Privacy Policy
Contents
The short version: We never store your email address. When you check your email, it is sent to the breach database API in real time, the result is returned to your browser, and your email is immediately discarded. Nothing is saved. Ever.
1 What data we collect
EmailLeaked is designed from the ground up to collect as little data as possible. We operate on a privacy-first principle — we only collect what is strictly necessary to provide the service.
Email addresses: When you enter an email address to check for data breaches, that email is transmitted directly to the HaveIBeenPwned (HIBP) public API in real time. It is never written to any database, log file, or server-side storage. The API returns a result to your browser. After that, your email address no longer exists anywhere in our system.
Passwords: When you use the password checker, your password is hashed locally in your browser using SHA-1. Only the first 5 characters of that hash are sent to the HIBP Pwned Passwords API — a technique called k-anonymity. Your actual password never leaves your device under any circumstances.
Contact form data: If you submit the contact form, we collect your name, email address, and message for the purpose of responding to your enquiry. This data is stored securely and never shared with third parties.
2 How we use your data
The data we process is used solely for the following purposes:
- Checking your email or password against publicly available breach databases and returning the result to you
- Responding to messages submitted through the contact form
- Analysing anonymous, aggregated usage patterns to improve the service (no personal data involved)
We do not use your data for marketing, profiling, or any purpose beyond what is listed above.
3 What we never do
We want to be explicit about the things we will never do with your data:
- Never store email addresses entered into the breach checker
- Never sell, rent, or share your personal data with any third party for commercial purposes
- Never display advertising targeted based on your email or search history
- Never transmit your password — only a partial hash of it, using k-anonymity
- Never send unsolicited emails — we only contact you if you reach out first via the contact form
4 Cookies and tracking
EmailLeaked uses minimal cookies. We use a single local storage entry to remember your dark/light mode preference. This is a functional preference stored only in your browser and is never transmitted to our servers.
We do not use advertising cookies, cross-site tracking cookies, or any third-party analytics cookies that identify you as an individual. If we introduce analytics in the future, we will update this policy and use only privacy-respecting, cookieless analytics tools.
5 Third-party services
EmailLeaked uses the following third-party services to deliver its functionality:
- HaveIBeenPwned API — the breach database used to check email addresses and passwords. Your email is sent to this API in real time. HIBP's own privacy policy applies to data sent to their service.
- Cloudflare Pages — our hosting provider. Cloudflare may log standard request metadata (IP address, timestamp) as part of their infrastructure. These logs are subject to Cloudflare's privacy policy.
- Google Fonts — used to load the Plus Jakarta Sans typeface. This may result in a request to Google's servers. If you wish to prevent this, you may block Google Fonts via your browser settings.
We are not affiliated with or endorsed by any of these services.
6 Data security
All connections to EmailLeaked are secured via HTTPS (TLS encryption). Data in transit between your browser and our service is encrypted. Since we do not store email addresses entered into the checker, there is no database of user emails that could be compromised in a breach of our own systems.
Contact form submissions are stored securely and access is restricted to authorised personnel only.
7 Your rights
Because we do not store your email address when you use the breach checker, there is no personal data for us to retrieve, correct, or delete in relation to that usage.
If you have submitted a contact form enquiry and wish to have that data deleted, please contact us at the address below and we will action your request within 30 days.
If you are located in the European Economic Area (EEA) or United Kingdom, you have rights under the GDPR and UK GDPR including the right to access, correct, and erase your personal data, and the right to lodge a complaint with your local data protection authority.
8 Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. We encourage you to review this page periodically. Continued use of the service after any changes constitutes your acceptance of the updated policy.
9 Contact us
If you have any questions about this Privacy Policy or how we handle your data, please contact us:
- Via the contact form at emailleaked.com/contact
- By email at privacy@emailleaked.com
Questions about your privacy?
We'll reply within 24 hours.