Last updated: June 2026
We built ThouShaltNotClick to protect people, not to exploit them. Your email content is analyzed locally in your browser by default; it never leaves your device. You may optionally use AI-powered analysis, which sends limited email data to our AI partner for real-time analysis (never stored). When AI catches a phishing attack, only the sender and subject are shared with your organization to protect your colleagues. We use zero third-party trackers. We will never sell your data to anyone, ever. This isn't a legal loophole; it's a promise.
| Data | Why | Stored Where |
|---|---|---|
| Name & email | Your account | Our secure servers (encrypted at rest) |
| Password | Authentication | bcrypt hash only; we never see your password |
| Simulation results | Track if you caught or clicked the phishing test | Our server |
| Training progress | Know which courses you completed | Our server |
| Extension install status | Help admins see who has protection active | Our server (yes/no + last seen) |
| Online Kindness stats | Aggregate counts of polite language signals | Your device + server (aggregate only, daily sync) |
| AI Analysis data (opt-in only) | Deeper phishing analysis when you click the AI button | Sent to our AI service in real-time. Email content is not stored; analysis results (score and verdict) are logged. |
| Community threat alerts | Protect your org when AI confirms a phishing attack | Sender + subject only (no email body) |
| Org email domains | Recognize emails from colleagues (familiar sender detection) | Domain names only β cached locally on your device |
When you open an email in Gmail, our extension analyzes it for phishing indicators using a local analysis engine (analyzer.js) that runs entirely inside your browser. The email content is never transmitted to our servers or any third party. The trust score, findings, and recommendations are all computed on your device.
You may optionally click the "AI Analysis" button on any email's trust badge for a deeper, AI-powered review. This is entirely voluntary and requires your explicit action each time; it never happens automatically. When used:
A clear disclaimer ("Email content was sent to our AI for this analysis") is shown every time you use this feature.
Your organization's email domains (e.g. yourschool.edu) are synced to the extension so it can recognize emails from colleagues. This only includes the domain names: no staff names, email addresses, or other data. Internal senders receive a small trust score boost. This runs locally in your browser using the cached domain list.
When AI analysis identifies an email as clearly dangerous (score below 30/100), the sender address and subject line only are stored in our database and shared with other members of your organization. This protects your colleagues from the same phishing attack.
The Online Kindness Score monitors your communication patterns across email, chat, and AI platforms for polite language signals (such as greetings, gratitude, and considerate phrasing). This analysis runs 100% in your browser. Your actual messages, emails, and conversations are never recorded, transmitted, or stored. Only an aggregate kindness grade (Average, Good, or Excellent) is synced daily to the server for organizational leaderboards if you are part of an organization. Organization administrators can disable this feature for their organization.
When you manually scan a suspicious URL, that URL is sent to our server for real-time threat analysis, similar to how Google Safe Browsing works in every web browser. The URL is processed immediately and never stored, logged, or associated with your account. No page content, browsing history, or personal data is included.
We use zero third-party analytics, advertising, or tracking tools. No Google Analytics. No Facebook Pixel. No Mixpanel, Amplitude, Segment, HotJar, PostHog, or Sentry. No ad networks. No data brokers. Our code has been audited to confirm this. You can verify it yourself: our privacy commitments are embedded directly in the source code of every file in the browser extension.
For schools using ThouShaltNotClick, we store organizational data necessary to run phishing simulations and training: staff rosters (name, email, role), campaign results, and training completion records. This data is accessible only to authorized school administrators and is never shared with other schools, organizations, or third parties.
Organization-wide benchmarking (e.g. Diocese-wide) uses anonymized, aggregated statistics only β click rates and catch rates averaged across schools. No individual staff member's data is ever visible to other schools or the parent organization.
You can request complete deletion of your account and all associated data at any time by contacting us. School administrators can remove staff members from their roster, which removes their simulation and training data. Online Kindness data is stored locally on your device and can be cleared by removing the browser extension. Community threat alerts you contributed will be removed when your account is deleted.
SMS verification is an optional security feature. We send text messages only when you have explicitly opted in from your Security Settings page by ticking a standalone consent checkbox. SMS opt-in is never a requirement for using ThouShaltNotClick; you can use the platform without it.
What we send. One-time 6-digit verification codes when you log in or perform sensitive actions on your account. We do not send marketing, promotional, or bulk SMS messages of any kind. Message frequency varies based on how often you log in, typically a few messages per month per active user. Message and data rates may apply per your carrier's plan.
What we store. Your phone number is stored only while SMS verification is enabled on your account. We also record the date and IP address of your initial opt-in (TCPA compliance) and the version of the consent text you agreed to. Phone numbers are never sold, rented, or shared with third parties for marketing.
How to opt out. Reply STOP to any verification message; your number is immediately removed and SMS verification is disabled. You can also disable SMS verification from your Security Settings page. Reply HELP for help. We will never charge you to opt out, and we will never message a number that has opted out without a fresh, explicit opt-in.
SMS messages are delivered through Twilio, our verified communications partner. For full SMS program details, see the SMS Verification Policy.
ThouShaltNotClick is designed for adult staff, teachers, and parents, not students. We do not knowingly collect personal information from children under 13. The browser extension is intended for use by adults managing school cybersecurity, not by students.
Questions about our privacy practices? Email us at privacy@thoushaltnotclick.com
"Every person's data deserves the same care and respect we owe every person."
That's not just our policy; it's our promise.