AVASC — Association of Victims Against Cyber-Scams: shield, globe, and padlock wordmark logo
Report
Scam DatabaseReport CaseStoriesGuidesRecoveryAboutDonateSign in
Notice: This page is a pre-launch scaffold. It covers the topics a real privacy policy must address but is not legal advice and must be replaced with counsel-reviewed or generator-produced copy before collecting additional victim data at scale.

Privacy Policy

Last updated: April 17, 2026

1. Introduction

The Association of Victims Against Cyber-Scams (“AVASC,” “we,” “us,” or “our”) operates avasc.org and provides scam reporting, pattern intelligence, alert subscriptions, and victim-support resources (the “Service”). This Privacy Policy explains what information we collect, how we use and share it, and the choices you have.

AVASC is a California nonprofit organization. AVASC is not a law firm, investigator, or government agency, and does not guarantee recovery of funds. Using the Service does not create an attorney-client or investigator-client relationship.

2. Information we collect

We collect three buckets of information:

  • Scam reports you submit — free-text description of what happened, scam type, estimated amount lost, optional file attachments, and optional contact information. Reports may include highly sensitive personal details. AVASC strongly advises that you never submit passwords, full card numbers, SSNs, or government-ID numbers in a report.
  • Account and contact information — if you create an account or subscribe to alerts: name, email, phone number (when you opt in to SMS), and any preferences you save.
  • Usage and device information — pages viewed, features used, IP address, approximate location derived from IP, browser and device identifiers, session duration, and error diagnostics.

[REQUIRES LEGAL REVIEW] Confirm whether victim-report free-text should be treated as special-category data under GDPR (health / criminal allegations common) and whether that triggers additional safeguards.

3. How we use information

We use the information above to:

  • Process, triage, and — if approved by moderators — anonymize and publish scam patterns to help others recognize and avoid similar fraud.
  • Deliver alert messages (SMS or email) to subscribers who have opted in, per their preferences.
  • Provide victim-support resources and respond to inquiries.
  • Detect and prevent abuse of the Service.
  • Share aggregated, de-identified insights with law enforcement, regulators, and the public to help combat scams.
  • Communicate with donors and subscribers about program impact and AVASC news (only when you have opted in).
  • Comply with legal obligations.

[REQUIRES LEGAL REVIEW] Confirm whether victim reports are ever used to train AI classifiers, and if so disclose with an opt-out path consistent with GDPR Article 22 and CCPA profiling rules.

4. What gets published publicly

Approved scam patterns are published on AVASC's public database in an anonymized form. Specifically:

  • Reporter name, email, and phone are never published.
  • Free-text reports are reviewed by moderators and edited to remove identifying details, scam-artist contact information that could endanger reporters, and any password / card / SSN content that slipped through.
  • You can ask to withdraw or amend a report at any time by emailing privacy@avasc.org.

[REQUIRES LEGAL REVIEW] Define moderator workflow + retention of rejected reports, and confirm the defamation posture for user-submitted allegations.

5. How we share information

We share information only with:

  • Service providers — hosting (Vercel), database (Supabase), SMS delivery (Twilio), email delivery (SendGrid / Resend), payment processing (Stripe, PayPal), and analytics (where you have opted in).
  • Law enforcement — we may share scam reports with the FTC, FBI IC3, state attorneys general, or other authorities when required by law, subpoena, or court order, or when we believe sharing is necessary to protect against imminent harm.
  • Aggregated public reporting — de-identified, aggregated statistics may be shared with the public, press, researchers, and policymakers.
  • Business transfers — in connection with a merger or transfer of the nonprofit's assets.

We do not sell personal information.

6. SMS and email alerts

AVASC sends SMS and email alerts only to subscribers who have expressly opted in. Every SMS message complies with the Telephone Consumer Protection Act (47 U.S.C. § 227) and FCC rules; every marketing email complies with the CAN-SPAM Act. STOP / UNSUBSCRIBE / HELP keywords work as expected and are honored immediately.

You can manage your alert preferences at /alerts/preferences.

7. Cookies and tracking

We use cookies and similar technologies in four categories:

  • Strictly necessary — keeps you signed in, remembers preferences, prevents CSRF. Always on; required for the site to work.
  • Functional — remembers UI preferences. On by default; can be disabled in your browser.
  • Analytics — aggregated usage and performance data. Off unless you opt in via the consent banner.
  • Advertising / marketing — currently none; AVASC does not run advertising. This category is reserved.

[REQUIRES LEGAL REVIEW] Wire a cookie consent banner for EU / California visitors. Pattern exists on the leadsmart-ai repo and can be ported.

8. Your rights

Depending on where you live, you may have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate information.
  • Delete your account and associated personal information.
  • Export your data in a portable format.
  • Withdraw consent to marketing communications.
  • Opt out of any “sale” or “sharing” of personal information as defined under CCPA / CPRA (we do not believe we engage in either).

Exercise any right by emailing privacy@avasc.org. We respond within the timeframes required by applicable law.

9. California residents — CCPA / CPRA

If you are a California resident, you have additional rights under the CCPA and CPRA:

  • Right to know the categories of personal information we have collected, sources, purposes, and third parties we share with.
  • Right to delete personal information, with limited exceptions.
  • Right to correct inaccurate personal information.
  • Right to limit use of sensitive personal information.
  • Right to opt out of sale or sharing — AVASC does not sell or share personal information. If this ever changes we will provide a “Do Not Sell or Share” link.
  • Right to non-discrimination — we will not retaliate for exercising these rights.

To submit a request, email privacy@avasc.org with the subject “CCPA request.”

10. Retention

We retain scam reports indefinitely as anonymized pattern data (deletions erase linkage to the reporter but may leave the anonymized pattern in the database if others have relied on it). Account information is retained while the account is active; deletion removes or anonymizes personal information within 90 days, except where retention is required by law (donation records for tax purposes, SMS consent proof for TCPA).

[REQUIRES LEGAL REVIEW] Confirm retention windows per data category.

11. Security

We apply industry-standard safeguards: encryption in transit (TLS) and at rest, access controls, audit logging, and regular security reviews. Reports containing sensitive details are stored in access-controlled systems separate from public data. If you discover a security issue, please email security@avasc.org before public disclosure.

12. Children

The Service is not directed to children under 16. We do not knowingly collect personal information from children. If a child has submitted a report, parent / guardian contact at privacy@avasc.org to have it removed.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or a prominent notice at least 30 days before they take effect.

14. Contact

Questions about this Privacy Policy can be directed to privacy@avasc.org.

Association of Victims Against Cyber-Scams · Los Angeles, California · 501(c)(3) Pending

See also our Terms of Service. ← Back to Home