This Privacy Policy explains how Breach Monitor ("we", "us", "our") collects, uses, stores, and protects information when you use our website and services. We are committed to handling personal data in a transparent and lawful manner in accordance with the UK General Data Protection Regulation (UK GDPR) as incorporated by the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR) 2016/679, and other applicable privacy laws.
1. Overview
What we do
We index publicly circulating credential data — including data breaches, stealer malware logs, and credential dumps — and let you search to assess your exposure.
What we don't do
We never sell your personal data. We never send passwords in emails. We don't run ads or tracking.
Your rights
You can access, correct, export, or delete your account data at any time under UK GDPR and EU GDPR.
Data Controller
Breach Monitor Ltd (Companies House registration: [PLACEHOLDER — add once registered])
Registered address: [PLACEHOLDER — registered UK address]
ICO Registration No.: [PLACEHOLDER — register at ico.org.uk before launch]
Contact: [email protected]
2. Data We Collect About You
2.1 Account Data
When you register, we collect:
| Data | Purpose |
|---|---|
| Email address | Account identification, login, verification, breach alerts |
| Bcrypt password hash | Authentication — your plain-text password is never stored |
| Account tier & plan | Determine feature access and enforce subscription limits |
| Registration timestamp | Account management |
| Email verification status | Prevent use of unverified accounts |
2.2 Usage Data
When you use the Service, we may log:
| Data | Purpose |
|---|---|
| Search queries | Audit trail, abuse prevention, quota enforcement |
| Query type (email / domain / bulk) | Usage analytics and rate limiting |
| IP address | Rate limiting, fraud detection, legal compliance |
| User agent string | Abuse detection |
| Result count & timestamp | Usage statistics |
Search logs are retained for 90 days and are accessible to you via the Search History page.
2.3 Payment Data
Payments are processed entirely by Stripe. We never receive or store your full card number, CVV, or banking details. We retain only:
| Data | Purpose |
|---|---|
| Stripe session ID | Reconcile payments and prevent duplicate processing |
| Plan purchased & amount | Subscription records |
| Payment timestamp & status | Billing audit trail |
2.4 Notification Preferences
If you set a separate notification email address, we store it to route breach alerts to your preferred address. This field is optional and can be cleared at any time in your Profile settings.
2.5 API Keys
If you generate an API key, we store the full key in our database (used to authenticate your API requests). Only the last 8 characters are shown in the dashboard. Revocation clears the key from our database immediately.
3. Breach Data We Index
The core function of this Service is to index credentials from publicly circulating data sources. This includes:
- Data breaches — credentials leaked from compromised company databases (e.g. corporate breaches)
- Stealer malware logs — credentials harvested from individual infected devices by malware (e.g. Redline, Lumma, META stealers) and distributed via Telegram channels and other platforms
- Credential dumps — aggregated combolists circulating in public forums and file-sharing platforms
This data was already publicly circulating before we indexed it. We do not claim ownership of this data and are not the original source of any breach or infection.
The index contains fields such as email addresses, usernames, password hashes or plain-text passwords (as they appeared in the source), and breach dates. The source field is deliberately excluded from all user-facing search results and exports to reduce harm.
If your personal data appears in our index and you wish to have it removed, please submit a request via the Data Removal page. We process removal requests within 30 days.
UK GDPR / EU GDPR note: Our lawful basis for processing publicly circulating credential data (breaches, stealer logs, dumps) is legitimate interests (Art. 6(1)(f)) — specifically, enabling individuals and organisations to identify compromised credentials and take protective action. We have conducted a Legitimate Interests Assessment (LIA) and maintain records of this assessment as required by Art. 30 GDPR. You may object to this processing at any time; see Section 9.
4. How We Use Your Data
| Purpose | Detail |
|---|---|
| Provide the Service | Authenticate you, process searches, deliver results |
| Send breach alerts | Email notifications when a monitored address appears in new data |
| Process payments | Fulfil subscription and credit pack purchases via Stripe |
| Enforce limits | Monthly search quotas, rate limits, tier gates |
| Security & fraud prevention | Detect abuse, protect our infrastructure |
| Legal compliance & law enforcement | Respond to valid legal requests (warrants, subpoenas, court orders) and cooperate with law enforcement where required by law |
| Service improvements | Aggregate, anonymised analytics only — never individual profiling |
We do not use your data for advertising, sell it to third parties, or use it to build behavioural profiles.
When we are required by law to disclose your information to authorities, we will notify you unless we are legally prohibited from doing so (e.g., by a court order, a non-disclosure requirement, or where notification would prejudice a law enforcement investigation).
5. Third-Party Services & Sub-Processors
We use the following sub-processors. By using the Service you acknowledge the involvement of these parties:
| Sub-processor | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Email address (for receipts), payment method details (handled directly by Stripe — we never receive card data) |
| SendGrid (Twilio) | Transactional email | Email address, email body content (verification links, breach alerts, password reset links) |
| Cloud Infrastructure (United States) | Hosting & compute | All service data is stored on servers physically located in the United States. No personal data is shared with the hosting provider beyond standard server-level access logs. |
We do not embed third-party analytics (Google Analytics, Facebook Pixel, Hotjar, etc.) on any page of the Service. We do not use advertising networks.
6. Data Retention
| Data | Retention period |
|---|---|
| Account data (email, password hash, tier) | Until account deletion + 30 days |
| Search logs | 90 days from creation |
| Payment records (Stripe session, amount, plan) | 7 years (legal / tax obligation — UK HMRC) |
| Breach alert logs | 90 days |
| Password reset tokens | Cleared immediately on use; auto-expired after 1 hour if unused |
| API keys | Until revoked by user or account deleted |
| Credit transaction history | Until account deletion + 30 days |
| IP address logs (rate limiting) | 30 days rolling |
After account deletion, personal data is purged from active databases within 30 days. Anonymised aggregate statistics (search counts, credit totals) may be retained indefinitely as they cannot be linked back to an individual.
7. Security
We implement the following technical and organisational measures (TOMs) to protect your data:
- Passwords stored as bcrypt hashes (cost factor 12) — never in plain text
- JWT tokens for session management — short-lived (24 hours), signed with a secret key
- API keys stored securely; never logged in application output
- All traffic encrypted in transit via HTTPS/TLS in production
- Rate limiting on all authentication and search endpoints to mitigate brute force and abuse
- Database and search index not publicly exposed — accessible only within the private network
- Role-based access control — admin functions require an explicit `is_admin` flag
- Servers hosted with a reputable US infrastructure provider
No system is perfectly secure. If you discover a security vulnerability, please disclose it responsibly to [email protected]. We will acknowledge responsible disclosure within 48 hours.
9. Your Rights (UK GDPR & EU GDPR)
If you are located in the United Kingdom, the European Economic Area, or another jurisdiction with equivalent privacy laws, you have the following rights regarding your personal data:
Right of Access (Art. 15)
Request a copy of all personal data we hold about you. We will respond within 30 days.
Right to Rectification (Art. 16)
Correct inaccurate or incomplete data — you can update your email and notification address directly in Profile settings.
Right to Erasure (Art. 17)
Request deletion of your account and associated personal data. Contact us at [email protected].
Right to Data Portability (Art. 20)
Request your personal data in a structured, machine-readable format (JSON or CSV).
Right to Restriction (Art. 18)
Ask us to restrict processing of your data in certain circumstances (e.g., while a dispute is resolved).
Right to Object (Art. 21)
Object to processing based on legitimate interests — including our indexing of breach data containing your credentials. We will cease unless we have compelling legitimate grounds.
Right to Withdraw Consent (Art. 7)
Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
Right to Lodge a Complaint (Art. 77)
UK residents: file with the ICO (ico.org.uk). EU residents: contact your national supervisory authority (e.g., the CNIL in France, the DSB in Austria).
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may ask you to verify your identity before processing a request. Where requests are complex or numerous, we may extend this by a further 60 days and will notify you accordingly.
10. Lawful Basis for Processing (GDPR Art. 6)
| Processing activity | Lawful basis |
|---|---|
| Account registration & login | Performance of contract (Art. 6(1)(b)) |
| Sending verification & password reset emails | Performance of contract (Art. 6(1)(b)) |
| Sending breach alert emails | Performance of contract / Legitimate interests (Art. 6(1)(b)/(f)) |
| Payment processing | Performance of contract (Art. 6(1)(b)) |
| Retaining payment records | Legal obligation — HMRC / tax law (Art. 6(1)(c)) |
| Search logging & rate limiting | Legitimate interests — security and abuse prevention (Art. 6(1)(f)) |
| IP address logging | Legitimate interests — fraud prevention, legal defence (Art. 6(1)(f)) |
| Indexing breach data, stealer logs & credential dumps | Legitimate interests — enabling security awareness (Art. 6(1)(f)) |
| Responding to law enforcement requests | Legal obligation (Art. 6(1)(c)) |
11. Children's Privacy
The Service is not directed to children under the age of 18. We do not knowingly collect personal data from children. If you believe a child has created an account, please contact us at [email protected] and we will delete the account and associated data promptly.
12. International Data Transfers & EU Representative
12.1 Where Your Data is Stored
All primary service data (database, search index, backups) is stored on servers physically located in the United States. As a UK company serving users in the UK and EU, data transfers from the UK and EEA to our US infrastructure are governed by the mechanisms described below.
12.2 UK → US Transfers
The United States does not currently hold a UK adequacy decision. Transfers of UK personal data to our US servers are covered by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable.
12.3 EU → US Transfers
For personal data of EEA residents transferred to our US servers, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Decision 2021/914). We only use sub-processors that provide equivalent protections (Stripe, SendGrid both operate under SCCs).
12.4 UK ↔ EU Data Flows
The United Kingdom holds an adequacy decision from the European Commission (UK GDPR Adequacy Regulations 2021), meaning personal data flows freely between the UK and EU without additional safeguards at present. Should this decision lapse, we will implement appropriate transfer mechanisms and notify users accordingly.
12.5 EU Representative
As a UK-registered company processing personal data of EU residents, we are required by Art. 27 EU GDPR to designate a representative within the European Union.
EU Representative
[PLACEHOLDER — designate before launch. Low-cost options: GDPR-Rep.eu (~€200/yr), DP-Dock, or any EU-based legal entity you control]
Contact for EU residents in the meantime: [email protected]
13. Data Breach Notification
In the event of a personal data breach affecting your data, we will act in accordance with our obligations under Art. 33 and Art. 34 of UK GDPR and EU GDPR:
Notification to Supervisory Authorities
Where a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the UK ICO (for UK personal data) and/or the relevant EU supervisory authority in the affected member state (for EU personal data) within 72 hours of becoming aware of the breach, as required by Art. 33 GDPR.
Notification to Affected Users
Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals (Art. 34 GDPR), we will notify those individuals directly via email to their registered address without undue delay. The notification will describe the nature of the breach, the data involved, likely consequences, and the steps we are taking.
Internal Records
All personal data breaches — regardless of whether notification is required — are documented internally in our breach register as required by Art. 33(5) GDPR.
If you discover or suspect a security issue involving our systems, please report it immediately to [email protected].
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on the Service at least 14 days before they take effect, unless changes are required by law. The "Last updated" date at the top of this page reflects when this policy was last revised.
Your continued use of the Service after a policy update constitutes your acceptance of the revised policy. If you do not agree to the changes, you may request account deletion.
15. Contact & Data Protection Officer
For privacy-related questions, data subject requests, or to report a concern:
Breach Monitor — Data Protection
Company: Breach Monitor Ltd
Registered address: [PLACEHOLDER — UK registered office address]
ICO No.: [PLACEHOLDER — register at ico.org.uk]
General privacy enquiries: [email protected]
Security disclosures: [email protected]
Data removal requests: breachmonitors.com/takedown
Legal matters: [email protected]
We do not currently have a formally designated Data Protection Officer (DPO) as we do not meet the mandatory thresholds under Art. 37 GDPR (large-scale systematic monitoring or processing of special category data). Privacy queries are handled directly by our operations team. We will appoint a DPO if our processing activities change to require one.