Privacy Policy

    Effective Date: April 30, 2026

    Darwin Labs Inc. ("Darwin Labs," "we," "us," or "our") operates the website darwinsecurity.ai and related services (collectively, the "Services"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information, and explains your rights with respect to that information.

    By using our Services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our Services.

    1. Information We Collect

    1.1 Information You Provide

    • Account and contact information, such as your name, email address, and company name.
    • Communications you send us, including support requests and feedback.
    • Any other information you choose to provide when using our Services.

    1.2 Information Collected Automatically

    • Log data, including IP address, browser type, pages visited, and timestamps.
    • Usage data, such as features accessed and actions taken within the Services.
    • Cookies and similar tracking technologies used to maintain sessions and analyze usage.

    1.3 Information from Third Parties

    We may receive information about you from third-party services integrated with our platform (e.g., authentication providers, analytics tools) consistent with their privacy policies.

    1.4 Security and Threat Detection Data

    To provide and improve our scam-detection and alerting service, the Services analyze data that you submit, share, or otherwise expose to the Service. This may include:

    • URLs and links shared with or analyzed by the Services, including domains, full URLs, redirect chains, and associated page metadata.
    • Message content and metadata submitted for scam analysis — such as text messages, emails, chat messages, or social media posts you ask us to review.
    • Sender information associated with suspected scams, including phone numbers, email addresses, social media handles, display names, and similar identifiers.
    • Transaction or payment details submitted for fraud review, such as wallet addresses, account identifiers, payment requests, and amounts. We do not require, and you should not submit, full payment-card numbers.
    • Browser extension data, if you choose to install a Darwin browser extension — such as the URL of a page being analyzed, page metadata, and specific elements you flag for review.
    • Device and network signals used for threat detection, such as user-agent string, approximate geolocation derived from IP, and the timing or frequency of requests.

    This data is collected solely to provide, operate, and improve the security alerting service, and is handled in accordance with this Privacy Policy.

    1.5 Analytics

    We use Google Analytics (Google LLC) to measure how visitors use the Services. Analytics events are sent to our own servers and forwarded to Google, and we set first-party identifiers that contain no personal data. See Google's Privacy Policy; you can opt out by blocking cookies in your browser.

    2. How We Use Your Information

    We use the information we collect to:

    • Provide, maintain, and improve our Services.
    • Respond to your inquiries and provide customer support.
    • Send administrative communications, including security updates and policy changes.
    • Analyze usage patterns to enhance user experience.
    • Comply with applicable legal obligations.
    • Protect the security and integrity of our Services and users.
    • Analyze content you submit — including URLs, messages, sender details, and transaction information — to detect potential scams, phishing attempts, and fraudulent activity.
    • Generate alerts, risk scores, and informational guidance based on that analysis.
    • Aggregate and anonymize threat data to improve detection accuracy for the broader Darwin user community.
    • Maintain databases and pattern libraries of known scam URLs, fraudulent phone numbers, malicious actors, and recurring fraud schemes used to drive future alerts.

    3. Free Service and Our Business Model

    Darwin is currently offered free of charge to consumer users. We use the data described in this Privacy Policy to operate the Services, improve our scam-detection accuracy, and conduct product analytics that help sustain the free service.

    We do not sell personal data, and we do not use your data to serve third-party advertising. We also do not share your data with third parties for their independent marketing purposes. The value exchange is straightforward: you give us the data needed to detect threats, and we use that data — including in aggregated and anonymized form — to keep improving the Service and protect users.

    4. Automated Analysis and AI

    Darwin uses automated systems, including machine-learning and artificial-intelligence models where applicable, to analyze content you submit to the Services and to identify potential scams, phishing, and fraudulent activity. These systems generate alerts, risk scores, and informational guidance based on patterns, signals, and known indicators of fraud.

    We do not use your submitted data to train, fine-tune, or otherwise improve our AI or machine-learning models. Our models apply existing detection logic to your submissions to generate alerts at the time you submit them; your submissions are not added to a training corpus.

    No automated system is perfect. Alerts and analyses produced by the Services are informational and are not guarantees that a communication, link, counterparty, or transaction is safe or unsafe. False positives and false negatives can and do occur. You should always exercise your own judgment before sending money, sharing information, clicking links, or otherwise acting on a message or transaction.

    This Privacy Policy works in conjunction with our Terms of Service, including the "Nature of the Service" and "No Guarantee of Security" provisions, which describe the limits of the Service in more detail.

    5. How We Share Your Information

    We do not sell your personal information. We may share your information in the following circumstances:

    • Service Providers: We share information with trusted third-party vendors who help us operate our Services (e.g., cloud infrastructure, analytics). These providers are contractually required to protect your data.
    • Threat Intelligence: We may share threat indicators with law enforcement, financial institutions, industry partners, and threat-intelligence networks to help protect the broader community. These indicators fall into two categories: (1) anonymized or aggregated patterns, such as scam URLs, malicious-domain reputation data, and recurring fraud patterns that do not identify any individual; and (2) scam-attribution identifiers tied to suspected bad actors — such as phone numbers, email addresses, and wallet addresses associated with reported fraud — which may be shared in identifiable form only when necessary to disrupt the threat or as legally required. We do not share personally identifiable information about Darwin users themselves through this channel without your consent or a legal requirement.
    • Legal Requirements: We may disclose information if required by law, court order, or governmental authority, or to protect the rights, property, or safety of Darwin Labs, our users, or others.
    • Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
    • With Your Consent: We may share information in other ways if you have given us explicit consent.

    We do not share, sell, rent, or otherwise disclose your mobile phone number or SMS opt-in data to any third parties or affiliates for marketing or promotional purposes. Text messaging originator opt-in data and consent are not shared with any third parties.

    6. SMS/Text Messaging

    We use SMS to deliver one-time passcodes, to let you access Darwin Security services by texting one of our registered program numbers, and to send notifications related to actions you initiate (including service messages). You can opt in by submitting your phone number through our verification flow on darwinsecurity.ai and affirmatively checking the SMS consent box at the time of submission, or by texting one of our registered program numbers. You can opt out at any time by replying STOP to any message; reply HELP or email [email protected] for help. Message frequency varies based on your activity, and message and data rates may apply. We do not share mobile numbers or opt-in data with third parties or affiliates for marketing purposes. See our Terms of Service for the full SMS program terms.

    7. Data Retention

    We retain your personal information for as long as necessary to provide our Services and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law. When your data is no longer needed, we securely delete or anonymize it.

    Account data — such as your name, email address, and login records — is retained for the life of your account and for a reasonable period afterward (generally up to 24 months) to handle support, billing, and legal requests, after which it is deleted or anonymized.

    Security and threat-detection data — including flagged URLs, reported scam indicators, malicious sender identifiers, and patterns derived from analyses — may be retained for a longer period than account data because it serves an ongoing protective function for all users. Where this data has been aggregated or anonymized so that it no longer identifies you, we may retain it indefinitely as part of our threat-intelligence corpus. Identifiable submissions are retained only for as long as needed to investigate the relevant threat, update our threat-intelligence databases, and protect other users, after which the data is anonymized or deleted. In most cases, identifiable submissions are anonymized or deleted within 36 months of collection. Retention periods are reviewed annually.

    Retention periods are determined by the sensitivity of the data, the purposes for which it was collected, applicable legal and regulatory obligations, and the protective value of the data to other users.

    8. Data Security

    We implement industry-standard technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS) and at rest, access controls, and regular security reviews.

    Despite our efforts, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

    While we implement strong security measures for our own systems, the scam-detection and alerting service itself is provided on an as-is basis and we cannot guarantee detection or prevention of every threat. Please review our Terms of Service — including the "Disclaimer of Warranties," "No Guarantee of Security," and "Limitations of Liability" sections — for the full disclaimers that apply to the Service.

    9. International Data Transfers

    The Services are operated, and data is processed and stored, in the United States. If you access the Services from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Services, you consent to this transfer.

    10. Your Rights and Data Deletion

    Depending on your location, you may have certain rights with respect to your personal information, including:

    • Right of Access: Request a copy of the personal information we hold about you.
    • Right to Rectification: Request correction of inaccurate or incomplete information.
    • Right to Erasure (GDPR) / Right to Delete (CCPA): Request deletion of your personal information, subject to certain exceptions.
    • Right to Restriction: Request that we limit the processing of your information in certain circumstances.
    • Right to Data Portability: Request a copy of your data in a machine-readable format.
    • Right to Object: Object to our processing of your information in certain circumstances.

    How to Submit a Data Deletion Request

    To request deletion of your personal data, please contact us at [email protected] with the subject line "Data Deletion Request".

    Please include your full name, email address associated with your account, and a description of the data you wish to have deleted.

    We will acknowledge your request within 5 business days and complete the deletion within 30 days, subject to any legal retention obligations and except where longer retention for identifiable security or threat-detection data is described in Section 7 (Data Retention) above. We will confirm deletion in writing once completed, and will note any data retained under this exception.

    Please note that we may need to retain certain information to comply with our legal obligations, resolve disputes, or enforce our agreements.

    11. Cookies and Tracking Technologies

    We use cookies and similar technologies to maintain your session, understand how you use our Services, and improve your experience. You can control cookies through your browser settings; however, disabling certain cookies may affect the functionality of our Services.

    Do Not Track. Some web browsers transmit a "Do Not Track" (DNT) signal. There is currently no uniform industry standard for recognizing or honoring DNT signals, and the Services do not currently respond to them. You can control tracking preferences through your browser's cookie settings as described above.

    12. Third-Party Links

    Our Services may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party services you access.

    13. Children's Privacy

    The Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from individuals under 18. If you believe we have inadvertently collected such information, please contact us and we will promptly delete it.

    14. Changes to This Privacy Policy

    We may update this Privacy Policy from time to time. When we do, we will revise the "Effective Date" at the top of this page and, where appropriate, notify you by email or through the Services. We encourage you to review this policy periodically.

    15. Contact Us

    If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

    Darwin Labs Inc.
    San Francisco, California
    Email: [email protected]