We collect only the data needed to provide threat analysis. The information below is submitted by you, inside the App, when you actively use a feature: URLs / domains — when you use Link Check or QR Scan. Phone numbers — when you use Spam Check. Email addresses — when you use Email Check. Message text (SMS, email body, WhatsApp content) — when you paste it into Message Check or import a screenshot for OCR analysis. File hashes (SHA-256) — when you scan a file. The file itself is never uploaded. We compute the cryptographic hash on your device and transmit only that string. Anonymous device identifier (random UUID generated on first launch) — used to rate-limit abusive traffic and aggregate anonymized telemetry. Not tied to your name, account, or any personally identifiable information. App performance data (crash logs, feature-usage counts) — generated by the mobile platform and used solely to improve stability. Advertising identifier (Android AAID / iOS IDFA, when allowed by the user) — collected by Google AdMob to serve ads. Subject to the device-level opt-out settings.

Important: We do not collect unnecessary personal data, and we do not track your browsing activity outside of what you explicitly submit.

We do not collect your real name, postal address, date of birth, ID/passport number, or biometric data. We do not read your contact list, call log, SMS inbox, or browsing history. We do not access your camera or microphone without an explicit user action (only when you tap "Scan QR" or pick a screenshot). We do not upload your files, photos, or documents — only SHA-256 hashes. We do not store passwords you save in the in-app Password Vault. They are encrypted and kept exclusively on your device.

We do NOT: Sell your personal data Use your data for invasive tracking Share sensitive user content for advertising purposes

Threat analysis: matching your input against our threat database and third-party intelligence services to return a risk verdict. Community protection: if you voluntarily submit a threat report, the indicator (e.g. URL or phone number) may be added to our database — anonymized — so other Kangal users are protected. Service improvement: understanding aggregated feature usage to prioritize improvements. Security & abuse prevention: detecting automated abuse, rate-limiting, fraud prevention. Advertising: serving ads through Google AdMob in line with your device-level ad preferences.

You can control or disable cookies through your browser or device settings. We do not use tracking technologies for behavioral advertising.

To deliver accurate verdicts, Kangal sends specific indicators to the services below. Each service acts as an independent data controller and is bound by its own privacy policy. Service Data shared Purpose Google Safe Browsing Submitted URL Check against Google's malicious URL list VirusTotal URL and file SHA-256 hash Aggregated multi-vendor malware scan OpenAI (GPT-4o-mini) Submitted URL and message text AI-powered contextual analysis LeakCheck Submitted email address Data-breach / leak lookup IPQualityScore Submitted phone number Global phone fraud scoring SkipCalls US phone number only US-market spam-call database USOM (Turkey) URL / domain Turkish national cybersecurity blocklist Google AdMob Advertising identifier Ad serving and measurement We do not sell your personal data to advertisers, data brokers, or any third party.

These providers: Only receive limited data Are required to follow strict data protection standards Cannot use your data for their own purposes

Analysis history is stored locally on your device (SQLite). The latest 500 analyses are retained; older records are purged automatically. You can clear all history from the in-app Settings. Password vault entries are encrypted with the platform keychain (Android Keystore / iOS Keychain, AES-256) and never leave your device. Community threat reports you submit are retained on our servers for as long as they remain useful for protecting other users. You may request removal by emailing privacy@kangal.io. Server-side logs (aggregated, non-identifying request metadata) are retained for 90 days for fraud prevention and then deleted.

You may contact us for: Data access requests Data deletion requests Privacy concerns Reporting misuse or abuse
📩 privacy@kangal.io
We aim to respond to all privacy-related requests as quickly as possible.

All network communication uses TLS 1.3 encryption. The Password Vault uses hardware-backed keychain storage with AES-256 and biometric unlock. We apply the principle of least privilege to internal access to our infrastructure. Rate limiting and abuse-prevention monitoring protect our APIs against misuse. No system is perfectly secure. If you believe your data has been compromised, contact us at security@kangal.io.