Privacy Policy.
FraudTrax is a professional fraud-investigation platform built for United States law enforcement. This Privacy Policy explains what we collect, how we use it, who we share it with, and how long we keep it. It applies to fraudtrax.net, app.fraudtrax.net, and the associated API services.
FraudTrax is operated by Hatchet412 / Omega Point Solutions LLC. Questions: hatchet412@proton.me.
2.a: Account data (when you sign up)
- Email address: used only for sign-in and service notifications
- Agency and referral source: optional, used for admin review of verification status
- Verification decision: whether your email domain was auto-approved, admin-approved, or placed on the waitlist
- IP address and user-agent: at sign-up and session creation, for audit and abuse prevention
2.b: Investigation data (when you use the product)
- Uploaded plate and VIN images: stored in Cloudflare R2, keyed by your user ID; only you can access your own images
- DAN-O analysis reports: the text output DAN-O produces for each analysis (the specific underlying model is disclosed in the court-ready packet per Daubert/Frye)
- Structured analysis metadata: plate number, issuing state, plate type, AI-flagged indicators, officer-confirmed indicators, fraud-probability score, case number, notes, inspection-location city/state
- Confirmed fraud reports you submit: plate, state, tag type, dealer info, seizure location, case number, fraud category, your notes, your contact info (visibility configurable: private / agency-network / all-verified-LE)
- VIN verification records: the four captured VINs (dash/B-pillar/federal/OBD), vehicle details, optional owner-self-reported fields, case info, officer name + badge, your canvas-drawn signature
- Carfax handoff audit log: each time you click "Open in Carfax for Police" we log which VIN, when, and from which feature
- Hotlist download audit log: which format you downloaded, how many rows, when
2.c: Usage data
- Session cookies (ft_session, HttpOnly, Secure, SameSite=Lax) scoped to .fraudtrax.net
- Server-side error reports (no PII) for reliability monitoring
- Aggregated, de-identified field signals (counts of which indicators fire most per state) to improve the AI's state-specific reference data
2.d: Data we do NOT collect
- We do not collect CJI (Criminal Justice Information) or run inside the CJIS security perimeter. Officers must not paste PII of civilians (names, DLs, DOBs) into free-text notes unless their agency policy permits cloud storage of that data.
- We do not sell data to third parties.
- We do not use advertising cookies or cross-site tracking.
- Provide the service: authenticate you, run AI analysis, store and retrieve your investigation records, enforce tier limits
- Improve the product: aggregate anonymized signals about which fraud indicators fire, to refine the reference data the AI uses. Paid-tier records (Officer / Agency / Enterprise) are not used as training data without separate opt-in consent. Free-tier contributions follow a separate model (see Section 3a).
- Abuse prevention: rate-limit per IP and per account, detect impossible usage patterns
- Billing: if you upgrade to a paid tier, we process payments through Stripe and retain subscription status
- Communications: sign-in links; occasional service notices (outages, policy changes); reply to your support emails
3.a: Free-tier contributions and the model-improvement flywheel
Free-tier accounts contribute to the data pipeline that improves DAN-O's accuracy. By using the free tier, you grant FraudTrax a non-exclusive, royalty-free license to use the following, and only the following, to improve the system's analysis capabilities:
- Plate images, VIN inputs, and analysis text you submit through the analyzer
- "Mark as fraud" submissions you flag for review, including any officer notes you provide
- State-level fraud-detection-measure and security-control submissions you contribute through the Contribute tab
- Screen-recording or PowerPoint contributions you upload through the Contribute tab
What this means in practice:
- Admin review. Every contribution flows through admin review. Approved submissions become ground-truth labels in the training corpus. Rejected submissions are discarded and not retained beyond the rejection record.
- Not shared, not republished, not reproduced. Approved free-tier submissions are not displayed back to other users as raw data. They are absorbed into the system's analysis capabilities. The single exception is the National Heat Map, which plots approved fraud reports at city / county granularity (no contributor identity attached).
- De-identified. Before a contribution enters the training corpus we strip officer name, badge, agency name, and any free-text identifiers we can detect. Approved heat-map plots are aggregated and rounded to ~1 km grid.
- Withdrawal. You can request deletion of all your free-tier contributions and the labels derived from them by emailing hatchet412@proton.me. Withdrawal applies prospectively: model weights already trained on prior data cannot be selectively un-trained, but the underlying labeled records are removed and will not influence future training rounds.
- Upgrade to opt out. Officer-tier ($19.99/mo) and higher are excluded from the training flywheel by default. Upgrading at any time means your future submissions are not used for model improvement unless you separately opt in.
Under no circumstances are free-tier submissions sold, licensed to third parties, used in advertising, used in research publications, or used outside FraudTrax's analysis capabilities.
4.a: DAN-O analysis engine (Anthropic Claude API under the hood)
DAN-O is FraudTrax's analysis engine. It runs on Anthropic's Claude API via Cloudflare AI Gateway. Plate images and text prompts are sent to Anthropic under their commercial data-use terms; Anthropic does not train on commercial API traffic. The specific Claude model used is disclosed on every court-ready packet (required for Daubert/Frye admissibility). See Anthropic commercial terms.
4.b: Infrastructure (Cloudflare)
All FraudTrax workers, the D1 database, R2 object storage, and Pages hosting run on Cloudflare. They process data as a subprocessor under their DPA. See Cloudflare privacy policy.
4.c: Email delivery (Resend)
Sign-in emails and service notifications are sent via Resend. Only your email address and message content are processed. See Resend privacy policy.
4.d: Billing (Stripe)
If you subscribe, Stripe processes payment data. We never see or store your full card number. See Stripe privacy policy.
4.e: National Hotlist (only what you explicitly publish)
Confirmed fraud reports you submit are reviewed by a FraudTrax administrator. Once approved, the plate, state, fraud category, dealer info, and seizure city/state are visible to any verified LE user of the platform. Your contact information (email/phone) is visible only at the level you chose when submitting: private (admin only), agency-network (opt-in participating agencies), or all-verified-LE.
4.f: Law-enforcement requests
We respond to valid legal process (subpoena, court order, warrant). We will notify you before complying unless legally prohibited.
- Uploaded images: retained while your account is active; deletable any time; automatically purged on account deletion
- Error-reporting records (the internal errors.fraudtrax.net dashboard): 30 days rolling
- Magic-link tokens: 15 minutes
- Sessions: 30 days, revocable via sign-out
- Saved analyses, cases, VIN verifications, confirmed fraud reports: retained while your account is active; deletable any time
- Subscription / billing records: 7 years, as required by tax law
- Audit logs (Carfax handoffs, hotlist downloads): retained for the life of the account for security review
- Access: request an export of your data
- Correction: edit your analyses, cases, reports, and verifications at any time through the app (signed records are locked; we will issue a corrected record on request)
- Deletion: delete individual records, or email us to delete your account entirely
- Portability: export saved analyses as CSV, VIN verifications as printable HTML/PDF
- Withdraw consent: revoke contact-visibility on confirmed fraud reports at any time
To exercise any of these rights, email hatchet412@proton.me from the email address on your account.
- All traffic over TLS 1.2+
- At-rest encryption on Cloudflare D1 and R2
- Session cookies are HttpOnly, Secure, SameSite=Lax
- Password + TOTP MFA sign-in (magic-link is being sunset)
- Admin-only review gates on national hotlist publication
- Audit logs for sensitive events (hotlist download, Carfax handoff, admin review actions)
No system is perfect. If you believe your account has been compromised or you discover a security issue, email security@fraudtrax.net immediately.
FraudTrax is not directed to, or usable by, anyone under 18. We do not knowingly collect data from minors.
FraudTrax is designed for and hosted in the United States. Data may be processed in US-based Cloudflare data centers and the US-region Anthropic API. Do not use this service if you are accessing it from a jurisdiction whose laws would prohibit that transfer.
We will post material changes to this page and, where we have your contact on file, email you a notice at least 14 days before they take effect. The effective date at the top of this page will always reflect the current version.
Questions, concerns, or legal requests: hatchet412@proton.me
Operator: Hatchet412 / Omega Point Solutions LLC.