An email arrived in my inbox on the 4th of April. Subject line: “Different approach to monitoring, no app install needed.”

On the surface, it looked like the kind of outreach I get occasionally. A company is making a case for its child-safety product and wants my attention. I review products. I reviewed Salfeld Child Control last October, tested it properly, asked the right questions, and published an honest assessment because it earned one.

So my first reply was simple. Thanks, I’ll have a look.

But before I could write a single word about SafeScroll for this newsletter, I had questions. Nine of them.

What followed is something I think every parent who has ever downloaded a child safety app needs to read.

The Email That Started This

The pitch was actually quite clever. SafeScroll, the email claimed (All emails in a gallery below), monitors a child’s social media activity using only their username. No app on the child’s phone. No device access. No VPN. Parents type in a username and get alerts about what is being posted publicly1.

The reasoning was smart. Most monitoring tools require cooperation from the teenager, and that is where most parents lose the battle. Fair point.

But then I read the bottom of the email.

“This company runs autonomously · polsia.com”

That one line changed a lot for me.

What Is Polsia?

Polsia describes itself as “an autonomous AI system that plans, codes, and markets your company 24/7.”2 Their tagline is “AI that runs your company while you sleep.” SafeScroll is not a company built by a team of child safety professionals. It is a product built by AI, marketed by AI3. The email that landed in my inbox was, in all likelihood, written and sent by an AI system. There is no “Cold Outreach team” in the traditional sense.

The domain ownership is hidden behind a privacy service, standard practice for some businesses, but worth noting for a product being marketed to parents as a child safety tool. A search of publicly available WHOIS records4 confirms the registration is shielded, meaning there is no named individual or company verifiable at the domain level. On Trustpilot5, user reviews describe credits burned on work marked as complete that was not delivered, support described as an AI chatbot rather than a human, and billing that continued working when the product did not. I want to be clear about what Trustpilot reviews are: individual user accounts, unverified, and reflecting a range of experiences. But the pattern across multiple independent reviewers is consistent enough to flag

AI as a tool can be genuinely useful. But an AI system autonomously building and marketing a child safety product, with no identifiable human expertise in safeguarding, child protection, or digital forensics behind it, is a different thing entirely.

The Nine Questions

On the 6th of April, I sent my formal questions. The same process I use for any product I consider covering here.

• Are you registered with the Information Commissioner’s Office (ICO)? If so, please provide your registration number.

• Where is the data stored? Which country, and on which servers?

• How long is data retained after a parent cancels the service?

• Does your product scrape data from Instagram or TikTok? If so, how do you comply with their Terms of Service?

• Exactly what can SafeScroll see and what can it not see?

• Was the initial email to me generated and sent by an AI system via Polsia’s platform?

• Who are the named human safeguarding or child protection professionals involved in building this product?

• Please provide a direct link to your full privacy policy.

• Are you compliant with UK GDPR? Do you have a designated Data Protection Officer?

They replied, Well, Kind Of.

SafeScroll came back to me. And to their credit, they did at least respond.

But when I went through their reply to those nine questions, here is where things stood.

Fully answered: 0 out of 9.

Partially answered: 2 out of 9.

Not answered: 7 out of 9.

No ICO registration number. No country of data storage. No named hosting provider. No named safeguarding professionals. No privacy policy link. No Data Protection Officer. No answer on whether the original email was AI-generated.

They confirmed the product monitors public activity via username, that data is stored encrypted on their servers, and that they are “GDPR compliant.” A self-declaration is not the same as verification, but it is something.

The Claim That Does Not Add Up

Here is the line that stopped me.

“unusual patterns” including “DMs from adults.”6

DMs are private. They are not visible to any third-party tool that accesses only a public profile via username. If SafeScroll can only see public posts, it cannot see who is sending your child direct messages, how many, or from whom.

So one of two things is true. Either the product accesses more data than they are telling parents, which raises serious questions about what they are actually collecting. Or the claim about flagging DMs is not accurate, and parents who download this tool, believing it will alert them to suspicious direct message activity, will not get what they were promised. This is not a grey area. It is a direct contradiction at the heart of the product’s core safety claim.

⚡Please don’t forget to react & restack if you appreciate my work. More engagement means more people might see it. ⚡

The Second Email

I went back to them the same day their reply arrived. I laid out the seven unanswered questions again, called out the DM contradiction, and asked for a clear explanation.

I told them I intended to publish by the end of the week. I said I would include their response in full, whatever it said. I told them that if I did not hear back by Wednesday, I would note publicly that these questions had remained unanswered after two rounds of contact.

Wednesday came.

Wednesday went.

Nothing.

What the Silence Tells Us

I am not going to over-interpret silence. Companies miss deadlines. Inboxes get cluttered, I know this from first-hand experience.

But I am publishing now because the information I already have is enough, and because parents are actively being marketed to by this product right now.

Here is what we know. SafeScroll is a product built on Polsia’s autonomous AI platform. No human safeguarding team designed it. A domain that is less than a year old, with hidden ownership details. Their reply to nine specific questions answered none of them fully. And the one substantive safety claim in their reply, that the product can flag DMs from adults, is not consistent with a tool that only accesses public profile data.

I gave them two opportunities to set the record straight. They did not take either one.

What You Should Ask Before Downloading Anything

Before you download or sign up for any child safety app:

• Who built it? Not a brand name. Named individuals with verifiable safeguarding or child protection credentials.

• Is it ICO-registered? Check ico.org.uk. Any UK company processing personal data about children should be listed.

• What exactly can it see? Public posts only? DMs? Stories? Private accounts? Demand specifics.

• Where is the data stored? Which country, which servers? What happens if the company closes?

• Does it comply with platform rules? Third-party tools scraping Instagram or TikTok data may be violating those platforms’ Terms of Service.

• Has it been independently reviewed? Not by influencers or bloggers. By security researchers or child protection professionals.

What I Am Doing About It

Writing about this is not enough. So I want to be open with you about the steps I am taking beyond publishing.

I have submitted a formal concern to the Information Commissioner’s Office. The ICO is the UK’s independent data protection regulator. If SafeScroll is collecting personal data submitted by UK users without being registered, that is not a question of best practice. It is a legal requirement. I have provided them with the full documented correspondence, the questions I asked, the partial reply I received, and the silence that followed. They will decide what, if anything, to investigate. But I felt it was important that the concern was on record.

I do not know what the regulator will do with these reports. That is not the point. The point is that if you come across something like this and you have the platform and the background to raise it formally, you should. I spent eight years in Digital Forensics and Incident Response. I know how to document a concern properly. So I did.

If SafeScroll responds to any of this, I will update this post with their response in full.

You are not alone in trying to navigate this. That is what I am here for

As always, thank you for your support. Please share this across your social media, and if you do have any comments, questions, or concerns, then feel free to reach out to me, as I am always happy to spend some time helping to protect children online.

Remember that becoming a paid subscriber means supporting a charity that is very close to my heart and doing amazing things for people. Childline, I will donate all subscriptions collected every six months, as I don’t do any of this for financial gain.

Want to Support Great Causes? (And Get Absolutely Nothing Else?)

Dale (Cyber Safety Guy)

·

February 10, 2025

Read full story

If you or a child you know needs support:

Childline: 0800 1111 | childline.org.uk

Available 24/7, 365 days a year. Free, confidential, and here for every child.

Share

Cyber Safety Guy Podcast