Privacy Policy

Last updated: 13 May 2026

What We Collect

When you use Ask Horas, we collect:

• The content you submit for analysis (links, messages, phone numbers, emails, screenshots).
• Your IP address and the chain of forwarding proxies, plus reverse-DNS hostname and Autonomous System Number (ASN) associated with that IP.
• Coarse geographic information derived from your IP: country, region, city, postal code, timezone, and approximate coordinates.
• Whether your IP is on the public Tor exit-node list or known to be a datacenter/hosting-provider network (computed locally).
• Your preferred languages, browser and operating-system name and version, device type, and Chrome Client Hints (when sent).
• Standard request headers your browser sends automatically — preferred languages and encoding, your “Do Not Track” and Global Privacy Control settings, the page that referred you (if any), and a per-request identifier.
• A coarse TLS-handshake fingerprint (JA4 digest) and continent code provided by our hosting layer, used to flag automation and obvious geographic anomalies.
• Browser-side context that you provide on first load: timezone, viewport and full screen geometry (including available area and orientation), device pixel ratio, hardware concurrency, device memory, network connection type, accessibility preferences (prefers-color-scheme, prefers-reduced-motion, prefers-contrast), and a hash of a small canvas/WebGL drawing as a stability signal.
• Browser self-reports useful for distinguishing real devices from automation: navigator.webdriver (the standard automation flag), maximum touch points, vendor and platform strings, plugin count, and your storage estimate (used as an incognito-mode signal — we do not access actual stored data).
• Permission states for notifications, geolocation, camera, and microphone — only the state (granted/denied/prompt). We never request these permissions.
• Behavioral metadata per submission: whether the text was pasted versus typed, time since the previous submission, whether the chat tab was focused.
• A first-party cookie (horas_cfp) carrying a random UUID, used solely to recognise repeat visits over a 30-day window. You can clear it from your browser at any time.

We do not use third-party fingerprinting services, advertising trackers, or commercial data brokers. We do not share any of this information with advertisers. The canvas and WebGL hashes are stored in our own database for fraud-pattern analysis and are never transmitted to external services.

How We Use It

Submitted content is analyzed by AI to generate fraud risk assessments. Session metadata (IP, geographic coarse-location, ASN, browser, device type) is used for security, rate limiting, abuse and bot detection, and to improve fraud-detection accuracy by identifying campaign patterns. We never use this data for advertising or share it with advertisers.

Data Retention

Session and submission data is retained for service improvement and fraud knowledge base maintenance. You may request deletion by contacting us.

Third Parties

We use third-party AI providers (such as OpenAI) to process submissions. Submitted content is sent to these providers for analysis. We use Supabase for data storage and Vercel for hosting. When a domain or sender we don't recognise is part of a submission, we may also send the bare domain or phone number to a public web-search service (Tavily) to verify whether it's a real, well-known entity. We never send personal content (the message body, your IP, or anything tied to your session) to the search service — only the domain or phone-number string itself.

UAE Compliance

This service complies with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data. We process personal data lawfully and transparently for the legitimate purpose of fraud prevention.

Contact

For privacy inquiries, use our contact form.