Privacy Policy
Suracode
Effective Date: 7 February 2026 Last Updated: 7 February 2026
1. Introduction
Suracode ("the App", "we", "us", "our") is operated by Dignity Labs Ltd, a company registered in England and Wales (Company Number: 16954194).
We are committed to protecting your privacy and handling your data responsibly. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your personal data.
Our core principle: We collect the minimum data necessary to provide the service. Your family's code word is encrypted on your device before it ever leaves — we cannot read it. Screenshots you scan never leave your device. We do not store your name, email address, or any personally identifying information in our application database.
2. Data Controller
Dignity Labs Ltd Company Number: 16954194 Registered in England and Wales
Email: [email protected] Website: https://dignitylabs.co.uk
For data protection enquiries, contact us at the email address above.
3. Information We Collect
3.1 Our Application Database
Our application database contains no personally identifying information. All user references are anonymous unique identifiers (UUIDs) that cannot be linked to your real identity without access to the authentication system (see Section 3.2).
| Data Type | Purpose | Storage | Personal Data? |
|---|---|---|---|
| Anonymous User ID | Identify you within the App | Our servers (a random UUID) | No |
| Family Name | Label for your family group (you choose this) | Our servers | Only if you choose to include personal information |
| Family Code Word | Core functionality — sync across family devices | Our servers (end-to-end encrypted — we cannot read this) | No (encrypted) |
| Family Region | Provide region-appropriate alerts and contacts | Our servers (UK, US, or AU) | No |
| Membership Role | Track admin/member status | Our servers | No |
| Timestamp Data | Track when code words are changed, check-ins recorded | Our servers | No |
3.2 Authentication Data (Managed by Supabase Auth)
The App uses Google Sign-In (or Apple Sign-In where available) to verify your identity. Authentication is handled entirely by Supabase Auth, our backend infrastructure provider. When you sign in:
- Your Google or Apple credentials are verified by the respective provider
- Supabase Auth stores your email address, display name, and provider identifier in its managed authentication system
- Dignity Labs Ltd does not store your email, name, or authentication credentials in our application database
- Your identity within our application tables is represented solely by an anonymous UUID
Supabase acts as our data processor for authentication data. Their handling of this data is governed by their privacy policy and our data processing agreement. See Section 16 for details.
| Data Type | Stored By | Dignity Labs Access | Purpose |
|---|---|---|---|
| Email address | Supabase Auth (not our tables) | We do not query or display this | Authentication |
| Display name | Supabase Auth (not our tables) | We do not query or display this | Authentication |
| Google/Apple unique ID | Supabase Auth (not our tables) | We do not query or display this | Authentication |
3.3 Pro Feature Data
| Data Type | Purpose | Storage | Personal Data? |
|---|---|---|---|
| Family Votes | Record Scam/Unsure/Safe votes on suspicious messages | Our servers (linked to anonymous UUID) | No |
| Vote Descriptions | User-written label for the vote session | Our servers | Only if you choose to include personal information |
| Check-in Records | Track family protection streak | Our servers (anonymous UUID + date) | No |
3.4 Data NOT Collected by Pro Features
| Feature | What We Do NOT Collect |
|---|---|
| Scam Pattern Checker | Screenshots, images, extracted text — all processing is on-device |
| Family Voting | Screenshots you share externally (via WhatsApp, etc.) |
| Deepfake Check | Video call content, recordings, or images |
3.5 Data Stored Only on Your Device
The following data never leaves your device and is never transmitted to our servers:
- Your PIN (hashed, in secure hardware storage)
- Your biometric preference
- Trusted contact names and phone numbers
- Encryption keys (in secure hardware storage)
- Cached scam alerts
- Scam checker images and extracted text (discarded after use)
- Disclaimer acknowledgement state
- Session tokens (in secure hardware storage)
3.6 Optional Analytics (Opt-In Only)
If you choose to enable "Help improve Suracode" in Settings, we collect:
| Data Type | Purpose | Storage |
|---|---|---|
| Anonymous usage statistics | Understand which features are used | Our servers (aggregated, no identifiers) |
| Crash reports | Fix bugs and improve stability | Our servers |
| App and OS version | Ensure compatibility | Our servers |
This data: - Contains no personal information - Cannot identify you or your family - Is never sold or shared with advertisers - Can be disabled at any time in Settings
Default: Analytics is OFF. We only collect this data if you explicitly opt in.
3.7 Information We Do NOT Collect
We explicitly do not collect:
- Your name (not stored in our application database)
- Your email address (not stored in our application database)
- Your phone number (trusted contacts stay on your device)
- Your location or GPS coordinates
- Your contacts list
- Your photos or media (scam checker processes images on-device only)
- Your browsing history
- Advertising identifiers
- Any biometric data (biometrics are processed locally by your device's operating system)
- Screenshots you scan (processed on-device, never transmitted)
- Content of video calls
- Your Google or Apple password
4. How We Use Your Information
We use the information we collect to:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide the core service (syncing code words) | Performance of contract |
| Authenticate your identity (via Supabase Auth) | Performance of contract |
| Provide scam alerts feed | Performance of contract |
| Enable family voting (Pro) | Performance of contract |
| Track protection streaks (Pro) | Performance of contract |
| Maintain and improve the App | Legitimate interests |
| Provide customer support | Legitimate interests |
| Ensure security and prevent abuse | Legitimate interests |
| Comply with legal obligations | Legal obligation |
We do not use your data for:
- Advertising or marketing
- Profiling or automated decision-making
- Selling to third parties
- Training AI models
- Any purpose unrelated to providing the service
5. End-to-End Encryption
How It Works
- When you create a family, an encryption key is generated on your device
- This key is combined with a join code to create an invite code (e.g.,
ABC123-XyZ789...) - You share this invite code with family members via text, email, or in person
- The encryption key portion never passes through our servers separately — it's only transmitted when you choose to share it
- Your code word is encrypted on your device before transmission
- Our servers store only encrypted data — we cannot decrypt it
- Only devices with the family key can decrypt the code word
What This Means
- Even if our servers were compromised, your code word would remain protected
- Dignity Labs staff cannot read your code word
- Law enforcement requests cannot reveal your code word (we don't have the key)
- You control who receives the invite code and how it's shared
6. Scam Checker Privacy (Pro Feature)
The Scam Pattern Checker is designed with privacy as a priority:
On-Device Processing
- Screenshots are processed entirely on your device using ML Kit text recognition
- Images never leave your device
- Extracted text is not stored or transmitted
- We cannot see what you scan
- No record of scans is kept (message content is never logged)
How It Works
- You select or take a screenshot
- The App uses on-device OCR to extract text
- Text is analysed locally against known scam patterns
- Results are displayed
- When you close the screen, all data is discarded
This design ensures maximum privacy while providing scam pattern checking functionality.
7. Scam Alerts Privacy
What We Collect
- We fetch alerts from our servers based on your family's region (UK, US, or AU)
- We do not track which alerts you view
- We do not collect personal data when you view alerts
Caching
- Alerts are cached locally on your device for offline access
- Cache refreshes automatically when you're online (every 24 hours minimum)
- Cached data is stored only on your device
Third-Party Sources
Alerts are sourced from official organisations. When you tap "Read more" on an alert, you are taken to the source website, which has its own privacy policy.
8. Family Voting Privacy (Pro Feature)
What We Collect
| Data Type | Storage | Retention |
|---|---|---|
| Vote choice (Scam/Unsure/Safe) | Our servers | Until vote session closed |
| Voter's anonymous UUID | Our servers | Until vote session closed |
| Vote timestamp | Our servers | Until vote session closed |
| Vote session description (user-written) | Our servers | Until vote session closed |
What We Do NOT Collect
- Screenshots (you share these externally via WhatsApp, text, etc.)
- Images of any kind
- The content being voted on
Visibility
- Votes are visible to family members only
- Vote counts are aggregated (e.g., "3 voted Scam, 1 voted Safe")
- Individual votes may be visible to family members
9. Data Storage and Security
Where We Store Data
Your data is stored on servers provided by Supabase, Inc., located in the European Union (Frankfurt, Germany). Supabase complies with GDPR and maintains SOC 2 Type II certification.
Security Measures
| Measure | Description |
|---|---|
| End-to-end encryption | Code words encrypted on your device before transmission |
| Zero PII in application database | Our tables contain only anonymous UUIDs — no names, emails, or identity data |
| Server encryption at rest | Supabase encrypts all stored data using AES-256 |
| Encryption in transit | All connections use HTTPS/TLS |
| Row-level security | Database rules ensure you can only access your family's data |
| PIN/Biometric protection | App requires authentication to access |
| Brute-force protection | App locks after 5 failed PIN attempts |
| Hardware-backed storage | Sensitive data stored in iOS Keychain / Android Keystore |
| On-device processing | Scam checker images never leave your device |
| Session timeout | App locks after 60 seconds in background or 5 minutes of inactivity |
Note: Your code word is encrypted by the App before being sent to our servers. Even though Supabase also encrypts data at rest, we add our own encryption layer so that only your family can read the code word.
Local Storage
Some data is stored only on your device:
- Your PIN (hashed, in secure storage)
- Your biometric preference
- Trusted phone numbers and contact names
- Encryption keys (in secure storage)
- Cached scam alerts
- Temporary scam checker data (discarded after use)
- Disclaimer acknowledgement state
This data is never transmitted to our servers.
Data Breach Notification
Our zero-PII architecture means your exposure in the event of a server breach is limited. Our application database contains only anonymous UUIDs and encrypted data — no names, no emails, no identity information. Your code word is end-to-end encrypted and we do not hold the decryption keys, so it remains protected even if our servers are compromised.
The only personal data held on our infrastructure is your email address and display name, stored by Supabase Auth for authentication purposes (see Section 3.2). This is the extent of what could be exposed in a breach.
If a personal data breach occurs that is likely to affect your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours and, where the risk is high, notify affected users without undue delay, in accordance with UK GDPR Articles 33 and 34.
10. Data Sharing
We Share Data With
| Recipient | Purpose | Data Shared |
|---|---|---|
| Supabase, Inc. | Cloud infrastructure, authentication, and database | Encrypted application data; authentication data (email, name) managed by Supabase Auth |
We Do NOT Share Data With
- Advertisers
- Data brokers
- Marketing companies
- Social media platforms
- AI training providers
- Any other third parties
Legal Disclosure
We may disclose information if required by law, court order, or government request. However:
- Our application database contains only anonymous UUIDs — we cannot identify users from our own tables without Supabase Auth
- We cannot provide decrypted code words (we don't have the keys)
- Authentication data (email, name) is held by Supabase Auth, not in our application tables
- We will notify you of such requests unless legally prohibited
11. Data Retention
| Data Type | Retention Period |
|---|---|
| Active family data | Retained while family group exists |
| Deleted family data | Permanently deleted within 30 days |
| Authentication data (Supabase Auth) | Retained while you have an active session; deleted within 30 days of account deletion request |
| Local device data | Deleted immediately when you leave a family |
| Vote sessions | Deleted when vote is closed or after 7 days |
| Check-in records | Retained while family group exists |
| Cached alerts | Refreshed every 24 hours; deleted when app is uninstalled |
| Support correspondence | 2 years from last contact |
How to Delete Your Data
To delete all your data from our servers:
- Open the App
- Go to Settings
- Tap "Leave Family"
- Confirm
This will: - Remove your anonymous UUID from the family group immediately - Delete your membership, votes, and check-in records from our servers - Delete all local data (PIN, encryption key, trusted contacts) from your device - If you are the last member, the entire family group is deleted
To delete your authentication data: Contact us at [email protected] to request deletion of your Supabase Auth record.
We will process deletion requests within 30 days as required by GDPR.
12. Your Rights (GDPR)
Under the UK GDPR, you have the following rights:
Right of Access
You can request a copy of all data we hold about you. Note: our application database identifies you only by anonymous UUID. Authentication data (email, name) is held by Supabase Auth. Contact us at [email protected].
Right to Rectification
You can update your family name within the App at any time.
Right to Erasure ("Right to be Forgotten")
You can delete your data by: - Leaving your family group (removes your data from our application database) - Contacting us to request complete deletion including authentication data
Right to Restriction of Processing
You can request we limit how we use your data in certain circumstances.
Right to Data Portability
You can request your data in a machine-readable format.
Right to Object
You can object to processing based on legitimate interests.
Right to Withdraw Consent
Where we rely on consent, you can withdraw it at any time.
Right to Lodge a Complaint
You have the right to complain to the Information Commissioner's Office (ICO): - Website: https://ico.org.uk - Helpline: 0303 123 1113
13. Children's Privacy
Suracode is designed to be used by families, which may include children. However:
- The App does not knowingly collect personal information from children under 13
- Our application database contains no personal information from any user
- We recommend that parents/guardians set up and manage the App
- Children should only use the App under parental supervision
- If we learn we have collected data from a child under 13 without parental consent, we will delete it promptly
If you believe a child has provided us with personal information, please contact us immediately.
14. International Data Transfers
Your data is processed and stored within the European Economic Area (EEA). Supabase hosts our database in Frankfurt, Germany.
Authentication services (Google Sign-In, Apple Sign-In) may process authentication tokens in the United States using approved data transfer safeguards maintained by those providers. Our application database, which contains no personally identifying information, remains in the EEA at all times.
App store distribution (Apple/Google) is separate from app data.
15. Cookies and Tracking
The App does not use cookies or tracking pixels. We do not track your behaviour across other apps or websites.
Optional analytics: If you opt in via Settings, we collect anonymous usage data to improve the App. This is disabled by default. See Section 3.6 for details.
16. Third-Party Services
Supabase (Database, Real-time Sync, and Authentication)
- Purpose: Cloud database, real-time sync, and user authentication
- Location: EU (Frankfurt)
- Data held: Our application data (anonymous UUIDs, encrypted content); authentication data (email, name, provider ID) in Supabase Auth
- Privacy Policy: https://supabase.com/privacy
Google Sign-In (Authentication)
- Purpose: Verify your identity
- Data received by Supabase Auth: Display name, email address, unique identifier
- Data stored in our application database: None — only an anonymous UUID
- Privacy Policy: https://policies.google.com/privacy
Apple Sign-In (Authentication, where available)
- Purpose: Verify your identity
- Data received by Supabase Auth: Display name, email address (or private relay), unique identifier
- Data stored in our application database: None — only an anonymous UUID
- Privacy Policy: https://www.apple.com/legal/privacy/
ML Kit (On-Device OCR)
- Purpose: Text recognition for scam pattern checker
- Location: On-device only (no data transmitted)
- Privacy: https://developers.google.com/ml-kit
Apple App Store / Google Play Store
- Purpose: App distribution and payments
- Privacy Policy: See respective store policies
Scam Alert Sources
- Purpose: Provide scam alert content
- Note: When you tap through to read full alerts, you visit third-party websites with their own privacy policies
17. Regional Privacy Rights
17.1 United Kingdom
Your rights are set out in Section 12. The ICO is your supervisory authority.
17.2 European Union
Your rights under the EU GDPR are equivalent to those in Section 12. You may also lodge a complaint with your local Data Protection Authority.
In accordance with the Digital Services Act (Regulation (EU) 2022/2065), Dignity Labs Ltd does not engage in targeted advertising, does not deploy recommender systems, and does not process personal data for profiling purposes.
You have a 14-day right to withdraw from any paid subscription without giving a reason. You may exercise this right by contacting us at [email protected]. You may use the EU Online Dispute Resolution platform: https://ec.europa.eu/consumers/odr
17.3 United States
California (CCPA/CPRA): You have the right to know what personal information we collect, request deletion, and opt out of sale of personal information. We do not sell personal information. We do not share personal information for cross-context behavioural advertising. Our application database contains no personally identifying information.
Virginia, Colorado, Connecticut, and other US states with consumer privacy legislation: You have equivalent rights to know, delete, and opt out. We honour all verifiable consumer requests regardless of your state of residence.
To exercise any US state privacy right, contact [email protected]. We will respond within 45 days.
17.4 Australia
Your rights are protected under the Australian Privacy Principles (APPs) under the Privacy Act 1988. You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
17.5 Canada
Your rights are protected under PIPEDA and applicable provincial privacy legislation. You have the right to access, correct, and request deletion of your personal information. You may lodge a complaint with the Office of the Privacy Commissioner of Canada.
18. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- We will update the "Last Updated" date at the top
- For significant changes, we will notify you via the App
- Continued use of the App after changes constitutes acceptance
We recommend reviewing this policy periodically.
19. Contact Us
For any questions about this Privacy Policy or your personal data:
Dignity Labs Ltd Company Number: 16954194 Registered in England and Wales
Email: [email protected] Website: https://dignitylabs.co.uk
We aim to respond to all enquiries within 30 days.
20. Summary
| Question | Answer |
|---|---|
| Do you sell my data? | No, never |
| Do you store my name or email? | Not in our application database. Authentication data is held by Supabase Auth. |
| Can you read my code word? | No, it's end-to-end encrypted |
| Can you see screenshots I scan? | No, scanning happens on your device only |
| Do you store the content I vote on? | No, you share screenshots externally |
| Where is my data stored? | EU (Frankfurt, Germany) |
| Can I delete my data? | Yes, leave the family or contact us |
| Do you track me? | Only if you opt in, and it's anonymous |
| Do you use my data for AI training? | No, never |
| Where are trusted contacts stored? | On your device only — never on our servers |
| Who can I complain to? | The ICO (https://ico.org.uk) or your local data protection authority |
This Privacy Policy was last updated on 7 February 2026.