Message Loupe

Privacy

Short version: your email is never uploaded. Long version below.

What we collect

Nothing about your email. When you drop a file or paste headers, the parser, content classifier, and verdict logic all run in JavaScript inside your browser. The contents of your email are never transmitted to us, our hosting provider, or any third party.

Domain lookups may happen. For non-webmail senders, your browser may ask Google Public DNS for the sender domain's MX records. A same-site Cloudflare function may relay that domain to public RDAP services for its registration age. The domain is sent in the request body rather than the URL. These requests never include email contents, headers, links, verdict, or the uploaded file.

No analytics, no cookies, no tracking. We don't embed Google Analytics, Plausible, Posthog, or any other tracker. The site is served from a CDN, with one narrowly scoped domain-age function.

Standard server logs. Our hosting provider (Cloudflare Pages) keeps short-lived request logs for availability and DDoS-mitigation purposes. These contain your IP address and the URL you requested, like every other website on the internet. They do not contain anything from your email.

What we don't do

If you contact us

If you email us at [email protected], we'll have whatever you put in that email and your reply-to address. We use that to answer you and nothing else. We don't add you to a mailing list.

Verifying our claims

You don't have to take our word for it. The full source is available on GitHub. Open your browser's network tab while you analyze a sample email; the only scan-time requests you should see are optional domain-only lookups to dns.google and the same-site/api/rdap endpoint.

Changes to this policy

If this ever changes, the change will be in the git history of the site's repository. We won't add tracking quietly.