Privacy Policy
Last Updated: February 14, 2026
1. Overview
This Privacy Policy describes how LeakedSource ("we," "us," or "our") collects, uses, stores, discloses, and protects your personal information when you access or use the LeakedSource website, application programming interfaces, and related services (collectively, the "Service"). By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.
We are committed to transparency regarding our data practices. Because the Service involves the processing of data breach intelligence, this Policy also describes how we handle breach-related data, which may include personal information originating from third-party data breaches.
2. Who We Are
LeakedSource is a data breach intelligence and monitoring service owned and operated by HEROIC Holdings, LLC ("HEROIC"), a limited liability company organized under the laws of the United States. HEROIC serves as the data controller for the personal information processed through the Service.
For privacy-related inquiries, you may contact us at [email protected].
3. Information We Collect
We collect information from several sources to provide, maintain, and improve the Service.
3.1 Information You Provide Directly
- Account Information: When you create an account, we collect your name, email address, and password (stored in hashed form).
- Search Queries: Email addresses, usernames, phone numbers, IP addresses, or other identifiers you submit to check against our breach database.
- Payment Information: When you subscribe to a paid plan, payment details (such as credit card number and billing address) are collected and processed by our third-party payment processor. We do not store full payment card numbers on our servers.
- Communications: Information you provide when contacting our support team, submitting feedback, or otherwise communicating with us.
- Monitored Email Addresses: Email addresses you add for ongoing breach monitoring.
3.2 Information Collected Automatically
- Device and Browser Information: Browser type and version, operating system, device type, screen resolution, and language preferences.
- Usage Data: Pages viewed, features used, search frequency, time spent on pages, navigation paths, and clickstream data.
- Log Data: IP address, access timestamps, referring URLs, HTTP request method, response status codes, and user agent strings.
- Cookies and Similar Technologies: Session identifiers, preference cookies, and analytics data (see Section 7).
3.3 Information from Third-Party Sources
- Breach Intelligence Data: We obtain data breach records from HEROIC, which aggregates breach data from publicly known data exposures, security research, and other lawful sources. This data may include email addresses, usernames, hashed or plaintext passwords, phone numbers, IP addresses, physical addresses, and other personal information that was exposed in third-party data breaches. See Section 5 for details on how this data is handled.
- Payment Processor: Our payment processor may share limited transaction data (such as confirmation of successful payment) with us.
4. How We Use Your Information
We use the information we collect for the following purposes:
- Provide the Service: To check your submitted identifiers against known data breaches, deliver search results, and provide breach monitoring and notification features.
- Account Management: To create and manage your account, process subscription payments, and enforce service tier limitations.
- Transactional Communications: To send account verification emails, password reset requests, breach alerts, payment receipts, and other service-related notifications.
- Service Improvement: To analyze usage patterns, diagnose technical issues, optimize performance, and develop new features.
- Security and Fraud Prevention: To detect, investigate, and prevent unauthorized access, abuse, or fraudulent activity on the Service.
- Analytics: To understand aggregate user behavior and measure the effectiveness of our Service (see Section 7).
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
We do not sell your personal information to third parties. We do not use your personal information for automated decision-making that produces legal or similarly significant effects without human involvement.
5. Breach Data & Intelligence
The core function of LeakedSource is to help individuals and organizations determine whether their personal information has been exposed in known data breaches. The following describes how breach data is sourced, processed, and presented.
5.1 Data Sources
Breach records are provided by HEROIC, which collects and indexes data from publicly available breach datasets, security research, and other lawful sources. LeakedSource does not hack, access, or otherwise unlawfully obtain data from any system. All breach data processed through the Service has been previously exposed by third parties and is obtained exclusively for cybersecurity and anti-fraud purposes.
5.2 How Searches Work
When you perform a search, your query (e.g., an email address) is transmitted securely to the HEROIC API over an encrypted connection. The HEROIC API returns matching breach records, which are then displayed to you based on your subscription tier. Free tier users see limited information (breach names and dates); paid subscribers may access additional details such as exposed data fields.
5.3 Sensitive Data Masking
Certain categories of sensitive information returned in breach records are automatically masked or partially redacted to limit exposure. This includes, but is not limited to, passwords (showing only the last two characters), Social Security numbers (last two digits), and payment card numbers (first six and last four digits only). Full plaintext credentials are never displayed through the Service.
5.4 Stealer Log Data
Some breach records originate from credential-stealing malware ("stealer logs"). This data is classified separately and is only accessible to paid subscribers. We implement additional access controls for stealer log data given its potential sensitivity.
5.5 Accuracy and Completeness
Breach data originates from external, third-party sources. While we endeavor to verify the legitimacy and authenticity of breach datasets, we cannot guarantee the accuracy, completeness, currency, or reliability of any particular breach record. Records may contain errors, fabricated entries, or outdated information. The absence of results for a given query does not guarantee that your information has not been compromised.
6. Third-Party Services
We engage the following categories of third-party service providers to operate the Service. These providers process personal information on our behalf and are contractually obligated to use it only for the purposes for which it was disclosed.
| Provider | Purpose | Data Shared |
|---|---|---|
| HEROIC | Breach intelligence provider (API) | Search queries (email, username, etc.) |
| Stripe | Payment processing | Name, email, payment card details, billing address |
| Amazon SES | Transactional email delivery | Email address, message content |
| Google Analytics | Website analytics | Anonymized usage data, IP address (anonymized) |
| Cloudflare | DNS, CDN, and DDoS protection | IP address, request metadata |
We may also use Anthropic's Claude AI technology for internal service improvement and content generation. User-specific personal information is not submitted to AI services for processing without anonymization.
7. Cookies & Analytics
We use cookies and similar technologies to operate the Service, maintain your session, remember your preferences, and collect analytics data.
7.1 Types of Cookies We Use
- Essential Cookies: Required for core functionality such as authentication, session management, and CSRF protection. These cannot be disabled.
- Analytics Cookies: Used by Google Analytics (via Google Tag Manager) to collect anonymized information about how visitors use the Service, including pages visited, time on site, and navigation patterns. We use IP anonymization.
7.2 Managing Cookies
You may control or delete cookies through your browser settings. Disabling essential cookies may prevent you from using certain features of the Service. For more information about managing cookies, visit allaboutcookies.org.
7.3 Do Not Track
Some browsers transmit "Do Not Track" (DNT) signals. We do not currently respond to DNT signals, as there is no universally accepted standard for how to interpret them.
8. Data Security
We implement industry-standard administrative, technical, and physical security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using TLS 1.2 or higher.
- Encryption of sensitive data at rest.
- Hashing of passwords using strong, salted cryptographic algorithms (bcrypt).
- Role-based access controls limiting employee access to personal information.
- Regular security assessments and monitoring for unauthorized access.
- Automatic session timeouts and rate-limiting protections.
No method of transmission over the internet or method of electronic storage is completely secure. While we strive to protect your personal information, we cannot guarantee its absolute security.
9. Data Retention
- Account Data: Retained for the duration of your account. When you delete your account, your personal information is permanently deleted within 30 days, except where retention is required by law.
- Search History: Retained for the purpose of enforcing daily search limits and providing account activity history. Search history is deleted when you delete your account.
- Payment Records: Transaction records are retained for up to seven (7) years to comply with tax and financial reporting obligations.
- Server Logs: Automatically purged after 90 days.
- Free Scan Data: Email addresses submitted through the free scan (without account creation) are not stored after the scan result is delivered.
- Breach Intelligence Data: Breach records sourced from HEROIC are retained in our database as part of the breach intelligence index. Due to the cybersecurity nature of this data, breach records may be retained even after individual deletion requests, consistent with applicable law and the legitimate interest in maintaining a comprehensive threat intelligence database.
10. Your Rights & Choices
Depending on your jurisdiction, you may have the following rights with respect to your personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete personal information.
- Deletion: Request deletion of your personal information, subject to certain exceptions (see Section 9).
- Data Portability: Request a machine-readable copy of your personal information.
- Opt-Out of Marketing: Unsubscribe from non-essential communications at any time using the unsubscribe link in any marketing email.
- Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at [email protected]. We will respond to verified requests within 30 days (or as required by applicable law). We may ask you to verify your identity before processing your request.
10.1 Breach Data Removal
Breach records originate from third-party sources and exist independently of your use of the Service. Deleting your LeakedSource account does not remove your information from external breach databases. If your information appears in a breach record and you wish to request its removal from our search index, please contact us at [email protected]. Please note that we may retain breach data for legitimate cybersecurity and anti-fraud purposes as permitted by applicable law.
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information:
- Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for which it is used, and the categories of third parties with whom it is shared.
- Right to Delete: You have the right to request deletion of personal information, subject to certain legal exceptions.
- Right to Opt-Out of Sale/Sharing: We do not sell your personal information as defined under the CCPA. We do not share your personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise your CCPA rights, contact us at [email protected] or submit a request through your account settings. We will verify your identity before fulfilling your request.
12. International Data Transfers
The Service is hosted in the United States. If you access the Service from outside the United States, your personal information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to such transfers. We take steps to ensure that your personal information receives an adequate level of protection in the jurisdictions in which we process it.
13. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at [email protected].
14. FCRA Disclaimer
LeakedSource is not a consumer reporting agency as defined by the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. § 1681 et seq. The Service does not constitute a "consumer report" as that term is defined in the FCRA. You may not use the Service or any information obtained through the Service as a factor in (a) establishing an individual's eligibility for credit, insurance, or employment; (b) tenant screening; or (c) any other purpose authorized under the FCRA. Any use of the Service in violation of this provision is strictly prohibited and constitutes a material breach of the Terms of Service.
15. AI & Automated Processing
We may use artificial intelligence technologies, including Anthropic's Claude, for the following purposes:
- Generation of breach summaries and educational content.
- Internal data analysis and service improvement.
- Automated categorization and classification of breach data.
We do not submit identifiable user personal information to AI systems for processing. Any AI-assisted analysis of breach data is performed on aggregated or anonymized datasets. No automated decisions with legal or similarly significant effects are made solely by AI without human review.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated Policy on the Service and updating the "Last Updated" date. For material changes that significantly affect how we process your personal information, we will provide additional notice (such as an email notification or an in-app banner). Your continued use of the Service after the effective date of an updated Policy constitutes your acceptance of the changes.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: