Scam intelligence (FTC-derived feed)

ScamBounce can use consumer-reported unwanted call intelligence as one signal in its own risk scoring. That intelligence is derived from patterns reported in FTC unwanted call data and similar consumer-reported sources—not from live calls to your phone and not from ScamBounce listening to conversations.

What the data is (and is not)

• Numbers may appear because they were reported in FTC unwanted call data or grouped with similar consumer-reported activity. That is different from a claim that a number is a "confirmed scammer," "FTC verified scam," or "government confirmed fraud."
• Consumer-reported data can be incomplete, duplicated, or mistaken. It is not independently verified by ScamBounce.
• The public feed only includes normalized, aggregated fields (for example E.164 number and counts). It does not include raw complaint narratives or personal details.

How the Android app uses the feed

• The app fetches the JSON feed over HTTPS from a stable URL and caches it locally for use as one input to screening and labeling logic.
• Call screening is designed so decisions do not depend on a blocking live internet round-trip at ring time; the app does not call the FTC directly.
• No authentication is required to read the public feed; do not send secrets or personal data to the feed URL.

Public endpoints

The same deployment serves the marketing site and the api.scambounce.com hostname when that domain is attached to this Vercel project.

FTC-derived feed (JSON)

https://api.scambounce.com/ftc-feed.json

Health check

https://api.scambounce.com/api/health

(alias) https://api.scambounce.com/health

Daily refresh (Vercel Cron)

A scheduled job calls /api/refresh-ftc once per day (03:00 UTC). It pulls the latest FTC DNC reported-calls data, aggregates by originating number, and stores the JSON in Redis (TLS via UPSTASH_REDIS_URL) so /ftc-feed.json stays fast and cache-friendly. The job is not exposed without a secret.

Required environment variables

• CRON_SECRET — shared secret; Vercel Cron sends Authorization: Bearer <CRON_SECRET> when that variable is set in the project.
• FTC_API_KEY — free api.data.gov key used by api.ftc.gov.
• UPSTASH_REDIS_URL — the TLS connection string from the Vercel Redis integration, used by the standard redis npm client (not REST env vars).

Manual run (GET or POST; replace token): curl -sS -X POST -H "Authorization: Bearer YOUR_CRON_SECRET" "https://api.scambounce.com/api/refresh-ftc"

Deployment verification (operators)

After deploy, confirm each URL returns valid JSON (HTTP 200, application/json):

• https://www.scambounce.com/ftc-feed.json
• https://scambounce.com/ftc-feed.json
• https://api.scambounce.com/ftc-feed.json
• https://api.scambounce.com/api/health
• https://api.scambounce.com/health (rewrite to /api/health)

Fallback seed on disk: public/ftc-feed.seed.json (served only when Redis has no feed yet or UPSTASH_REDIS_URL is unset). After backend regenerates a snapshot, you can copy it into that seed file for the next deploy, or rely on the daily refresh once env vars are set.

FAQ · Privacy Policy · Home