Privacy Policy
Last updated: 2 April 2025
BreachWarden ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, why we collect it, and how it is used when you use our service at breachwarden.co.uk.
1. Data We Collect
- Account data: your email address and a hashed password used to create and secure your account.
- Monitored email addresses: email addresses you ask us to monitor for data breaches. These are stored securely and used solely to check breach databases on your behalf.
- Billing data: payment is processed by Stripe. We do not store card numbers. We store your Stripe customer ID and subscription status.
- Telegram chat ID: if you link a Telegram account, we store your Telegram chat ID to deliver breach alerts.
- Scan results: breach records returned from global breach intelligence databases, associated with your monitored email addresses.
- Usage logs: server logs including IP addresses and timestamps for security and debugging purposes. Logs are retained for up to 30 days.
2. How We Use Your Data
- To check your monitored email addresses against known breach databases.
- To send you breach alert notifications via email and/or Telegram.
- To process subscription payments via Stripe.
- To maintain your account and provide customer support.
- To detect and prevent fraud or abuse.
3. How We Check for Breaches
We check whether your email address appears in known data breaches using multiple global breach intelligence databases. When checking, we use a k-anonymity model: your email address is hashed and only a partial prefix of that hash is ever transmitted. Your full email address is never sent externally.
4. Data Sharing
We do not sell or rent your personal data. We share data only with:
- Stripe — for payment processing. Governed by Stripe's Privacy Policy.
- Breach intelligence providers — for breach lookups (k-anonymity model, no raw email shared).
- Telegram — if you link your account, breach alerts are delivered via the Telegram Bot API.
- Law enforcement or regulators where we are legally required to do so.
5. Data Retention
- Account and subscription data: retained while your account is active and for up to 90 days after deletion.
- Breach scan results: retained for the lifetime of your account to show your history.
- Server logs: retained for up to 30 days.
6. Your Rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your account and associated data.
- Object to or restrict certain processing.
- Receive your data in a portable format (data portability).
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
7. Security
We use industry-standard security practices including encrypted connections (TLS), hashed passwords (bcrypt), and access controls. No system is perfectly secure, and we cannot guarantee absolute security of your data.
8. Cookies
We use minimal cookies and browser localStorage to keep you logged in and to persist temporary state (e.g. a pending gift redemption). We do not use tracking or advertising cookies.
9. Third-Party Links
Our service may link to third-party websites (e.g. Stripe checkout). We are not responsible for the privacy practices of those sites.
10. Changes to This Policy
We may update this policy from time to time. If we make material changes, we will notify you by email or via an in-app notice. Continued use of the service after changes constitutes acceptance.
11. Contact
For privacy-related questions or requests: [email protected]