Privacy Policy
1. Who We Are
Befor is a mobile security application that helps you verify the safety of links, QR codes, and images before interacting with them. This Privacy Policy explains what data we collect, how we use it, who we share it with, and what rights you have over your information.
This policy applies to the Befor app available on Google Play and the Apple App Store, and to our backend services.
2. What Data We Collect
Data you provide
- Email address — obtained when you sign in with Google or Apple. Used solely for authentication and account identification.
- Name and profile photo — if you sign in with Google or Apple, your display name and profile photo are received from the provider. Used only to personalise your in-app profile screen. Not stored on our backend.
- Scan inputs — URLs, QR codes, and images you choose to scan. These are sent to our server to perform the safety analysis you requested.
- Clipboard content (optional) — if you enable Auto-Scan Clipboard in Settings, Befor reads the most recent clipboard item while the app is active to detect if it contains a link. Clipboard content is never stored or transmitted; a URL is only sent for analysis if you explicitly choose to scan it.
Data we collect automatically
- Scan history — the URLs and verdicts from your scans, stored against your account so you can review previous results.
- Device locale — your country/region setting, used to search local reputation sources in your language. Not linked to your identity.
- Scan counts and plan status — the number of scans you have used and your plan status, to enforce your plan limits.
- Website identity signals — when you scan a website, we extract and store business identity details published on that site (such as a contact email, company registration number, or physical address) together with the scan's safety verdict. We use this to detect networks of related fraudulent websites operated by the same entity. These are details that businesses publish on their own public pages — they are not your personal information.
Data we do NOT collect
- Your physical address
- Your GPS location
- Your contacts or call history
- Advertising identifiers (IDFA / GAID)
- Data from other apps on your device
3. How We Analyse Your Scans
When you scan a URL, QR code, or image, your input is transmitted over an encrypted HTTPS connection to our secure backend. We use the following third-party AI and security services to perform the analysis:
- Google Gemini AI — analyses the content of the page and searches the web for reviews, complaints, and known risk signals related to the domain you are scanning. Your URL or image is sent to Google's servers for this purpose.
- Google Web Risk — checks the URL against Google's database of known harmful websites.
- URLhaus (abuse.ch) — checks the URL against a real-time database of active malware distribution sites.
- Cloudflare DNS — verifies the domain's DNS health and configuration.
- Trustpilot — your device retrieves publicly available business reviews for the domain directly from Trustpilot. Your IP address is visible to Trustpilot for this single request. We do not relay this data through our servers.
- Domain registry & certificate records (RDAP, crt.sh) — we look up the domain's public registration date and certificate history to assess its age and legitimacy. Only the domain hostname is sent.
Your scan input is shared with these services solely to perform the analysis you requested. None of these services receive your email address or account information.
Connecting to the site you scan: To check a link, your device and our servers connect to that website — the same as opening it in a browser. The site you are checking may therefore see the connecting IP address. We never send that site your account details.
No AI training: The scan inputs we send to Google Gemini (the link, page content, or image) are used only to produce your result. They are not used to train Google's AI models.
Crash reporting: We use Sentry to monitor app crashes and errors. Sentry receives your device model, operating system version, IP address, and crash stack traces. This data is used solely to diagnose and fix bugs.
Images: When you upload a screenshot for scanning, it is sent to Google Gemini AI for visual analysis only. We do not store your images — they are analysed and immediately discarded. Images are never used to train AI models.
4. Data Storage & Location
Your account data and scan history are stored using Supabase, a cloud database platform with SOC 2 Type II compliance and encryption at rest and in transit.
- All data is encrypted at rest using AES-256.
- All data is encrypted in transit using TLS 1.2 or higher.
- API keys and secrets are stored in server-side environment variables — never in the app itself.
5. Data Retention
| Data type | How long we keep it |
|---|---|
| Email address | Until you delete your account |
| Scan history | Until you delete it or close your account |
| Device locale | Not stored — used per-scan only |
| Images | Not stored — discarded immediately after analysis |
| Scan statistics (aggregate) | Up to 24 months |
When you delete your account, all associated data — including your email address and scan history — is permanently deleted within 30 days.
6. In-App Purchases
Befor offers a monthly Befor+ subscription purchasable inside the app. All payments are processed by:
- Google Play Billing — for purchases made on Android devices.
- Apple App Store / StoreKit — for purchases made on iOS devices.
- RevenueCat — a purchase management platform that tracks your purchase status across platforms.
Befor does not process or store your payment card details. All payment information is handled exclusively by Google, Apple, and RevenueCat under their respective privacy policies. We only receive confirmation of whether a purchase was successful and which plan you purchased.
7. Your Rights
Under GDPR (if you are in the EU/EEA) and similar laws worldwide, you have the following rights over your personal data:
- Right to Access — you can request a copy of all personal data we hold about you.
- Right to Deletion — you can request permanent deletion of your account and all associated data. We will fulfil this within 30 days.
- Right to Portability — you can request your data in a structured, machine-readable format (JSON).
- Right to Correction — you can request correction of any inaccurate personal data.
- Right to Restrict Processing — you can ask us to stop using your data in certain ways while a complaint is being investigated.
- Right to Object — you can object to our processing of your data where we rely on legitimate interests.
- Right to Withdraw Consent — where processing is based on your consent, you can withdraw it at any time.
To exercise any of these rights, contact us at the email address in Section 13. We will respond within 30 days. No fee is charged for reasonable requests.
EU/EEA users: If you believe we have handled your data unlawfully, you have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK, the CNIL in France, or the BfDI in Germany).
California users (CCPA): You have the right to know what personal information we collect, to request deletion, and to opt out of any sale of personal information. We do not sell personal information.
8. Data Sharing & Third Parties
We do not sell your data. We do not share your personal information with advertisers, data brokers, or any third party for marketing purposes.
We share data only in the following limited circumstances:
- Service providers — the third-party services listed in Section 3 receive only the minimum data needed to perform the analysis (the URL or image you submitted).
- Payment processors — Google, Apple, and RevenueCat receive purchase confirmation as described in Section 6.
- Legal requirements — we may disclose data if required by law, court order, or to protect the rights and safety of our users.
9. Children's Privacy
Befor is not directed at children under the age of 13 (or 16 in the EU under GDPR). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately and we will delete it.
10. Security Measures
We take security seriously. Your data is protected by:
- HTTPS/TLS encryption for all data in transit
- AES-256 encryption at rest for all stored data
- API keys and credentials stored exclusively in server-side secure environment variables
- Row-level security policies in our database
- Rate limiting to prevent abuse and brute-force attacks
- No storage of payment card or financial details
11. Third-Party Services & Their Policies
The following third-party services process data on our behalf. Each operates under its own privacy policy:
- Google Gemini AI — policies.google.com/privacy
- Google Web Risk — cloud.google.com/terms/data-processing-terms
- Supabase — supabase.com/privacy
- RevenueCat — revenuecat.com/privacy
- URLhaus / abuse.ch — abuse.ch/privacy-policy
- Trustpilot — legal.trustpilot.com/privacy-policy
- Sentry — sentry.io/privacy
- Cloudflare — cloudflare.com/privacypolicy
12. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will:
- Update the "Last updated" date at the top of this policy
- Send an email notification to users with registered accounts
- Display an in-app notice for material changes
Continued use of Befor after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with the changes, you may delete your account at any time.
13. Contact Us
If you have questions about this policy, want to exercise your data rights, or need to report a privacy concern, please contact us:
Email: hello@befor.app
Response time: Within 30 days of receipt
For GDPR-related requests, please include "GDPR Request" in the subject line and specify which right you wish to exercise.
This Privacy Policy applies to the Befor mobile application available on Google Play and the Apple App Store, and to the Befor backend services. Effective date: June 16, 2026.