Privacy Policy
Rampart Technologies - FZCO ("we", "us", "Rampart") operates the Rampart mobile application. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your personal information.
We are incorporated in the UAE and comply with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, "PDPL"), the EU General Data Protection Regulation ("GDPR") where applicable, and Apple's App Store Guidelines.
1. Information We Collect
1.1 Account Information
When you create an account, we collect your email address (via Apple Sign-In, Google, or Microsoft authentication), display name (if provided), preferred language, and region. Your account is secured through your chosen identity provider — we do not store passwords.
Apple Sign-In is used for account authentication only and does not provide access to your inbox. To scan your emails, you must separately connect a Gmail or Outlook account within the app. If you choose Apple's private email relay, we store that relay address for account communications, but email scanning requires a Gmail or Outlook connection.
1.2 Email Data
When you connect a Gmail or Outlook account, Rampart accesses your inbox in read-only mode to scan incoming emails for threats. Here is exactly what we process and store:
| Data | What Happens |
|---|---|
| Email body text | Analyzed in memory, then discarded. Never stored. |
| Subject line | Analyzed in memory, then hashed (SHA-256). Only the hash is stored. |
| Sender address | Hashed (SHA-256) before storage. Sender domain is extracted for threat analysis. |
| Email authentication headers | SPF, DKIM, and DMARC results are stored to detect spoofing. |
| Link URLs | Domains are extracted and checked against threat databases. Full URLs are not stored. |
| Threat analysis results | Threat score, threat reasons, and recommended action are stored. |
1.3 SMS Data
When you enable SMS filtering, Rampart's on-device filter analyzes incoming messages locally on your phone. Message content is analyzed in memory and never leaves your device. Only hashed identifiers, threat scores, and extracted features (such as whether a URL was present) are synced to our servers.
1.4 OAuth Tokens
To access your Gmail or Outlook inbox, we store OAuth access tokens and refresh tokens. These are encrypted using AES-256-GCM before storage. The encryption key is stored in your device's Secure Enclave (iOS Keychain) and is never transmitted to our servers in readable form.
1.5 Device Information
We collect a hashed device fingerprint (derived from device model, OS version, locale, and timezone) solely for fraud prevention — specifically to detect and prevent manipulation of community safety votes. We do not collect your Advertising Identifier (IDFA), Vendor Identifier (IDFV), or any persistent hardware identifiers.
1.6 Community Votes
When you vote on whether a message is a scam or safe, we store your vote alongside the hashed message identifier. Votes are aggregated to build community-powered scam detection. Individual votes are linked to your user ID for quality scoring but are never displayed publicly.
1.7 Push Notification Tokens
If you enable push notifications, we store your Apple Push Notification Service (APNs) device token to deliver threat alerts and security updates. You can disable notifications at any time through iOS Settings.
1.8 Onboarding Preferences
During initial setup, you may enter a preferred first name to personalize your experience. This name is stored in your account and used within the app — it may differ from the name associated with your identity provider. You may update or remove it at any time from Settings.
During onboarding, you are also asked a small number of optional questions about your security concerns, who you are protecting, and your comfort level with technology. Your answers are stored as account preferences and are used solely to personalize the app experience. These answers are not shared with third parties and are deleted when your account is deleted.
1.9 Family Check-in Data
If you activate Family Check-in, Rampart periodically generates a protection snapshot — an aggregate summary containing your current protection status (Protected, Needs Attention, or Inactive), the number of threats caught in recent periods, the timestamp of your last scan, and which permissions are currently active. This snapshot contains no message content of any kind. It is transmitted to our servers every six hours, or when your protection status changes, and is made available to your designated family members.
Both parties must explicitly consent to the connection via an in-app confirmation before any data is shared. Either party may revoke the connection at any time; upon revocation, the connection record is deleted and no further snapshots are sent.
2. How We Use Your Data
We use the information collected to scan emails and SMS for phishing, scams, and security threats; authenticate your email connections securely; personalize your in-app experience based on your onboarding preferences; build and improve community-powered scam detection through aggregated, anonymized vote data; send push notifications about detected threats; prevent abuse of the voting system; manage your subscription and provide customer support; and enable Family Check-in by sharing your protection snapshots with family members you have authorized.
3. Voluntary ML Training Contribution
After using Rampart for a period, you may be invited to opt in to our data contribution program. If you choose to participate, when you mark a message as a scam, extracted technical signals (sender domain, link patterns, authentication failures, urgency indicators) are saved to help improve threat detection for all users. Your message content, subject lines, sender names, and phone numbers are never saved — even with opt-in. Only messages you explicitly flag as scams are analyzed. We do not passively collect data from safe messages. You can withdraw consent at any time from Settings.
4. Data Storage and Security
Your data is stored on Supabase-hosted PostgreSQL databases with the following protections:
Encryption in transit: All API calls use TLS 1.3.
Encryption at rest: OAuth tokens are encrypted with AES-256-GCM before storage. Database backups are encrypted.
Row-Level Security: PostgreSQL RLS policies ensure you can only access your own data. Other users cannot see your scans, votes, or account details.
Hashing: All personally identifiable information in email/SMS scans (sender addresses, message content, phone numbers) is hashed using SHA-256 before storage.
5. Third-Party Services
Rampart integrates with the following third-party services:
| Service | Purpose | Data Shared |
|---|---|---|
| Apple Sign-In | Account authentication | Email, name (as shared by you) |
| Google OAuth | Gmail inbox access (read-only, for threat scanning) | OAuth tokens (read-only scope) |
| Microsoft OAuth | Outlook inbox access | OAuth tokens (read-only scope) |
| Apple Push Notification Service | Threat alerts | Device token, notification content |
| Supabase | Backend infrastructure | All stored data (encrypted where noted) |
| Apple StoreKit | Subscription management | Transaction data (managed by Apple) |
We do not use any third-party analytics services, advertising SDKs, or tracking pixels.
6. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
- Email/SMS scan results: Retained while your account is active for your threat history.
- Community votes: Retained indefinitely in aggregated form to protect all users. Individual vote attribution is removed upon account deletion.
- OAuth tokens: Deleted immediately when you disconnect an email provider or delete your account.
- ML training contributions: If opted in, retained for up to 12 months. Deleted upon consent withdrawal or account deletion.
- Device ban records: Retained indefinitely for security purposes (contains only hashed device identifiers).
- Onboarding preferences and preferred first name: Retained while your account is active. Deleted within 30 days of account deletion.
- Family Check-in connection data: Deleted immediately when either party revokes the connection or when either account is deleted. Pairing codes expire after 15 minutes if unused.
- Protection snapshots (Family Check-in): The most recent snapshot for each Protected User is retained while the family connection is active and is deleted when the connection is revoked or either account is deleted.
7. Your Rights
Under the UAE PDPL and GDPR (where applicable), you have the following rights:
- AccessView what we store about you
- RectificationCorrect inaccurate information
- ErasureRequest deletion of your data ("right to be forgotten")
- RestrictionLimit how we process your data
- PortabilityReceive your data in a structured format
- Withdraw ConsentFor optional data processing (ML contribution, push notifications)
- ObjectTo specific processing activities
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
8. Children's Privacy
Rampart is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided personal information to us, contact us at [email protected] and we will delete it promptly.
Individuals between 13 and 17 may only use the App with prior consent from a parent or legal guardian. The Family Check-in feature is designed for adult caregivers supporting elderly family members or guardians supporting minors. It must not be used for unauthorized surveillance.
9. International Data Transfers
Rampart Technologies - FZCO is based in the United Arab Emirates. Your data may be processed on servers located in the United States (Supabase infrastructure) and transferred through Google and Microsoft's global infrastructure for email access. These transfers are necessary to provide our service and are protected by the security measures described in Section 4.
10. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. If we make material changes, we will notify you through the app or via email before the changes take effect. The "Last Updated" date at the top of this policy indicates when it was most recently revised.
If a change affects the ML training contribution program, users who previously opted in will be asked to re-consent under the updated terms.
11. Contact Us
If you have questions about this Privacy Policy or your personal data, reach out: