Cactus
Privacy
What Cactus does (and does not do) with the URLs and email content you submit.
What Cactus collects
Cactus only processes what you explicitly paste into the checker:
- The URL you submit on the Check a Link page.
- The email body you submit on the Check an Email page, plus every URL Cactus extracts from it.
Cactus does not ask for an account, does not use tracking cookies, and does not store a personal profile of you.
How that data is used
- Local rule checks. The URL is parsed and run through Cactus's own rules (HTTPS, lookalike domains, suspicious TLDs, sensitive-account wording, etc.). This happens entirely on the Cactus server.
- Google Web Risk lookup. The normalized URL is sent to Google Web Risk to check it against known-threat lists. Google's privacy policy applies to that request. For an email submission, every URL Cactus extracts may be sent to Google Web Risk separately (capped at 10 per email).
- Redirect resolution. For URLs that are not already on a trusted domain, Cactus makes a small HEAD request to the URL (and follows any redirects, up to 5 hops, with a 4-second budget) so it can show you where the link actually leads. Cactus does not download the page body. The site operator can see Cactus's server IP in that request. Cactus refuses to contact hosts that resolve to private, loopback, or otherwise non-public IP addresses.
- Domain registration lookup. Cactus queries the public rdap.org RDAP proxy with the registrable form of the domain (for example example.com, not the full URL) to retrieve its registration date. Domains under 90 days old are flagged, since fresh registrations are a common phishing indicator. Results are cached for 24 hours.
- Caching. Analysis results for a given URL are cached in-memory on the server for up to 6 hours (sliding 30-minute window) so repeated checks of the same URL are fast and do not re-hit Google Web Risk. The cache is process-local and is cleared whenever the server restarts.
- Rate limiting. Cactus applies a per-IP rate limit (10 URL checks / minute, 5 email checks / minute). This requires temporarily processing your IP address in memory; it is not persisted.
- Server logs. The web server may log standard request metadata (timestamp, request path, HTTP status, IP) for operational and abuse-prevention purposes, as is normal for any web application.
- Browser scan history. Cactus saves a summary of your recent checks (input text, score, and a permalink) to your browser's localStorage. This data never leaves your device — it is not transmitted to the Cactus server or any third party. You can clear it at any time using the "Clear history" button on the home page, or via your browser's site data settings.
Third-party services and data outside Quebec
Some checks require sending limited data to third-party services. Each provider receives only what is described below, and some are located outside Quebec and Canada (notably the United States), which means the data is handled under the laws of those jurisdictions:
- Google Web Risk (Google LLC, United States). The normalized URL — or each URL extracted from an email — is sent to Google to compare against known-threat lists. Google receives that URL and its own privacy terms apply.
- rdap.org (domain registration lookup). Only the registrable domain (for example example.com) is sent to retrieve its public registration date — never the full URL or any email content.
- Public DNS resolvers. Email-authentication checks query the domain's public DNS records (SPF, DMARC, and common DKIM selectors). This is public information any mail server can read.
Cactus does not sell or rent personal information and does not disclose it to anyone other than the providers listed above, only for the purposes described.
How long data is kept
Cactus is designed to retain as little as possible:
- Analysis cache: results for a submitted URL are held in server memory for up to 6 hours (30-minute sliding window) and cleared on restart. They are never written to a database.
- Domain-age cache: RDAP results are cached in memory for up to 24 hours.
- IP address: processed transiently in memory only to enforce rate limits; it is not saved to a database or used to build a profile.
- Server logs: standard request metadata may be kept short-term for security and abuse prevention, then rotated out.
- On your device: your scan history and theme preference live in your browser's localStorage until you clear them — they are never transmitted to Cactus.
Cookies and local storage
Cactus uses no advertising or tracking cookies. The only cookie it sets is a strictly necessary one that remembers your language choice (English or French) when you use the language switcher. Your theme preference and scan history are kept in your browser's localStorage and stay on your device.
Automated analysis
The confidence score and verdict are produced automatically by local rules and threat-intelligence lookups — there is no human review of individual checks. The result is informational guidance only and does not, by itself, make a decision that produces legal or similarly significant effects about you. Every result page lists, in plain language, the factors behind the score so you can see why it was given.
What Cactus does not do
- It does not click, render, or download page contents from the URLs you submit. Redirect resolution uses HEAD requests only.
- It does not forward email contents to any third party other than Google Web Risk for the extracted URLs.
- It does not sell, share, or use submitted content for advertising or model training.
Your privacy rights
Under Quebec's Law 25 and Canada's PIPEDA, you have the right to access the personal information an organization holds about you, to ask that it be corrected, and to withdraw consent. Because Cactus requires no account and does not persistently store submissions or a profile, in most cases there is no retained personal information tied to you to access or correct. If you believe Cactus holds information about you, contact the person responsible (below). You may also file a complaint with the Commission d'accès à l'information du Québec or the Office of the Privacy Commissioner of Canada.
Safeguards and breach notification
Cactus applies reasonable safeguards: traffic is served over HTTPS, submissions are not persisted to durable storage, and outbound requests are restricted to prevent abuse of internal networks. No system is perfectly secure. If a confidentiality incident occurs that presents a risk of serious injury, Cactus will take reasonable steps and give notice as required by Law 25.
Who is responsible and how to reach us
The person responsible for the protection of personal information at Cactus can be reached at info@cactus.net for any privacy question, access or correction request, or to withdraw consent.
What you should not paste
Because Cactus sends URLs to Google Web Risk and may log standard request metadata, avoid pasting:
- Password-reset, magic-link, or other one-time-use sign-in links.
- Document-sharing links that grant access via the URL itself (Google Drive, SharePoint, Dropbox, etc.).
- Calendar invites or meeting links with embedded tokens.
- Email content with names, account numbers, ticket IDs, or any sensitive text you would not want stored in a log.
If you only want to verify that a domain looks safe, paste only the domain (for example example.com).
Important limitation
Cactus gives guidance, not a guarantee. A clean result does not prove a link or email is safe. New phishing sites, targeted attacks, and recently created domains may not yet appear in any threat-intelligence feed.
Last updated: May 2026.