DATA SOURCE — Recipient risk combines two layers. The built-in baseline (business model, jurisdiction, declared data collection, policy flags) ships with the tool and works fully offline. Sync grades from ToS;DR overlays live crowd-sourced Class A–E ratings from tosdr.org (Terms of Service Didn't Read), matched to each service by domain and refreshed daily at the source — the same /appdb/version/v2 and /service/v3 endpoints their browser extension uses. If your browser blocks the cross-site request (some do for a file opened locally), the tool falls back to the baseline and tells you; serving this file from a domain, or behind a one-line proxy, resolves it. Grades attach at the company/domain level, so a product without its own ToS;DR review inherits its parent's grade (e.g. Gmail and Drive take Google's), shown with a dashed chip and a ↑ marker. Brands ToS;DR hasn't reviewed at all — many automakers, niche wearables — stay a grey "–" rather than borrow an unrelated grade. Ratings are a starting point — verify the current policy for anything that matters.