Privacy Policy
Last updated: April 18, 2026
1. Introduction
At ScanTotal ("we," "us," or "our"), we believe privacy is a fundamental right, not a feature. This Privacy Policy explains in detail how we collect, process, store, share, and protect information when you visit scantotal.net and use our free security scanning tools, including our file scanner, URL scanner, email analyzer, SMS/text analyzer, QR code scanner, and threat intelligence lookup.
Our guiding principle is simple: we collect only the minimum information necessary to deliver our services, and we never sell, rent, or trade your data. By using our Site and Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Site.
2. Who We Are
ScanTotal is a free, privacy-first cybersecurity platform operated as an independent project. The service is based in Australia and delivered globally through Cloudflare's edge network.
- Site operator: ScanTotal
- Privacy contact: contact@scantotal.net
- Service scope: free online security scanning tools for individuals and small businesses
3. Information We Collect
3.1 Information You Voluntarily Provide
When you use our scanning tools, you choose what information to submit. We only process what you actively provide:
- URLs and domains: When you use the URL Scanner, QR Scanner, or Threat Intelligence tool, we process the URL or domain you enter to perform heuristic analysis and check it against reputable threat databases.
- File hashes: When you scan a file, the file is hashed (SHA-256) directly in your browser using the Web Crypto API. Only the hash, never the file itself, is sent to our servers for comparison against known malware signatures. The actual file never leaves your device.
- Text and SMS content: When you use the SMS Analyzer, the text you paste is processed to detect scam patterns. It is analysed in real time and discarded immediately after the result is returned.
- Email files (.eml): When you use the Email Analyzer, the email headers and body are parsed for indicators of phishing or malicious attachments. Nothing is retained after processing.
- QR code images: Images submitted to the QR Scanner are decoded in-browser; the decoded URL is then processed through our URL scanning pipeline.
- Contact information: If you contact us via email or the contact form, we receive whatever information you choose to include, usually your name, email address, and message content.
Important: We do not permanently store the content you submit. All scan data is processed in real time and discarded immediately after analysis.
3.2 Information Collected Automatically
When you visit scantotal.net, certain information is collected automatically:
- IP address: Used for rate limiting, abuse prevention, and approximate geolocation (country/region only).
- Browser and device information: User agent string, operating system, language preference, and screen size, primarily for compatibility and analytics.
- Scan metrics: Anonymous counters record how many scans of each type are performed, to help us monitor service usage and detect abuse.
- Timestamps and referrer URLs: Standard web log data used for debugging, security, and service reliability.
This automatically collected information is primarily handled by Cloudflare as part of our hosting infrastructure and by our own minimal analytics system. We do not use Google Analytics, Facebook Pixel, or any other third-party tracking analytics.
3.3 Cookies and Similar Technologies
We use only the cookies strictly necessary to operate the Site, plus cookies set by our advertising partner:
- Essential cookies: Used for CSRF protection, admin session management, and remembering your scan preferences. These cannot be disabled without breaking core functionality.
- Advertising cookies (Google AdSense): If AdSense is active on the Site, Google may place cookies on your device to deliver ads, limit how often you see the same ad, and measure ad effectiveness. Google's use of cookies is governed by Google Privacy & Terms.
- No analytics or social tracking cookies: We do not set cookies for marketing, cross-site tracking, or behavioural profiling.
You can control or delete cookies through your browser settings. Disabling essential cookies may prevent parts of the Site from functioning correctly.
4. How We Use Your Information
- Service delivery: Running scans, returning results, and protecting users from threats.
- Rate limiting and abuse prevention: Applying per-IP request limits (30 requests per minute by default) to keep the service fast and free for everyone.
- Service improvement: Understanding which tools are used most, where errors occur, and how to improve accuracy of threat detection.
- Security: Protecting the Site against denial-of-service attacks, automated abuse, and malicious submissions.
- Legal compliance: Complying with applicable laws, lawful requests, and enforceable subpoenas.
- Communications: Responding to questions, support requests, or feedback you send us.
We do not use your information to build advertising profiles, train machine learning models, or sell to data brokers.
5. Legal Bases for Processing (GDPR)
If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar data protection laws, we rely on the following legal bases under the General Data Protection Regulation:
- Legitimate interests: Operating a secure and reliable service, preventing abuse, and improving our product.
- Consent: For non-essential cookies and similar technologies, where required by local law.
- Contractual necessity: Delivering the service you requested by submitting a scan.
- Legal obligation: Retaining certain logs or complying with valid legal requests.
You have the right to object to processing based on legitimate interests at any time.
6. Third-Party Services
We rely on a small number of carefully selected third-party services to run the Site:
- Cloudflare, Inc.: Provides hosting, DNS, CDN, DDoS protection, and Workers compute. Connection metadata (IP, user agent, timestamps) is handled by Cloudflare as part of standard hosting operations. See Cloudflare's Privacy Policy.
- Google Safe Browsing: URLs you submit to the URL, QR, Email, or SMS scanner may be checked against Google Safe Browsing's threat database. This is handled server-side and submitted anonymously, no user identifiers are sent. See Google Safe Browsing.
- Google AdSense: If ads are enabled, Google AdSense serves the ads and may use cookies and device identifiers as described in Section 10 below.
- Anthropic (Claude API): When enabled, email content submitted to the Email Analyzer may be passed to Anthropic's Claude model for language-model phishing analysis. Anthropic does not retain your data for model training. See Anthropic's privacy policy.
We do not share your data with any other third parties for marketing or advertising purposes.
7. Data Retention
We retain data only as long as necessary to fulfil the purposes described in this Policy:
- Scan content (URLs, hashes, text): Not stored after processing.
- Uploaded files: Never uploaded, client-side hashing only.
- Contact-form messages: Up to 24 months, then deleted.
- Admin logs: Up to 90 days.
- Cloudflare access logs: Per Cloudflare's retention policy (typically short-lived).
- Anonymous analytics counters: Indefinitely, with no user-identifiable information.
If you contact us and ask us to delete any data you have sent us, we will do so within 30 days where legally permitted.
8. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We only share information in the following limited circumstances:
- Service providers: Sharing with our infrastructure partners (Cloudflare, Google Safe Browsing, Anthropic) strictly for service delivery.
- Legal process: When required to comply with a valid subpoena, court order, or other legal obligation.
- Rights protection: To protect the rights, property, or safety of ScanTotal, our users, or the public.
- Business transfer: In the unlikely event of a merger, acquisition, or asset sale, user information may be part of the transferred assets, with notice to affected users where legally required.
9. International Data Transfers
ScanTotal operates from Australia and uses services (Cloudflare, Google, Anthropic) headquartered in the United States with infrastructure worldwide. By using the Site, you acknowledge that your information may be transferred to and processed in countries other than your country of residence. Where transfers involve data protected under GDPR, we rely on Standard Contractual Clauses or equivalent safeguards adopted by our service providers.
10. Advertising and Google AdSense
To keep ScanTotal free, we may serve advertisements provided by Google AdSense. AdSense may use cookies and similar technologies to:
- Show ads relevant to your interests based on your prior visits to this or other websites.
- Limit the number of times you see the same ad.
- Measure the effectiveness of advertising campaigns.
You can opt out of personalised advertising at Google's Ads Settings or through industry-wide opt-out tools at youronlinechoices.com and aboutads.info.
Google, as a third-party vendor, uses cookies to serve ads on our Site. Google's use of the DART cookie enables it and its partners to serve ads to users based on their visits to our Site and other sites on the Internet.
11. Data Security
We take reasonable and appropriate measures to protect your information:
- HTTPS everywhere: All traffic is served over TLS 1.3 via Cloudflare.
- Client-side hashing: Files are hashed in your browser; raw files never reach our servers.
- Minimal data collection: Less data means less risk.
- Security headers: HSTS, Content-Security-Policy, X-Frame-Options, Referrer-Policy, and Permissions-Policy are enforced.
- Admin controls: Administrative access is protected by strong passwords, TOTP multi-factor authentication, and short-lived signed session tokens.
- Rate limiting and CSRF protection: Active on all sensitive endpoints.
No internet-based service can be guaranteed 100% secure. If we discover a breach that affects your personal information, we will notify affected users and applicable authorities as required by law.
12. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Right to access: Request a copy of the personal information we hold about you.
- Right to rectification: Correct inaccurate information.
- Right to erasure ("right to be forgotten"): Request deletion of personal information.
- Right to restrict processing: Request that we limit how we process your information.
- Right to data portability: Receive your information in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent.
- Right to lodge a complaint: File a complaint with your local data protection authority (for example, the Office of the Australian Information Commissioner, the UK Information Commissioner's Office, or your EU supervisory authority).
To exercise any of these rights, email us at contact@scantotal.net. We will respond within 30 days.
13. California Privacy Rights (CCPA/CPRA)
California residents have specific rights under the California Consumer Privacy Act and the California Privacy Rights Act, including the right to know what information is collected, the right to deletion, the right to correction, the right to opt out of the "sale" or "sharing" of personal information, and the right to non-discrimination. ScanTotal does not sell personal information within the meaning of the CCPA. To exercise any California-specific rights, email contact@scantotal.net.
14. Do Not Track
Some browsers offer a "Do Not Track" (DNT) signal. Because there is no industry-wide standard for how DNT should be honoured, our Site does not respond to DNT signals. However, we respect your privacy by limiting tracking to the essentials described in this Policy.
15. Children's Privacy
ScanTotal is not directed at children under the age of 13 (or the minimum age specified by local law, such as 16 in some EU countries). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, post a prominent notice on the Site. Continued use of the Site after changes means you accept the updated Policy.
17. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or your personal information, please contact us:
Email: contact@scantotal.net
Website: scantotal.net/contact
We take privacy seriously and will respond to all legitimate inquiries as quickly as possible, typically within a few business days.