// verified posture · evidence index

Trust, but verify.

Every badge in our footer is listed below with a plain-language explanation, steps you can run yourself to check it, and the honest limits of what each claim does and doesn't cover.

HTTPS / TLS 1.3

updated 2026-05-18

Every byte that travels between your browser and our servers goes through an encrypted tunnel. Someone snooping on the wifi network can't read it.

// verify it yourself
  1. Check the padlock in your address bar

    Click the padlock icon next to the URL. Your browser will show 'Connection is secure' and the certificate details, including the TLS version (should be 1.2 or 1.3).

  2. Run an independent SSL scan

    Paste this site's URL into SSL Labs' free scanner. It produces a public report card (A through F) for the TLS configuration.

    SSL Labs SSL Test
// limits · what this does NOT cover

TLS protects data in transit only. It does NOT guarantee the server is honest or that the data stored on the server is encrypted at rest.

No accounts · No tracking

updated 2026-05-18

You don't create an account to use this tool. We don't load Google Analytics, Facebook Pixel, or any third-party ad tracker.

// verify it yourself
  1. Open your browser's DevTools → Network tab

    Press F12 (or Cmd-Option-I on Mac), click 'Network', then reload this page. Look at the 'Domain' column. You should see only this site's domain plus our backend (lovable.app / supabase.co). No google-analytics.com, no facebook.net, no doubleclick.net.

  2. Install a tracker blocker and watch it stay silent

    Tools like uBlock Origin or Privacy Badger show a counter of blocked requests. On this site it should stay at 0 or near 0.

    uBlock Origin
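
The Network-tab check in step 1 can also be scripted. The following is an added example, not this site's own code: the function names are hypothetical, the domain lists are copied from the step above, and `app.example.test` plus the sample URLs are constructed stand-ins.

```javascript
// Added example, not this site's code. Domain lists are copied from the page text.
const BACKEND_DOMAINS = ['lovable.app', 'supabase.co'];
const NAMED_TRACKERS = ['google-analytics.com', 'facebook.net', 'doubleclick.net'];

// True when host is the domain itself or one of its subdomains. A substring
// test would wrongly accept a look-alike such as "supabase.co.attacker.example".
function underDomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Sort every requested host into expected / trackers / unexpected.
// urls: request URLs from the page load; siteHost: the hostname in the address bar.
function auditRequests(urls, siteHost) {
  const expectedDomains = [siteHost.toLowerCase(), ...BACKEND_DOMAINS];
  const buckets = { expected: new Set(), trackers: new Set(), unexpected: new Set() };
  for (const raw of urls) {
    let url;
    try { url = new URL(raw); } catch { continue; }        // skip unparseable entries
    if (!/^(https?|wss?):$/.test(url.protocol)) continue;   // skip data:, blob:, extension URLs
    const host = url.hostname.toLowerCase();
    if (NAMED_TRACKERS.some((d) => underDomain(host, d))) buckets.trackers.add(host);
    else if (expectedDomains.some((d) => underDomain(host, d))) buckets.expected.add(host);
    else buckets.unexpected.add(host);
  }
  return {
    expected: [...buckets.expected].sort(),
    trackers: [...buckets.trackers].sort(),
    unexpected: [...buckets.unexpected].sort(),
  };
}

// Constructed sample input; app.example.test stands in for this site's hostname.
const SAMPLE_URLS = [
  'https://app.example.test/assets/index.js',
  'https://abc123.supabase.co/rest/v1/reports',
  'https://www.google-analytics.com/collect?v=1',
  'https://supabase.co.attacker.example/x.js',
  'https://fonts.example.net/font.woff2',
  'data:image/png;base64,AAAA',
];
console.log(auditRequests(SAMPLE_URLS, 'app.example.test'));

// In the DevTools Console of the loaded page, audit the real requests instead:
//   auditRequests(performance.getEntriesByType('resource').map((e) => e.name), location.hostname)
```

The Resource Timing list does not include the top-level document request, so treat the Network tab as the complete record.
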
// limits · what this does NOT cover

Your network provider and our hosting provider (Cloudflare/Supabase) can still see basic request metadata (IP, timing). We don't sell or share it, but we can't make it invisible to them.

PWA sandbox

updated 2026-05-18

This app runs inside your browser's locked sandbox — the same isolation that protects your laptop when you visit any random website. It can't reach files on your computer, your other browser tabs' data, or other apps.

// verify it yourself
  1. It's just a website

    There's no installer, no .exe, no admin permissions request. Even when installed as a PWA, browsers run it under the same Same-Origin Policy and sandbox as a regular tab.

  2. Read the browser's PWA security model

    Both Chromium and Mozilla document exactly what a PWA can and cannot access.

    MDN: Progressive Web Apps
// limits · what this does NOT cover

The sandbox protects your device from us. It does NOT mean the data you type in is encrypted on our backend — see the database section below.

Community-verified blacklist

updated 2026-05-18

Entries on the blacklist come from real people reporting real scams. No single report is taken at face value — an entity needs 3 or more independent reports before it auto-promotes to the temporary blacklist, and an admin reviews before it reaches the verified list.

// verify it yourself
  1. Submit a test report and watch it sit at 1/3

    Go to Report a Scam, file one report against a fake test entity, then look it up in Risk & Recon. You'll see the report count, not a verdict.

    Report a Scam
  2. Cross-check against external scam databases

    If a blacklisted entry is real, it usually also appears in Chainabuse, ScamAdviser, or the FTC's Consumer Sentinel. Look it up there too.

    Chainabuse
// limits · what this does NOT cover

Community data is noisy. False positives happen (revenge reports) and false negatives happen (new scams haven't been reported yet). Treat results as one signal among several.

Source-visible build

updated 2026-05-18

The code running in your browser right now is built from a public repository. Anyone — including you — can read it, search it for hidden tricks, and check that it does what we say it does.

// verify it yourself
  1. Open the repo and search the source

    Look for analytics scripts, third-party trackers, or anything that uploads your data. Files like AppShell.tsx, TrustRegistry.tsx, and the route files are the whole app surface.

    Project source (link once published)
  2. View source on this page

    Right-click → 'View page source' in your browser. The bundled JavaScript is minified, but it comes from the same files you can read in the repo.

// limits · what this does NOT cover

'Source-visible' is not the same as a reproducible build. We don't currently publish build hashes that let you cryptographically prove the deployed bundle matches a specific commit.

// claims we do NOT make

Badges you'll never see in our footer (and why)

Pig-butchering sites win trust by faking impressive-sounding compliance claims. We refuse to use their playbook, even when it would look better.

  • SOC 2 Type II

    Requires a paid third-party audit ($15k–$80k, 6–12 months). We don't have one. Any site that claims SOC 2 without a publishable report is bluffing.

  • "Bank-grade" or "military-grade" encryption

    Marketing phrases with no technical definition. The actual standard is TLS 1.3, which we list honestly above.

  • Multi-agency API verified

    Would only be true once we integrate live feeds from agencies like the FTC, FBI IC3, or Chainabuse. Until those integrations are live and named on this page, we don't claim it.

// evidence changelog

What changed and when

Every time we add, revise, weaken, or retract a trust claim, it lands here. Newest first. The per-badge "updated" stamp above is the date of that badge's most recent entry below.

format v1 · generated
// sha-256 of this exact export
computing…

What this proves: the file you download is byte-identical to what your browser rendered. Run shasum -a 256 trust-changelog.txt locally and compare to the hash above.

What this does NOT prove: our identity. There is no private key on the client, so this is not a cryptographic signature. To verify the file actually came from us, also compare the hash to the reference hash published in the public source repo — that's a channel an attacker on the network can't forge.

  1. added: (page)

    Published the /trust page with plain-language evidence and self-verify steps for all five footer badges.

  2. added: HTTPS / TLS 1.3

    Initial evidence: SSL Labs link + 'check the padlock' steps. Limits note: TLS covers transit only, not data at rest.

  3. added: No accounts · No tracking

    Initial evidence: DevTools Network walkthrough + uBlock Origin link. Limits note: hosting providers still see request metadata.

  4. added: PWA sandbox

    Initial evidence: MDN PWA reference. Limits note: sandbox protects device, not backend data.

  5. added: Community-verified blacklist

    Initial evidence: 3-report promotion threshold + Chainabuse cross-check. Limits note: noisy data, false +/- possible.

  6. added: Source-visible build

    Initial evidence: 'view source' + repo browse. Limits note: not a reproducible build — no published bundle hashes yet.

  7. removed: (retracted)

    Removed prior claims of '256-bit military-grade encryption', 'SOC 2 Type II', and 'multi-agency API verified' from the footer. None were independently verifiable. See 'claims we do NOT make' above.

// see something we got wrong? open a report or file an issue on the source repo.
