ARK isn't Truecaller. And that's the whole point.

The question we asked ourselves

When we started MRVL in 2019, we spent six months watching how people actually interact with security on their phones. We interviewed 200-odd users, ran through their settings with them, asked what they understood about permissions and data. The answer was humbling: almost nobody knew their phone was bleeding information. Not from malice. Just from the compound effect of app permissions, background data, breach exposure, and network leaks.

That's when we realised: there's no single number that tells you how exposed you are. Your antivirus says you're fine. Your password manager says you're fine. Your VPN says you're fine. But you're not actually fine if an app has permission to your contacts, or if your credentials turned up in a breach three years ago, or if your phone is leaking its DNS queries to the wrong server.

Truecaller does one thing brilliantly: it blocks spam and identifies callers. That's genuinely useful. But it's a caller-ID tool. It doesn't give you a holistic picture of your device's security posture.

What a security credit score actually tells you

ARK's 0-100 score exists because we wanted something a doctor would understand, or a parent, or a small business owner juggling three phones. Not 'your DNS leak protocol is misconfigured' (nobody cares). Instead: here's your score. Here's why. Here's what to fix in one tap.

The score pulls from four domains we identified as the ones that actually matter: device hardening (are your basics locked down?), network exposure (is your traffic leaking somewhere?), app permissions (have you accidentally given away the keys?), and breach exposure (are your credentials or PII in the wild?).

On the free tier, we run those checks on-device. No analytics ping. No record of what we found. Your phone stays yours.

Truecaller's data model is entirely different. It's built on crowdsourced caller information and a centralised database of phone numbers. You hand over data to get data back. That's not a judgment. It's just a different architecture, serving a different need.

The stalkerware moment that changed how we thought about privacy

Three weeks after launch, we got a message from a user in Scotland. She'd found a stalkerware app running on her phone. The kind that logs location, intercepts messages, records calls. She'd never seen it in her app drawer because it was hidden. ARK flagged it.

That email made us promise something: we'd keep the stalkerware detector free, forever. Truecaller doesn't do this. They focus on incoming calls. Legitimate. But if someone's already breached your device, the call blocker doesn't help.

Breach exposure works similarly. We integrated with Have I Been Pwned because we wanted people to know if their email or password turned up in a dump. Free tier checks against that database, tells you if you're in there, suggests one-tap remediation (like a password change flow). Shield tier goes further with dark-web monitoring, because some breaches live on the dark web for months before they surface elsewhere.

Why privacy-first isn't a marketing line for us

Here's the difference that probably matters most. We don't have a centralised cloud service reading your phone's guts. When you run a scan in ARK on the free tier, your results stay encrypted on your device. iOS SecureStore, Android EncryptedSharedPreferences. Not plain text. Not sent to our servers. Not indexed. Not sold.

Shield and Fortress tiers do require cloud connectivity because dark-web monitoring, phishing scanning, and GDPR autopilot (our weird, useful feature that auto-files data-subject access requests) need actual servers. But even then, we store the bare minimum: hashed checks, not your passwords or full scan results.

Truecaller's business model depends on building a bigger database. Their value grows as more people feed data into it. That's sustainable for them. For us, the value is accuracy and non-invasiveness. We'd rather be the tool you trust than the platform you feed.

The features that actually separate them

If you're comparing, here's what matters. ARK has a QR and URL phishing scanner because we found that most people get compromised through links, not apps. We have a Wi-Fi analyser because public networks are a blind spot for most users. Password health checking, DNS leak testing, and 2FA auditing because those are the unglamorous but critical pieces of your actual security hygiene.

On Fortress (our premium tier), we built SDK X-Ray because we realised people have no idea what code libraries are running inside their apps, and what data those libraries are asking for. We added AI opt-out hub so you can actually exercise rights that are technically yours under GDPR and CCPA, but invisible to most users. We added voice-clone risk detection because deepfake calls are a real threat now, not a future one.

None of this overlaps with Truecaller's caller ID, spam blocking, or phone number database. Different tools. Different problems.

Who this is actually for

We built ARK for the person who's been in a breach and can't shake the feeling that their phone is compromised. For the parent who wants to know what their teenager's apps are actually doing. For the small business owner managing a fleet of devices and needing audit trails. For the privacy advocate who doesn't want to hand their data to another cloud platform just to understand what's running on their device.

If you're primarily annoyed by spam calls, Truecaller solves that problem faster and better than we do. We don't compete there because we're not trying to be a caller-ID app.

But if you've ever wondered whether your phone is secure, whether your data is in a breach, whether an app has permissions it shouldn't have, or whether your network traffic is actually private, that's where ARK starts.