Privacy Policy
Effective Date: March 26, 2026 · Last Updated: March 26, 2026 · Version 1.0
1. Introduction
Ingat ("the App") is a Filipino SMS scam detection service developed to protect users from fraudulent text messages. This Privacy Policy explains how Ingat collects, uses, stores, and protects information when you use our Android application and backend services.
Ingat is committed to protecting your privacy and complying with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations, as well as the principles of the EU General Data Protection Regulation (GDPR) where applicable.
By using Ingat, you consent to the practices described in this Privacy Policy. If you do not agree, please uninstall the App and discontinue use.
2. Data Controller
Data Controller: Ingat Development Team
Contact Email: privacy@ingatph.com
Data Protection Officer: dpo@ingatph.com
3. What Data We Collect
3.1 Data That NEVER Leaves Your Device
Core privacy guarantee: Verification codes and sensitive authentication messages are recognized on your device and excluded from all cloud processing. No server — not ours, not any third party's — ever sees them.
Ingat recognizes sensitive messages from 50+ services including GCash, BDO, BPI, Maya, Metrobank, UnionBank, Google, Facebook, Instagram, WhatsApp, Telegram, Grab, Shopee, Lazada, TikTok, and many more.
3.2 Safe Messages — Processed but NEVER Stored
| Data Type | Purpose | Retention |
|---|
| SMS message content determined safe | Analyzed in real-time by AI to determine scam likelihood | Never stored. Processed in memory and immediately discarded. No safe message content is ever written to a database. |
3.3 Confirmed Scam Messages — Stored for Training
Only confirmed scam messages are retained. When our AI confirms a message is a scam (score above threshold), the message content is stored in anonymized form to improve our detection model. Safe messages are never stored. Your personal, legitimate messages are discarded immediately after analysis.
| Data Type | Purpose | Retention |
|---|
| Confirmed scam message content | Retained in anonymized form to train and improve our AI scam detection model, protecting future users from new scam patterns | Until model retraining cycle completes, then deleted |
| Hashed sender number | SHA-256 hash to identify repeat scam senders without revealing actual number | 90 days |
| Scam score | Numerical confidence score (0-100) | 90 days |
| Scam type classification | Category of detected scam | 90 days |
| Timestamp | When the scan was performed | 90 days |
| Device ID | Pseudonymous identifier for auth and rate limiting | Duration of account |
| Subscription tier | Free or Premium plan status | Duration of account |
3.4 Data We Do NOT Collect
- Verification codes or authentication messages
- Full phone numbers (only one-way hashes of sender numbers)
- Contact lists or address books
- Location or GPS data
- Browsing history
- Personal names, email addresses, or demographic data
- Call logs
4. How We Use Your Data
- Scam detection and classification — analyzing SMS messages in real-time to alert you of potential scams.
- Aggregate scam intelligence — hashed sender numbers build a community scam database that protects all users.
- Service authentication — device IDs authenticate API requests and enforce rate limits.
- Service improvement — aggregate, anonymized scan statistics help improve detection accuracy.
- Subscription management — tracking tier to enforce limits and enable premium features.
We do not use your data for advertising, profiling, behavioral tracking, or any purpose unrelated to scam detection.
5. Legal Basis for Processing
Philippine Data Privacy Act (RA 10173):
- Consent (Section 12(a)): You provide consent when you submit an SMS for analysis.
- Legitimate interest (Section 12(f)): Processing hashed sender data serves a legitimate interest in fraud prevention.
GDPR (where applicable):
- Consent (Article 6(1)(a)): You explicitly consent when you use the scan feature.
- Legitimate interest (Article 6(1)(f)): Aggregate scam intelligence protects users from fraud.
6. Data Sharing and Third Parties
Ingat does not sell, rent, lease, or trade personal data or scan results to any third party. This is an unconditional commitment.
6.1 Service Providers
| Provider | Purpose | Data Shared |
|---|
| Anthropic (Claude AI) | SMS content analysis | SMS text for real-time analysis only. Zero data retention configured. |
| Amazon Web Services | Cloud infrastructure | Stored data on encrypted infrastructure in Asia Pacific region. |
| Firebase (Google) | Push notifications | Device ID and notification tokens only. No SMS content. |
6.2 Law Enforcement
We may disclose data if required by a valid court order or legal process under Philippine law. We will notify affected users unless prohibited by law.
7. Data Retention and Deletion
| Data | Retention | Deletion |
|---|
| SMS message content | Zero retention | Never persisted |
| Scan results | 90 days | Automated daily batch deletion |
| Device ID and account | Duration of account | Deleted upon request |
Requesting Deletion
- Use the "Delete My Data" option in the App settings.
- Email privacy@ingatph.com with your request.
Deletion requests are processed within 30 days.
8. Data Security
- Encryption in transit: TLS 1.2+ with certificate pinning.
- Encryption at rest: AES-256 via AWS RDS encryption.
- API authentication: HMAC-SHA256 signed requests with replay prevention.
- Rate limiting: Per-device rate limits prevent abuse.
- Access control: MFA-required, no standing production database access.
- Audit logging: All data access is logged and monitored.
- No SMS content logging: SMS content is excluded from all logs and error reports.
9. Your Rights
Under the Philippine Data Privacy Act (RA 10173)
- Be informed — know what data is collected and how it is used.
- Access — request a copy of data we hold about you.
- Correct — request correction of inaccurate data.
- Erasure or blocking — request deletion or blocking of your data.
- Object — object to the processing of your data.
- Data portability — receive your data in a structured format.
- Damages — claim compensation if your rights are violated.
- File a complaint — lodge a complaint with the National Privacy Commission.
Under the GDPR (where applicable)
- Restriction of processing — request limits on data use.
- Withdraw consent — withdraw consent at any time.
- Lodge a complaint with your local supervisory authority.
To exercise any of these rights, contact privacy@ingatph.com.
10. Children's Privacy
Ingat is not directed at children under 18. We do not knowingly collect data from children. Contact privacy@ingatph.com if you believe a child has provided data.
11. International Data Transfers
Scan data may be processed by Anthropic's AI services outside the Philippines. Transfers are covered by appropriate safeguards and standard contractual clauses. SMS content is never stored by any party.
12. Changes to This Policy
When we make material changes, the "Last Updated" date will be revised and users will be notified via in-app notification. Continued use constitutes acceptance.
13. Contact Information