Security & Privacy
Before You Click is built with privacy as the foundation, not as a feature. Here we explain exactly how we protect your data.
Our core promise
Your email content NEVER leaves your device. All risk checks are performed 100% locally. We don't see your emails, don't store them, and don't use them for AI training.
What we NEVER collect
- Email content (body, subject)
- Recipients or senders
- Attachment content or names
- Contact lists
- Keyboard input
- Screen recordings
What we DO collect (optional)
- Anonymous counts (# warnings shown)
- Which check triggered (e.g., "R1")
- Platform (Gmail/Outlook)
- App version
- Crash reports (no content)
* Analytics are optional and never contain content
How it works technically
Privacy by design, not as an afterthought
Local processing
The Risk Engine runs entirely on your own device. Email content is analyzed in your browser and never leaves your machine.
Zero-knowledge
Our servers don't know what you type. We only see that you're using the app, not what you're doing with it. Literally zero knowledge of your content.
End-to-end encrypted
Settings sync and cloud features use end-to-end encryption. Only you (and your team admin) can see your settings.
Data flow
┌─────────────────────────────────────────────────────────────────┐
│ YOUR DEVICE │
├─────────────────────────────────────────────────────────────────┤
│ │
│ [Gmail/Outlook] → [Before You Click Extension] │
│ │ │ │
│ │ email content │ LOCALLY │
│ ↓ │ PROCESSED │
│ ┌───────────────┐ │ │
│ │ Risk Engine │ ←───────────┘ │
│ │ (local) │ │
│ └───────┬───────┘ │
│ │ │
│ ↓ │
│ ┌───────────────┐ │
│ │ ALLOW / WARN │ │
│ └───────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────┘
│
│ Only metadata (optional)
│ - check ID (e.g., "R1")
│ - timestamp
│ - NO content
↓
┌─────────────────────────────────────────────────────────────────┐
│ BEFORE YOU CLICK CLOUD │
├─────────────────────────────────────────────────────────────────┤
│ │
│ • License validation │
│ • Settings sync (encrypted) │
│ • Anonymous counts │
│ │
│ ❌ NO email content │
│ ❌ NO recipients │
│ ❌ NO attachments │
│ │
└─────────────────────────────────────────────────────────────────┘Compliance & Standards
GDPR Compliant
Fully compliant with GDPR. Minimal data collection, right to erasure, and data portability.
EU Data Residency
All cloud data is stored in EU data centers (Supabase EU region).
SOC 2 (planned)
We're working towards SOC 2 Type II certification for enterprise customers.
TLS 1.3
All communication with our servers uses TLS 1.3 encryption.
Security questions?
Have questions about our security practices or want to request a security review?
Contact security team