Privacy Policy
Last updated: March 26, 2026
LooksPhishy.org is a non-profit, open-source service for reporting phishing URLs. This policy explains what data we collect, why, and what happens to it.
Responsible for data processing: Simon Köck — reachable at privacy@looksphishy.org
What we collect
When you submit a report via the website
- The URL you report. This is the core purpose of the service. We store and process it to verify the threat and relay it to security providers.
- Your email address, if you choose to provide one. This is optional and only used to notify you about the outcome of your report.
- A Cloudflare Turnstile token. This is generated by Cloudflare’s bot-detection widget embedded in the form. It helps us prevent automated abuse. The token does not contain personal information. See Cloudflare’s privacy policy for how Cloudflare processes Turnstile data.
When you forward an email to report@looksphishy.org
- The content of the forwarded email, including headers, body text, and any URLs contained within it. We extract the URLs, process them, and discard the email content.
- Your email address (the sender address). We use this to notify you about the outcome of your report.
We do not store the original phishing email body after URLs have been extracted.
Automatically collected data
- Server logs. Our infrastructure (hosted on Cloudflare) may log IP addresses, request timestamps, and user-agent strings for operational and security purposes. These logs are retained for a maximum of 30 days and are not used for tracking or analytics.
What we do NOT collect
- We do not use cookies for tracking.
- We do not use analytics services (no Google Analytics, no Plausible, nothing).
- We do not require user accounts.
- We do not sell, rent, or trade any data.
How we use your data
Reported URLs are:
- Verified against threat intelligence sources to confirm they are malicious.
- Relayed to security providers including Google Web Risk, Netcraft, Cloudflare, and domain/hosting abuse contacts. This is the entire purpose of the service.
- Stored in our database to prevent duplicate reports and to allow us to track the status of each relay.
Reported URLs are shared with third-party security providers by design. That is what this service does. The URLs themselves are suspected phishing sites, not personal data of the reporter.
Third-party services
| Service | Purpose | Their privacy policy |
|---|---|---|
| Cloudflare | Hosting, DNS, email routing, Turnstile | cloudflare.com/privacypolicy |
| AWS SES | Sending abuse reports to registrars and hosting providers | aws.amazon.com/privacy |
| Plunk | Sending user-facing notification emails | useplunk.com/legal/privacy |
| Google Web Risk | Submitting confirmed phishing URLs for browser-level blocking | policies.google.com/privacy |
| Netcraft | Submitting confirmed phishing URLs for takedown | netcraft.com/privacy |
Data retention
- Reported URLs: Retained indefinitely as part of the threat intelligence record.
- Email addresses (optional, from reports): Retained for up to 90 days, then deleted.
- Forwarded email content: Discarded immediately after URL extraction. Not stored.
- Server logs: Retained for up to 30 days.
Your rights
If you are located in the EU/EEA, you have the right to:
- Access the data we hold about you.
- Correct inaccurate data.
- Delete your data (where applicable — note that reported URLs are threat intelligence, not personal data).
- Object to processing.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, contact privacy@looksphishy.org.
Children
This service is not directed at children under 16. We do not knowingly collect data from minors.
Changes to this policy
We may update this policy from time to time. Changes will be posted on this page with an updated date. For significant changes, we will note it on the GitHub repository.
Contact
For any questions about this policy or your data:
Simon Köck privacy@looksphishy.org