Privacy Policy

Effective date: May 20, 2025

CYBRLAB AI SARL-S ("Company," "we," "us," or "our") operates the ZeroScam mobile application ("App"), designed to assist Users in identifying potential scams. We are committed to safeguarding your privacy and ensuring that personal data is processed in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

By using the App, you acknowledge that you have read, understood, and agree with this Privacy Policy.

1. Introduction

1.1 Purpose of this Privacy Policy

This Privacy Policy explains what personal data we collect, how we process it, and your rights concerning your data when using ZeroScam.

1.2 Compliance with Applicable Laws

We comply with all relevant data protection laws, including but not limited to the GDPR.

1.3 Age Restriction

The App is intended for Users aged 16 years and older. If we later decide to allow users aged 13 and older, we will update this Privacy Policy and implement additional safeguards.

1.4. Definitions

Terms used in this Privacy Policy correspond to definitions provided in the App's Terms of Use, unless stated otherwise.

2. Data We Collect

We collect only the data necessary to provide and improve the App's functionalities.

2.1 User-Provided Data

When using the App, you may submit:

Text descriptions of potential scams (e.g., summaries of suspicious phone calls or emails).
Screenshots or photos of scam-related messages or documents (one file per request).
Industry/Field selection (if applicable).

You must refrain from and shall not submit sensitive or certain personal information, including but not limited to:

Personal identification and contact details: Name, surname, other names, age, date of birth, identification documents, address, phone number, email.
Financial information: Bank card details, account numbers, financial credentials.
Private content: Private photographs (including private documents of other individuals).
Confidential or legally protected information: Data subject to confidentiality obligations, trade secrets, or information protected under privacy laws.
Biometric and health-related data: Fingerprints, facial recognition data, medical records, or other health-related information.

If such information is present in a screenshot or photo included in the User’s request, the User must take appropriate steps to blur, cover, or crop this data before submission. The Publisher is not responsible for any processing of sensitive data inadvertently and accidentally included in User submissions.

Users are expected to blur, crop or redact any sensitive information before submission. The Publisher is not liable for any unintentional processing of such data.

2.2 Automatically Collected Data

The App collects technical and operational data necessary to provide services, including:

Pseudonymized user ID (generated without personal identifiers)
Operating system ID (to optimize compatibility)
IP address (processed for security and operational analytics)
Log data (e.g., timestamps, errors reports, technical details of requests)

2.3 No Third-Party Data Sources

We do not collect data from external or third-party sources (e.g., social media platforms or marketing databases).

3. How We Use and Process Collected Data

3.1. Use of the Data

Personal data is processed only when a lawful basis under Article 6 of the GDPR applies.

3.1.1

Data Type

User-provided data (screenshots, text descriptions, industry/field selection)

Purpose

Processing user requests and analyzing potential scam risks

Legal Basis (GDPR)

Contractual Necessity (Art. 6(1)(b))

3.1.2

Data Type

Pseudonymized user ID

Purpose

Ensuring proper app functionality and fraud prevention

Legal Basis (GDPR)

Legitimate Interest (Art. 6(1)(f))

3.1.3

Data Type

Operating system ID

Purpose

Optimizing app performance and compatibility

Legal Basis (GDPR)

Legitimate Interest (Art. 6(1)(f))

3.1.4

Data Type

IP address

Purpose

Ensuring security, fraud detection, and operational stability

Legal Basis (GDPR)

Legitimate Interest (Art. 6(1)(f))

3.1.5

Data Type

Basic log data (timestamps, error reports)

Purpose

Debugging and improving the service

Legal Basis (GDPR)

Legitimate Interest (Art. 6(1)(f))

3.1.6

Data Type

Retention of anonymized data for AI model training

Purpose

Improving scam detection capabilities

Legal Basis (GDPR)

Legitimate Interest (Art. 6(1)(f))

3.2. Disclosure of Personal Data

We do not sell or share personal data with third parties for marketing purposes. However, we may disclose personal data under the following circumstances, always ensuring that appropriate safeguards and confidentiality obligations are in place:

Compliance with Legal Obligations

We may disclose personal data when required by law, regulation, legal process, or governmental request, including but not limited to:

Compliance with court orders, subpoenas, or other legal obligations;
Requests from law enforcement agencies, regulatory bodies, or public authorities to detect, prevent, or address fraud, security, or technical issues;
Ensuring compliance with applicable GDPR, data protection, and cybersecurity laws.
Contractors, Consultants, Service Providers

We may share personal data with contractors, consultants, service providers, who assist in operating, maintaining, and improving the App. These parties are:

Strictly bound by confidentiality obligations;
Authorized to process data only for the necessary services related to the App’s functionality, security, and support;
Required to implement appropriate technical and organizational security measures.
Clients Using the Services of the App

If the App operates in a business-to-business (B2B) model, we may provide scam detection results, reports, or relevant processed data to our clients who utilize the App’s services. In such cases:

Data will be shared only to the extent necessary for fulfilling the purpose of the service;
Clients receiving data must comply with GDPR and other applicable data protection regulations;
Any sharing of personally identifiable data will require explicit user consent unless otherwise legally permitted.
Business Partners in Corporate Transactions

In the event of a merger, acquisition, sale of assets, restructuring, or other corporate transaction, we may disclose personal data to:

Potential or actual acquiring companies, investors, or business partners;
Legal and financial advisors involved in the transaction;
Only those parties who are bound by confidentiality obligations and required to handle the data in compliance with GDPR.

We take all necessary steps to ensure that personal data shared under these circumstances remains protected, limited in scope, and subject to strict contractual and legal safeguards.

3.3. Service restriction

In limited cases, the App may automatically limit, restrict or terminate a User’s access to the App if a pattern of abusive requests is detected (e.g., repeated submission of fabricated or misleading data). Such decisions serve to protect the App’s integrity and also have the purpose of compliance with the law and protection of the legitimate interest of the Publisher and third parties.

Right to Contest: If you believe a decision was made in error, you can submit an appeal via contact@cybrlab.ai. We will review your case within 30 days.

4. Data Storage and Retention

4.1 Storage Location

All data is stored on secure physical servers within the European Union.

4.2 Retention Period

We retain data for a maximum of 12 months after the last user request. This period supports scam detection improvements and potential follow-up analyses.

Data is stored in pseudonymized or, whenever possible, anonymized form.
We comply with GDPR's data minimization and storage limitation principles.

4.3 User Data Deletion

Upon request, we will delete or anonymize personal data in compliance with GDPR. Requests can be sent to contact@cybrlab.ai. We will respond within 30 days.

5. Cookies and Technical Data

5.1 No Cookies or Trackers

The App does not use cookies or third-party analytics tools.

5.2 Use of IP Addresses

IP addresses are used only for security, fraud prevention, and operational purposes.
We do not use them for tracking or advertising.

6. User Rights Under GDPR

As an EU-based company, we fully respect your rights under GDPR, including:

Right to withdraw a given consent (Art. 7 GDPR): withdraw your consent at any time without affecting the lawfulness of prior processing.
Right to Access (Art. 15 GDPR): obtain a copy of your data.
Right to Rectification (Art. 16 GDPR): correct inaccuracies in your data.
Right to Erasure ("Right to be Forgotten") (Art. 17 GDPR): request data deletion.
Right to Restriction of Processing (Art. 18 GDPR): limit how your data is processed.
Right to Object (Art. 21 GDPR): object to processing based on legitimate interests.
Right to Data Portability (Art. 20 GDPR): receive your data in a machine-readable format.

To exercise your rights, contact us at [email TBA]. We will respond within 30 days.

7. Data Security

We implement strong security measures, including:

Encryption and pseudonymization of personal data
Storage in high-security EU-based data centers
Regular internal security audits to identify and address vulnerabilities

8. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect regulatory requirements or operational changes. Significant changes will be communicated in advance, and explicit acceptance may be required.

9. Contact Information

For privacy-related questions, don't hesitate to contact us:

by email: contact@cybrlab.ai or
by post: 19 rue de l’Industrie L-8069 Bertrange, Luxembourg.

We aim to respond to users’ within fifteen (15) business days from the date of receipt. Please note that in certain cases, we may request additional information or clarification from the user in order to process the enquiry effectively. The response timeline may be extended accordingly.