Last updated: July 2026
We built ThouShaltNotClick to protect people, not to exploit them. Your email content is analyzed locally in your browser by default β it never leaves your device. You may optionally use AI-powered analysis, which sends limited email data to our AI partner for real-time analysis (never stored). When AI catches a phishing attack, only the sender and subject are shared with your organization to protect your colleagues. We use zero third-party trackers. We will never sell your data to anyone, ever. This isn't a legal loophole β it's a promise.
| Data | Why | Stored Where |
|---|---|---|
| Name & email | Your account | Our secure servers (encrypted at rest) |
| Password | Authentication | Bcrypt hash only β we never see your password |
| Simulation results | Track if you caught or clicked the phishing test | Our server |
| Training progress | Know which courses you completed | Our server |
| Extension install status | Help admins see who has protection active | Our server (yes/no + last seen) |
| Online Kindness stats | Aggregate counts of polite language signals | Your device + server (aggregate only, daily sync) |
| AI Analysis data (opt-in only) | Deeper phishing analysis when you click the AI button | Sent to our AI service in real-time. Email content is not stored; analysis results (score and verdict) are logged. |
| Community threat alerts | Protect your org when AI confirms a phishing attack | Sender + subject only β no email body |
| Org email domains | Recognize emails from colleagues (familiar sender detection) | Domain names only β cached locally on your device |
When you open an email in Gmail, our extension analyzes it for phishing indicators using a local analysis engine (analyzer.js) that runs entirely inside your browser. The email content is never transmitted to our servers or any third party. The trust score, findings, and recommendations are all computed on your device.
You may optionally click the βAI Analysisβ button on any email's trust badge for a deeper, AI-powered review. This is entirely voluntary and requires your explicit action each time β it never happens automatically. When used:
A clear disclaimer (βEmail content was sent to our AI for this analysisβ) is shown every time you use this feature.
Your organization's email domains (e.g. yourschool.edu) are synced to the extension so it can recognize emails from colleagues. This only includes the domain names β no staff names, email addresses, or other data. Internal senders receive a small trust score boost. This runs locally in your browser using the cached domain list.
When AI analysis identifies an email as clearly dangerous (score below 30/100), the sender address and subject line only are stored in our database and shared with other members of your organization. This protects your colleagues from the same phishing attack.
The Online Kindness Score monitors your communication patterns across email, chat, and AI platforms for polite language signals (such as greetings, gratitude, and considerate phrasing). This analysis runs 100% in your browser. Your actual messages, emails, and conversations are never recorded, transmitted, or stored. Only an aggregate kindness grade (Average, Good, or Excellent) is synced daily to the server for organizational leaderboards if you are part of an organization. Organization administrators can disable this feature for their organization.
When you manually scan a suspicious URL, that URL is sent to our server for real-time threat analysis β similar to how Google Safe Browsing works in every web browser. The URL is processed immediately and never stored, logged, or associated with your account. No page content, browsing history, or personal data is included.
Schools may optionally enable a Content Filter that blocks categories of websites on managed devices. It is off by default β most users are never affected. When a school turns it on, the extension blocks sites locally on the device (your browsing is not sent to us to be filtered) and records policy events only: attempts to reach a blocked site, and staff βproceed anywayβ bypasses (domain + category + time), shown to administrators as aggregate counts by default. It does not record your general browsing β sites that aren't blocked are never logged. Full terms are in the Content Filter Addendum.
We use zero third-party analytics, advertising, or tracking tools. No Google Analytics. No Facebook Pixel. No Mixpanel, Amplitude, Segment, HotJar, PostHog, or Sentry. No ad networks. No data brokers. Our code has been audited to confirm this. You can verify it yourself β our privacy commitments are embedded directly in the source code of every file in the browser extension.
For schools using ThouShaltNotClick, we store organizational data necessary to run phishing simulations and training: staff rosters (name, email, role), campaign results, and training completion records. This data is accessible only to authorized school administrators and is never shared with other schools, organizations, or third parties.
Organization-wide benchmarking (e.g. Diocese-wide) uses anonymized, aggregated statistics only β click rates and catch rates averaged across schools. No individual staff member's data is ever visible to other schools or the parent organization.
You can request complete deletion of your account and all associated data at any time by contacting us. School administrators can remove staff members from their roster, which removes their simulation and training data. Online Kindness data is stored locally on your device and can be cleared by removing the browser extension. Community threat alerts you contributed will be removed when your account is deleted.
SMS verification is an optional security feature. We send text messages only when you have explicitly opted in from your Security Settings page by ticking a standalone consent checkbox. SMS opt-in is never a requirement for using ThouShaltNotClick β you can use the platform without it.
What we send. One-time 6-digit verification codes when you log in or perform sensitive actions on your account. We do not send marketing, promotional, or bulk SMS messages of any kind. Message frequency varies based on how often you log in β typically a few messages per month per active user. Message and data rates may apply per your carrier's plan.
What we store. Your phone number is stored only while SMS verification is enabled on your account. We also record the date and IP address of your initial opt-in (TCPA compliance) and the version of the consent text you agreed to. Phone numbers are never sold, rented, or shared with third parties for marketing.
How to opt out. Reply STOP to any verification message β your number is immediately removed and SMS verification is disabled. You can also disable SMS verification from your Security Settings page. Reply HELP for help. We will never charge you to opt out, and we will never message a number that has opted out without a fresh, explicit opt-in.
SMS messages are delivered through Twilio, our verified communications partner. For full SMS program details, see the SMS Verification Policy.
The core ThouShaltNotClick platform β phishing simulations and training β is designed for adult staff and teachers, and we do not seek personal information from children for it.
Some schools additionally deploy our optional Content Filter to student devices. In that case the school is the data controller and TSNC acts as a school official / service provider under FERPA. The school is responsible for any parental notice or consent required by FERPA, COPPA, or local law before deploying the filter to student devices. We practice strict data minimization for students: the filter records only blocked-site attempts (never general browsing), defaults to aggregate counts, and is governed by the Content Filter Addendum.
Questions about our privacy practices? Email us at privacy@thoushaltnotclick.com
βEvery person's data deserves the same care and respect we owe every person.β
That's not just our policy β it's our promise.