Who we are

ScamList is a community-powered scam-detection platform. It lets people report and look up fraud-linked identifiers — phone numbers, LINE IDs, social handles, links, and more — to protect others before they become victims.

The data controller for personal data collected through ScamList is ScamList Ltd. We process personal data in accordance with the Thailand Personal Data Protection Act B.E. 2562 (PDPA).

Contact us at any time: [email protected]

What data we collect

Data you give us directly

• Email address — when you join our waitlist or create an account.
• Language preference — English or Thai, detected from your browser or set manually.
• Scam reports — identifiers you associate with a scam: phone numbers, LINE IDs, social handles, URLs, crypto wallet addresses, bank or e-wallet account numbers, plus optional evidence screenshots. These relate to alleged scammers, not to you — see Section 6.
• Dispute requests — your contact details and supporting information if you dispute a listing.

Data collected automatically

• IP address — processed by Cloudflare for security. Not stored directly by us.
• Browser and device information — OS, browser type, screen size. Used in aggregate only.

How and why we use it

Where we rely on consent, you may withdraw it at any time by unsubscribing or emailing us. Withdrawal does not affect processing already carried out.

Where we rely on legitimate interests, you may object at any time — see Section 7.

How long we keep it

We may keep data longer where required by Thai law or to defend a legal claim.

Who we share it with

We do not sell your data. We do not share it with advertisers. We share only with the processors below under data processing agreements.

We may disclose data to Thai law enforcement or authorities where required by law or court order.

Scam report data — special notice

What the database contains

Reports may include phone numbers, LINE IDs, social handles, URLs, crypto wallet addresses, and bank or e-wallet account numbers associated with a scam incident, plus supporting screenshot evidence.

The database does not contain facial recognition data, full identity documents, or biometric identifiers.

Moderation and evidence

All reports must include supporting evidence. Our team reviews each report for credibility before it is published. Reports that do not meet our evidence threshold are rejected.

AI processing

ScamList uses automated analysis to cross-reference identifiers across multiple reports, detect reused profile photographs, check whether profile images appear to be AI-generated, and identify patterns associated with known scam scripts. No automated decision has legal or similarly significant effects without human review.

If you are the subject of a report

If an identifier associated with you has been incorrectly reported, you have the right to dispute it. Email [email protected] with the subject "Dispute Request", the identifier(s) you are disputing, and your reasoning. We acknowledge within 5 business days and aim to resolve within 30 days. If upheld, we remove the data promptly.

Your rights under Thai PDPA

Under the Personal Data Protection Act B.E. 2562, you have the following rights over personal data we hold about you as a ScamList user.

• Right to access (Section 30) — request a copy of your personal data we hold.
• Right to data portability (Section 31) — receive your data in a structured, machine-readable format.
• Right to object (Section 32) — object to processing based on legitimate interests.
• Right to erasure (Section 33) — request deletion of your data where it is no longer necessary.
• Right to restrict processing (Section 34) — ask us to pause processing in certain circumstances.
• Right to rectification (Section 36) — ask us to correct inaccurate data.
• Right to withdraw consent (Section 19) — withdraw consent for marketing emails at any time.

To exercise any right, email [email protected]. We will respond within 30 days. We may need to verify your identity first.

If you believe we have breached the PDPA, you may lodge a complaint with the Personal Data Protection Committee (PDPC).

Cookies and tracking

We do not use advertising cookies, third-party tracking pixels, or analytics that profile individual users. We do not participate in cross-site tracking.

Security

We implement appropriate technical and organisational measures including: TLS encryption in transit, encryption at rest, Cloudflare Workers as a security proxy layer, server-side Turnstile verification, and access controls limiting who can access personal data.

No internet transmission is completely secure. In the event of a data breach posing a risk to your rights, we will notify the PDPC within 72 hours and affected individuals without undue delay.

International data transfers

Some processors are located outside Thailand (GoHighLevel in the United States; Cloudflare on a global network). Where we transfer personal data of Thai residents internationally, we ensure receiving parties provide adequate protection standards as required by PDPA Section 28, including through contractual safeguards.

Children

ScamList is not directed at children under 20 years old (the age of majority in Thailand). We do not knowingly collect personal data from minors. If you believe we have done so, contact [email protected] and we will delete it promptly.

Changes to this policy

When we make material changes we will update the date at the top of this page and notify waitlist members by email if the changes materially affect how their data is used.

Contact

For privacy requests: [email protected]

To dispute a listing: [email protected]

General enquiries: [email protected]

We aim to respond to all requests within 30 days.