating, and the analysis model used are stored in our database. No account, no IP address, no session token, and no identifying information is attached to this record. The record cannot be linked back to you.

You can only store once per analysis result. Storing is irreversible — we have no way to identify which record is yours in order to delete it, because we deliberately do not record that link.

Experience form submissions

Each of the six recovery pages contains an optional form where you can share your experience. Everything in this form is optional. You do not need to submit anything to use this site.

If you submit the form, it is sent directly to our backend server and stored in our database. What is stored: your selected fraud type, platform, amount lost, duration, and current status (all dropdown selections); the text you write in the experience field, if you write anything; and your email address, if you provide one.

The experience text is passed through the same PII scrubber described above before storage. Your email address, if provided, is stored in a separate database column and is never combined with your experience text, never included in any automated notification, and never shared. It is used only if the site owner needs to follow up with you directly and you have implicitly consented to that by providing it.

Form submissions are used for one purpose only: to understand new fraud patterns and improve the content on this site. They are not shared with third parties, law enforcement, government bodies, or any organisation.

Registered accounts

Creating an account is optional. The analyzer works without one. An account gives you a higher daily and monthly analysis limit and access to file uploads and other features.

If you register, we store your email address and a hashed version of your password (bcrypt via Django’s auth system — the original password is never stored). Your email is used to send a password reset link if you request one. It is not used for marketing and is not shared.

Password reset emails are sent via Resend, a transactional email service. Resend receives your email address for the purpose of delivering the reset message. Their privacy policy applies: resend.com/legal/privacy-policy.

Subscription and payment records

If you purchase a plan or buy refill credits, we store a minimal record of the transaction. What is stored:

Your account email address (from your registered account). The plan tier purchased (Personal or Professional), whether it is monthly or annual, and the period start and end date. A reference ID issued by the payment provider — an opaque string such as cs_live_abc123 (Stripe) or order_xyz789 (Razorpay). This is an internal tracking identifier, not your card number or any financial detail. For refill credit purchases: the number of credits added (always 150) and the provider payment reference.

This record is used for one purpose: to determine what access level your account should have and when that access expires.

What the record never contains: card numbers, expiry dates, CVV codes, bank account details, UPI credentials, billing address, or any payment credential. We never see these because Stripe and Razorpay handle them directly on their own infrastructure before confirming the transaction outcome to us.

Analysis requests

When you submit text or a file for analysis, the request is sent to our backend server (hosted on Render), which forwards it to Google’s Gemini API. Our server receives the analysis result and returns it to your browser. Your conversation text passes through our server in transit but is not stored unless you opt in as described above. Files are processed and then discarded.

Third parties

Netlify hosts the frontend of this site — the HTML, CSS, and JavaScript files. Netlify may log standard server access data (IP addresses, page requests, timestamps) as part of their infrastructure. RealityCheck does not control or access this log data. Netlify does not handle any form submissions or user data for this site. Netlify privacy policy: netlify.com/privacy.

Render hosts our backend server and PostgreSQL database. All API requests, account data, form submissions, anonymized analysis records, and subscription records are stored on Render’s infrastructure. Render privacy policy: render.com/privacy.

Google Gemini API processes the text and files you submit for analysis. Your conversation content passes through Google’s infrastructure. Google’s data handling for API requests is governed by their terms: ai.google.dev/gemini-api/terms. API data is not used to train Google’s models under their current API terms.

Resend delivers password reset emails. When you request a password reset, your email address is shared with Resend solely for delivery. Resend privacy policy: resend.com/legal/privacy-policy.

Stripe processes payments made in currencies other than Indian Rupees — primarily USD. When you choose a Global (USD) plan, you are redirected to a Stripe Checkout page hosted on stripe.com. Your card details are entered there and never transmitted to RealityCheck’s servers. We receive only a session reference ID confirming whether the payment succeeded. We do not receive, store, or have access to your card number, expiry date, or CVV. Stripe is a PCI-DSS Level 1 certified payment processor. Stripe privacy policy: stripe.com/privacy.

Razorpay processes payments made in Indian Rupees (INR). When you choose an India (INR) plan, the Razorpay payment SDK opens a payment window in your browser. Your card, UPI, net banking, or wallet credentials are entered in that window and transmitted directly to Razorpay — not to RealityCheck. We receive only an order and payment reference ID. We do not receive, store, or have access to your card number, UPI PIN, or net banking credentials. Razorpay is a PCI-DSS certified payment processor. Razorpay privacy policy: razorpay.com/privacy.

Your rights

Under India’s Digital Personal Data Protection Act 2023 (DPDP Act), and under the UK and EU General Data Protection Regulation (GDPR) for visitors from those regions, you have the right to access, correct, and request deletion of any personal data held about you.

In practical terms, the personal data this site may hold about you is:

If you have an account: your email address and hashed password. To delete your account and all associated data, contact us via the recovery page forms with the subject “Delete My Account.” We will remove it from our database within 30 days.

If you have made a payment: we hold a subscription or refill record containing your account email, the plan tier, the access period, and a provider reference ID. To request deletion of payment records, contact us with the subject “Delete My Payment Record.” We will remove the record within 30 days. Note that deleting a payment record from our database does not constitute a refund — refund requests must be made separately via the contact form.

If you submitted an experience form: your responses and, if provided, your email address. To have a submission deleted, contact us with enough detail to identify it (approximate date, fraud type selected). We will remove it within 30 days.

Anonymized analysis records: if you opted in to anonymous storage, these records contain no identifying information and cannot be linked back to you. We therefore cannot delete a specific record on request because we have no way to identify which one is yours.

To exercise any of these rights or ask any question about this policy, use the recovery page forms with the subject “Privacy Request.” We will respond.

Minors

This site is intended for adults. If you are under 18, please speak to a trusted adult about what you are experiencing rather than using this site alone. Fraud affects people of all ages and there is no shame in asking for help from someone you know.

Changes to this policy

If this policy changes in any meaningful way, the date at the top of this page will be updated. We will not change this policy in ways that reduce your privacy rights without notice.

You came to this site because something felt wrong.
What you do here is yours.
We are not watching.