Privacy Policy
Last updated: April 4, 2026
In simple words, we check your email against known breach data. We do not sell your data, we do not store your search in plain text, and you can delete your account at any time.
1. What we collect
When you create an account, we collect:
- Your email address, which is required to create your account and send alerts
- A hashed version of your password. We do not store plain text passwords
- Your account creation time
- Your subscription plan status
When you use the breach checker or add emails to monitor, we store:
- The email addresses you choose to monitor
- Breach check results, including which breach sources returned a match
- Timestamps of checks
2. What we do not collect
- We do not collect, store, or log email addresses entered into the public breach checker by visitors who are not signed in
- We do not collect payment card details. Stripe handles payment processing
- We do not collect browsing history or track you across other websites
- We do not use advertising trackers or sell your data to advertisers
- We do not collect your IP address except when needed for abuse prevention
3. How we use your data
We use your data to:
- Operate your account and provide breach monitoring services
- Send breach alert emails when your monitored emails appear in new leaks
- Send product updates if you choose to receive them
- Prevent abuse of the platform, including rate limiting and fraud prevention
We do not use your data for advertising, profiling, or any purpose outside running this service.
4. How breach checks work
When you check an email address against our breach database, we query our local database of known leaked credentials. We do not send your email to any third party for this check.
We send only the first 5 characters of a SHA-1 hash of your email, never the email itself. This is part of a privacy model called k-anonymity and helps protect your actual email address.
See our Methodology page for a more detailed technical explanation.
5. Data storage and security
Your data is stored in a SQLite database hosted on Render infrastructure in the United States. We apply the following protections:
- All passwords are hashed using Argon2
- Sessions use encrypted and signed cookies
- All connections are protected by HTTPS and TLS
- Admin and ingestion endpoints are access controlled
We keep your account data until you delete your account. Breach check results are kept to support your dashboard history.
6. Third party services
We use the following third party services:
- Render for hosting and infrastructure in the United States
- Brevo for transactional email delivery
- Google Fonts for typography loaded on page render
Each of these services has its own privacy policy. We choose providers with strong data protection practices.
7. Your rights
You have the right to:
- Access: request a copy of the data we hold about you
- Correction: update your email or account details
- Deletion: delete your account and associated data
- Portability: receive your data in a machine-readable format
- Objection: object to how we process your data
To use any of these rights, email us at privacy@dataleakz.com. We will respond within 30 days.
8. Cookies
We use one cookie, a session cookie that keeps you signed in. It is an HttpOnly, SameSite cookie and does not track you across other websites. We do not use advertising cookies, analytics cookies, or other third party tracking cookies.
9. Contact us
If you have any questions about this privacy policy or how we handle your data:
- Email: privacy@dataleakz.com
- For security issues, see our security.txt
We take privacy seriously and will respond to questions as quickly as possible.