Editor's note [25/04/26]:

SafeScroll replied after this article was published. I said I would include their response in full, whatever it said. Their complete reply is below, followed by my assessment of it.

On the DM contradiction, they have retracted the claim. Their exact words: "You caught a misleading claim in a prior response. I'm flagging it directly." They have confirmed the product cannot see direct messages and monitors public posts only. That is the most important correction in their reply, and they made it clearly. Credit where it is due.

On ICO registration, they have confirmed they are a US-based company without ICO registration, stating they do not process UK residents' data specifically. I have forwarded this reply to the ICO as an update to the formal concern I submitted before publication. UK GDPR has extraterritorial reach. Any company intentionally targeting UK parents, which cold-emailing a UK-based child safety advocate to promote a product to UK families clearly is, may fall within its scope regardless of where their servers are located.

Where UK GDPR applies to a non-UK company, Article 27 requires them to appoint a UK Representative as a point of accountability for UK residents and the ICO. There is no evidence of one here.

On data storage, the product is hosted on Render infrastructure in the US with a Neon PostgreSQL database. Data is deleted within 30 days of cancellation. Data stored under US jurisdiction can be subject to US CLOUD Act requests, which allow American law enforcement to compel US companies to produce data stored anywhere in the world. UK parents should be aware of that.

On compliance, their own reply states they "cannot claim full GDPR compliance as a US entity without EU residency." No SOC2 certification. No named safeguarding professionals. These remain unanswered.

On data sharing, they confirm data is not sold or shared with third parties.

Their reply in full:

My overall assessment: this is a more substantive reply than their first, and they deserve credit for acknowledging the DM error directly. But the core concerns remain. No ICO registration. No named safeguarding professionals. No independent security certification. Data under US jurisdiction. A product built and marketed autonomously by AI that could not fully deliver on one of its central safety claims.

I will continue to monitor this. If anything changes, I will update this post again.

An email arrived in my inbox on the 4th of April. Subject line: “Different approach to monitoring, no app install needed.”

On the surface, it looked like the kind of outreach I get occasionally. A company is making a case for its child-safety product and wants my attention. I review products. I reviewed Salfeld Child Control last October, tested it properly, asked the right questions, and published an honest assessment because it earned one.

So my first reply was simple. Thanks, I’ll have a look.

But before I could write a single word about SafeScroll for this newsletter, I had questions. Nine of them.

What followed is something I think every parent who has ever downloaded a child safety app needs to read.

The Email That Started This

The pitch was actually quite clever. SafeScroll, the email claimed (All emails in a gallery below), monitors a child’s social media activity using only their username. No app on the child’s phone. No device access. No VPN. Parents type in a username and get alerts about what is being posted publicly1.

The reasoning was smart. Most monitoring tools require cooperation from the teenager, and that is where most parents lose the battle. Fair point.

But then I read the bottom of the email.

“This company runs autonomously · polsia.com”

That one line changed a lot for me.

What Is Polsia?

Polsia describes itself as “an autonomous AI system that plans, codes, and markets your company 24/7.”2 Their tagline is “AI that runs your company while you sleep.” SafeScroll is not a company built by a team of child safety professionals. It is a product built by AI, marketed by AI3. The email that landed in my inbox was, in all likelihood, written and sent by an AI system. There is no “Cold Outreach team” in the traditional sense.

The domain ownership is hidden behind a privacy service, standard practice for some businesses, but worth noting for a product being marketed to parents as a child safety tool. A search of publicly available WHOIS records4 confirms the registration is shielded, meaning there is no named individual or company verifiable at the domain level. On Trustpilot5, user reviews describe credits burned on work marked as complete that was not delivered, support described as an AI chatbot rather than a human, and billing that continued working when the product did not. I want to be clear about what Trustpilot reviews are: individual user accounts, unverified, and reflecting a range of experiences. But the pattern across multiple independent reviewers is consistent enough to flag

AI as a tool can be genuinely useful. But an AI system autonomously building and marketing a child safety product, with no identifiable human expertise in safeguarding, child protection, or digital forensics behind it, is a different thing entirely.

The Nine Questions

On the 6th of April, I sent my formal questions. The same process I use for any product I consider covering here.

• Are you registered with the Information Commissioner’s Office (ICO)? If so, please provide your registration number.

• Where is the data stored? Which country, and on which servers?

• How long is data retained after a parent cancels the service?

• Does your product scrape data from Instagram or TikTok? If so, how do you comply with their Terms of Service?

• Exactly what can SafeScroll see and what can it not see?

• Was the initial email to me generated and sent by an AI system via Polsia’s platform?

• Who are the named human safeguarding or child protection professionals involved in building this product?

• Please provide a direct link to your full privacy policy.

• Are you compliant with UK GDPR? Do you have a designated Data Protection Officer?

They replied, Well, Kind Of.

SafeScroll came back to me. And to their credit, they did at least respond.

But when I went through their reply to those nine questions, here is where things stood.

Fully answered: 0 out of 9.

Partially answered: 2 out of 9.

Not answered: 7 out of 9.

No ICO registration number. No country of data storage. No named hosting provider. No named safeguarding professionals. No privacy policy link. No Data Protection Officer. No answer on whether the original email was AI-generated.

They confirmed the product monitors public activity via username, that data is stored encrypted on their servers, and that they are “GDPR compliant.” A self-declaration is not the same as verification, but it is something.

The Claim That Does Not Add Up

Here is the line that stopped me.

“unusual patterns” including “DMs from adults.”6

DMs are private. They are not visible to any third-party tool that accesses only a public profile via username. If SafeScroll can only see public posts, it cannot see who is sending your child direct messages, how many, or from whom.

So one of two things is true. Either the product accesses more data than they are telling parents, which raises serious questions about what they are actually collecting. Or the claim about flagging DMs is not accurate, and parents who download this tool, believing it will alert them to suspicious direct message activity, will not get what they were promised. This is not a grey area. It is a direct contradiction at the heart of the product’s core safety claim.

⚡Please don’t forget to react & restack if you appreciate my work. More engagement means more people might see it. ⚡

The Second Email

I went back to them the same day their reply arrived. I laid out the seven unanswered questions again, called out the DM contradiction, and asked for a clear explanation.

I told them I intended to publish by the end of the week. I said I would include their response in full, whatever it said. I told them that if I did not hear back by Wednesday, I would note publicly that these questions had remained unanswered after two rounds of contact.

Wednesday came.

Wednesday went.

Nothing.

What the Silence Tells Us

I am not going to over-interpret silence. Companies miss deadlines. Inboxes get cluttered, I know this from first-hand experience.

But I am publishing now because the information I already have is enough, and because parents are actively being marketed to by this product right now.

Here is what we know. SafeScroll is a product built on Polsia’s autonomous AI platform. No human safeguarding team designed it. A domain that is less than a year old, with hidden ownership details. Their reply to nine specific questions answered none of them fully. And the one substantive safety claim in their reply, that the product can flag DMs from adults, is not consistent with a tool that only accesses public profile data.

I gave them two opportunities to set the record straight. They did not take either one.

What You Should Ask Before Downloading Anything

Before you download or sign up for any child safety app:

• Who built it? Not a brand name. Named individuals with verifiable safeguarding or child protection credentials.

• Is it ICO-registered? Check ico.org.uk. Any UK company processing personal data about children should be listed.

• What exactly can it see? Public posts only? DMs? Stories? Private accounts? Demand specifics.

• Where is the data stored? Which country, which servers? What happens if the company closes?

• Does it comply with platform rules? Third-party tools scraping Instagram or TikTok data may be violating those platforms’ Terms of Service.

• Has it been independently reviewed? Not by influencers or bloggers. By security researchers or child protection professionals.

What I Am Doing About It

Writing about this is not enough. So I want to be open with you about the steps I am taking beyond publishing.

I have submitted a formal concern to the Information Commissioner’s Office. The ICO is the UK’s independent data protection regulator. If SafeScroll is collecting personal data submitted by UK users without being registered, that is not a question of best practice. It is a legal requirement. I have provided them with the full documented correspondence, the questions I asked, the partial reply I received, and the silence that followed. They will decide what, if anything, to investigate. But I felt it was important that the concern was on record.

I do not know what the regulator will do with these reports. That is not the point. The point is that if you come across something like this and you have the platform and the background to raise it formally, you should. I spent eight years in Digital Forensics and Incident Response. I know how to document a concern properly. So I did.

If SafeScroll responds to any of this, I will update this post with their response in full.

You are not alone in trying to navigate this. That is what I am here for

As always, thank you for your support. Please share this across your social media, and if you do have any comments, questions, or concerns, then feel free to reach out to me, as I am always happy to spend some time helping to protect children online.

Remember that becoming a paid subscriber means supporting a charity that is very close to my heart and doing amazing things for people. Childline, I will donate all subscriptions collected every six months, as I don’t do any of this for financial gain.

Want to Support Great Causes? (And Get Absolutely Nothing Else?)

Dale (Cyber Safety Guy)

·

February 10, 2025

Read full story

If you or a child you know needs support:

Childline: 0800 1111 | childline.org.uk

Available 24/7, 365 days a year. Free, confidential, and here for every child.

Share

Cyber Safety Guy Podcast