Privacy Policy
Last updated: May 8, 2026. Plain English. Questions: privacy@kromeum.app.
The short version
- Kromeum is the company. Armour is the app you're using. Every promise below applies to Armour.
- We don't store anything you give us *. Your scan history, files, sandbox reports, and Vexa chats live on your device — in your browser's local database — not on our servers.
- You stay in control. Wipe your local history any time from Settings → Data & privacy. Export an encrypted backup if you want to keep it on your own cloud or a USB stick.
- We don't sell data. No ads. No tracking pixels.
- We never read, monitor, or sync anything from Chrome, Safari, or any other browser on your device. Armour only sees what you hand to it.
- Aligned with GDPR (EU) and CCPA (California).
* apart from the bare minimum we need to log you back in — your email, a hashed password (one-way: we can verify it but not recover it), and your display name.
What's on our servers
Everything required for the "log back in next time" promise — and nothing more:
- Email address.
- Hashed password (we never see your plaintext password).
- Display name.
- Subscription tier and trial status.
- Which version of the Terms & Privacy you accepted, with timestamp.
- Anything you have explicitly chosen to sync (e.g. saved scan profile if you opted in) — stored end-to-end encrypted using a key derived from your account, so even our database operators cannot read it.
What's on your device only
- Scan history — every URL, file hash, and verdict you've checked.
- Sandbox reports — MetaDefender Sandbox detonation results, IOCs, MITRE techniques, behavioural indicators.
- Vexa chats — your conversations with the AI assistant.
- Auto-scan queue + retry state — the queue, progress, and per-download history for the in-app browser and OS-download interceptor.
- Trusted-sources allowlist — the list of domains you've marked as trusted (so their downloads skip auto-scan) never leaves your device.
- Encrypted backups — if you export, the file is AES-encrypted on your device with your passphrase before it ever leaves. We can't decrypt it.
All of this lives in your browser's IndexedDB / local storage. If you clear your browser data or uninstall, it's gone — unless you've made a backup.
Third parties (the one caveat)
To actually scan something, we have to ask specialist engines. When you trigger a scan, your input goes directly to:
- IPQualityScore & Google Web Risk — receive URLs you scan for phishing / malicious-site reputation.
- Hybrid Analysis — receives file hashes as an additional intel source for hash lookups, when available; its vetting status is shown in the Provider Status banner.
- MetaDefender Cloud — receives file hashes and, when Deep Scan is enabled, files up to 140 MB for multi-engine antivirus scanning.
- MetaDefender Sandbox — when sandbox detonation is enabled, files up to 80 MB are detonated in an isolated VM to extract behavioural indicators.
- Cloudmersive Advanced Virus Scan — when Deep Scan or Auto-scan downloads is enabled, files up to 1 GB are uploaded for cloud antivirus analysis (macros, scripts, password-protected archives, OLE objects). Cloudmersive states they do not retain files after scanning.
- Lovable AI Gateway (Google Gemini) — receives scan results, Vexa chat messages, and threat-analysis prompts to generate replies.
- Resend — sends transactional email (sign-in, security alerts) on our behalf.
Once data is in a third party's hands, it's governed by their privacy policies, not ours. We are not responsible for how they retain, share, or process what you send through their scanners. If that's a concern, don't scan things you wouldn't want these providers to see, or read each provider's policy first.
What we don't do
- Sell, rent, or trade your data — ever.
- Run third-party advertising trackers or pixels.
- Read your scan inputs for marketing or model training.
- Watch your screen, microphone, camera, contacts, or location.
- Read what you do in Chrome, Safari, or any other browser on your device.
- Auto-scan files on your device unless you've explicitly enabled OS-level interception in the native shell.
- Store your scan history, file hashes, sandbox reports, or chats on our servers.
Email Protection (optional)
If you connect Gmail or Outlook to Email Protection, we request the minimum read-only scope you choose — senders only, headers, or full read-only. We do not see your mail on our servers. The phishing/scam scan runs on your device. We only label or move flagged messages into an "Armour Quarantine" folder after you tap to authorize. You pick how far back we look (24 hours, 7 days, or 30 days) and you can disconnect at any time — local cache is wiped instantly. Unlike apps that take system-wide access to your inbox, you decide what we see, how much, and for how long.
Call & Text Protection (optional)
Caller lookups query a community spam-reputation database with the number you typed — nothing else from your phone is sent. SMS scam analysis runs entirely on-device on text you paste in yourself. We do not read your call log, your messaging app, or block calls system-wide. We only tell you whether what you handed us looks legit or scammy.
Subscriptions & billing
Paid plans are billed and managed by the Apple App Store or Google Play. Subscriptions auto-renew at the end of each period unless cancelled in your store account at least 24 hours before renewal. Cancelling stops the next charge; your paid access continues until the current period ends. Refunds are handled by the store under its refund policies.
Your rights
You can export your local data as an encrypted backup, wipe your local history, or delete your account (and everything we store server-side) at any time from Settings → Data & privacy. Account deletion permanently removes everything listed under "What's on our servers" — your email, password hash, display name, subscription and trial status, terms-acceptance record, and any opted-in synced data.
Contact
Privacy questions, takedown requests, or data-subject access requests: privacy@kromeum.app.
Armour (built by Kromeum) is a security tool. Scan results and exported backups may include sensitive information about you or your assets. Treat them like any other security report.