Privacy Policy
Effective: April 21, 2026 · Last updated: April 21, 2026
FraudTrax is a professional fraud-investigation platform built for United States law enforcement. This Privacy Policy explains what we collect, how we use it, who we share it with, and how long we keep it. It applies to fraudtrax.net, app.fraudtrax.net, and the associated API services.
Plain-English summary. We collect the minimum data needed to run the service: your work email, the plate photos and case notes you upload, and basic usage metadata. We don't sell data. Plate images go to Anthropic (Claude) for AI analysis under their commercial terms. Confirmed fraud reports that you choose to publish into the National Hotlist are shared with other verified agencies. You can delete your account and data at any time.
1. Who We Are
FraudTrax is operated by Hatchet412 / CCR Capital Investments, LLC. Questions: [email protected].
2. Data We Collect
a. Account data (when you sign up)
- Email address — used only for sign-in magic links and service notifications
- Agency and referral source — optional, used for admin review of verification status
- Verification decision — whether your email domain was auto-approved, admin-approved, or placed on the waitlist
- IP address and user-agent — at sign-up and session creation, for audit and abuse prevention
b. Investigation data (when you use the product)
- Uploaded plate and VIN images — stored in Cloudflare R2, keyed by your user ID; only you can access your own images
- AI analysis reports — the text output from Claude for each analysis
- Structured analysis metadata — plate number, issuing state, plate type, AI-flagged indicators, officer-confirmed indicators, fraud-probability score, case number (if you entered one), notes, inspection-location city/state
- Confirmed fraud reports you submit — plate, state, tag type, dealer info, seizure location, case number, fraud category, your notes, your contact info (visibility configurable: private / agency-network / all-verified-LE)
- VIN verification records — the four captured VINs (dash/B-pillar/federal/OBD), vehicle details, optional owner-self-reported fields, case info, officer name + badge, your canvas-drawn signature
- Carfax handoff audit log — each time you click "Open in Carfax for Police" we log which VIN, when, and from which feature (for audit and abuse detection)
- Hotlist download audit log — which format you downloaded, how many rows, when
c. Usage data
- Session cookies (
ft_session, HttpOnly, Secure, SameSite=Lax) scoped to .fraudtrax.net
- Server-side error reports (no PII) for reliability monitoring
- Aggregated, de-identified field signals (counts of which indicators fire most per state) to improve the AI's state-specific reference data
d. Data we do NOT collect
- We do not collect CJI (Criminal Justice Information) or run inside the CJIS security perimeter. Officers must not paste PII of civilians (names, DLs, DOBs) into free-text notes unless their agency policy permits cloud storage of that data.
- We do not sell data to third parties.
- We do not use advertising cookies or cross-site tracking.
3. How We Use the Data
- Provide the service — authenticate you, run AI analysis, store and retrieve your investigation records, enforce tier limits
- Improve the product — aggregate anonymized signals about which fraud indicators fire, to refine the reference data the AI uses; raw individual records are not used as training data
- Abuse prevention — rate-limit per IP and per account, detect impossible usage patterns
- Billing — if you upgrade to a paid tier, we process payments through Stripe and retain subscription status
- Communications — sign-in links; occasional service notices (outages, policy changes); reply to your support emails
4. How Data Is Shared
a. AI analysis — Anthropic (Claude)
Plate images and text prompts are sent to Anthropic's Claude API for analysis under Anthropic's commercial data-use terms. Anthropic does not train on commercial API traffic. See Anthropic commercial terms.
b. Infrastructure — Cloudflare
All FraudTrax workers, the D1 database, R2 object storage, and Pages hosting run on Cloudflare. They process data as a subprocessor under their DPA. See Cloudflare privacy policy.
c. Email delivery — Resend
Magic-link sign-in emails and service notifications are sent via Resend. Only your email address and message content are processed. See Resend privacy policy.
d. Billing — Stripe
If you subscribe, Stripe processes payment data. We never see or store your full card number. See Stripe privacy policy.
e. National Hotlist (only what you explicitly publish)
Confirmed fraud reports you submit are reviewed by a FraudTrax administrator. Once approved, the plate, state, fraud category, dealer info, and seizure city/state are visible to any verified LE user of the platform. Your contact information (email/phone) is visible only at the level you chose when submitting: private (admin only), agency-network (opt-in participating agencies), or all-verified-LE.
f. Law-enforcement requests
We respond to valid legal process (subpoena, court order, warrant). We will notify you before complying unless legally prohibited.
5. Data Retention
- Uploaded images: retained while your account is active; deletable any time; automatically purged on account deletion
- Error-reporting records (the internal
errors.fraudtrax.net dashboard): 30 days rolling
- Magic-link tokens: 15 minutes
- Sessions: 30 days, revocable via sign-out
- Saved analyses, cases, VIN verifications, confirmed fraud reports: retained while your account is active; deletable any time
- Subscription / billing records: 7 years, as required by tax law
- Audit logs (Carfax handoffs, hotlist downloads): retained for the life of the account for security review
6. Your Rights
- Access — request an export of your data
- Correction — edit your analyses, cases, reports, and verifications at any time through the app (signed records are locked; we will issue a corrected record on request)
- Deletion — delete individual records, or email us to delete your account entirely
- Portability — export saved analyses as CSV, VIN verifications as printable HTML/PDF
- Withdraw consent — revoke contact-visibility on confirmed fraud reports at any time
To exercise any of these rights, email [email protected] from the email address on your account.
7. Security
- All traffic over TLS 1.2+
- At-rest encryption on Cloudflare D1 and R2
- Session cookies are HttpOnly, Secure, SameSite=Lax
- Passwordless sign-in (magic links, 15-min TTL) — no password database to breach
- Admin-only review gates on national hotlist publication
- Audit logs for sensitive events (hotlist download, Carfax handoff, admin review actions)
No system is perfect. If you believe your account has been compromised or you discover a security issue, email [email protected] immediately.
8. Children's Privacy
FraudTrax is not directed to, or usable by, anyone under 18. We do not knowingly collect data from minors.
9. International Users
FraudTrax is designed for and hosted in the United States. Data may be processed in US-based Cloudflare data centers and the US-region Anthropic API. Do not use this service if you are accessing it from a jurisdiction whose laws would prohibit that transfer.
10. Changes to This Policy
We will post material changes to this page and, where we have your contact on file, email you a notice at least 14 days before they take effect. The effective date at the top of this page will always reflect the current version.
11. Contact
Questions, concerns, or legal requests: [email protected]
Operator: Hatchet412 / CCR Capital Investments, LLC.