Privacy Policy

Last updated: June 14, 2026

This Privacy Policy explains how NotifyBreach ("NotifyBreach," "we," "us," or "our"), operated by InfoHash Private Limited, collects, uses, discloses, and protects personal data in connection with our business breach-intelligence SaaS platform at threat.notifybreach.com (the "Platform"). It applies to our business customers and their authorized users, to visitors of our website, and to individuals whose personal data appears within third-party breach and leak datasets that we process so that our customers can monitor exposure of their own domains. We are committed to handling personal data lawfully, transparently, and securely, and to honoring the rights afforded to individuals under the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).

1. Who We Are and Scope of This Policy

NotifyBreach is a business-to-business (B2B) breach-intelligence platform operated by InfoHash Private Limited, with its registered address at LADUN ROAD, CHUNGI NAKA KE PAAS SUJANGAD, CHURU, RAJASTHAN-331507, India. The Platform is available at threat.notifybreach.com and is intended exclusively for use by businesses and their authorized personnel, not by consumers in a personal capacity.

The Platform allows our business customers ("Customers") to add internet domains they own or control and to monitor those domains for security exposure. Specifically, the Platform surfaces (a) breached or leaked employee credentials discovered in third-party breach datasets and malware-infection ("stealer") logs, (b) employee profiles and exposure information sourced through third-party enrichment providers, (c) ransomware-group threat intelligence, and (d) a read-only Customer API for programmatic access to a Customer's own data.

This Privacy Policy describes how we process personal data in two distinct contexts: (1) personal data relating to our Customers, their authorized users, and website visitors, for which we act as a data controller; and (2) personal data about individuals ("data subjects") that appears within third-party breach and leak datasets tied to a Customer's monitored domains. We explain our role in each context in Section 2.

This Policy does not govern how our Customers use the data made available to them through the Platform. When a Customer monitors its own domains and reviews exposure relating to its workforce, the Customer determines the purposes and means of that processing and acts as an independent controller (or employer) with respect to its personnel. Customers are responsible for their own privacy notices and lawful basis toward their employees.

2. Our Dual Role: Controller and Processing of Breach Data

NotifyBreach as Data Controller (account, billing, and marketing data)

For personal data relating to our Customers, their authorized users, prospective customers, and visitors to our website — including account registration data, billing and contact information, usage and device data, and marketing preferences — NotifyBreach is the data controller. We determine why and how that data is processed, as described in Sections 4 and 5.

NotifyBreach's handling of breach and leak data about third parties

A core function of the Platform involves processing personal data about individuals ("data subjects") whose information appears in third-party breach corpora, leaked databases, and malware-infection logs. This data — which may include email addresses, usernames, plaintext or hashed passwords, the source URL or breach name, and associated metadata — is not collected from the data subjects directly. It is aggregated from third-party sources (see Section 4) and made available to a Customer only where the data relates to a domain the Customer has added and verified.

We are transparent that this processing concerns personal data about identifiable individuals — often a Customer's current or former employees — who have not provided that data to us themselves. We process this data under the GDPR lawful basis of legitimate interests (Article 6(1)(f)): namely, the legitimate interest of NotifyBreach and our Customers in detecting, preventing, and responding to security threats, credential compromise, account takeover, and data breaches affecting the Customer's organization. We have assessed that this security-protective purpose is not overridden by the rights and freedoms of the data subjects, in part because the data is already exposed elsewhere, because access is scoped to the organization to which the data subject is connected, and because the processing serves the data subject's own interest in being protected against misuse of their compromised credentials.

Where breach data includes special categories of personal data, we do not seek to derive or infer such categories and process the data only as security-relevant exposure indicators. Individuals whose breach data is processed have the rights described in Sections 12 and 13, including the right to object and the right to request information or removal.

3. Categories of Personal Data We Collect

We collect and process the following categories of personal data:

Account and customer data

  • Identity and contact data: name, business email address, company/organization name, and job role of authorized users.
  • Domain data: the internet domains a Customer adds for monitoring, and domain-verification records.
  • Authentication data: hashed passwords, two-factor authentication (2FA/TOTP) enrollment status, and session tokens.
  • Billing and subscription data: plan details, transaction records, and any billing contact information (payment card data, where applicable, is handled by our payment processor, not stored by us in full).
  • API token data: read-only Customer API tokens and per-token usage metering records.

Usage, device, and cookie data

  • Log and usage data: pages and features accessed, requests made, timestamps, and the authenticated user, email, and authentication method associated with a request.
  • Device and network data: IP address (including a truncated/network-prefixed form used for rate limiting), browser type, and operating system.
  • Cookies and similar technologies: strictly necessary cookies for authentication and session management, and limited diagnostic identifiers (see Section 7).

Breach, leak, and credential data (about data subjects)

  • Compromised credentials: email addresses, usernames, and associated passwords (plaintext or hashed as found in the source) discovered in breach datasets and malware-infection logs.
  • Breach metadata: the breach name or source, the originating URL, the date a breach was indexed, and the affected service.
  • These records are tied to a Customer's verified domains and are stored encrypted at rest (see Section 6).

Employee enrichment data

  • Employee profile and exposure data sourced from third-party enrichment providers (such as ContactOut), which may include name, business email, job title, and professional profile information for individuals associated with a Customer's domain.

Ransomware intelligence data

  • Ransomware-group activity and victim-disclosure intelligence aggregated from public and third-party threat-intelligence sources. This data is primarily organizational, though it may incidentally reference named individuals.

4. Sources of Personal Data

We obtain personal data from the following sources:

  • Directly from Customers and their authorized users: when an account is created, domains are added, or the Platform is used.
  • Automatically through use of the Platform: log, usage, device, and cookie data generated as users interact with the Platform.
  • From third-party breach and leak sources: aggregated breach corpora, leaked credential databases, and malware-infection (stealer) logs. This breach data about data subjects is sourced from third parties and is not collected from the data subjects directly.
  • From third-party enrichment providers: employee profile and exposure data (for example, via ContactOut).
  • From third-party and public threat-intelligence sources: ransomware-group and victim-disclosure intelligence.
  • From service providers: such as payment processors, hosting, analytics, and error/log tooling, in connection with operating the Platform.

5. Purposes of Processing and Legal Bases (GDPR Article 6)

We process personal data for the purposes below. For each purpose we identify the GDPR Article 6 legal basis on which we rely.

Providing and operating the Platform

To create and administer accounts, authenticate users, deliver monitoring and breach-intelligence services, serve the Customer API, and provide support. Legal basis: performance of a contract (Article 6(1)(b)) with the Customer.

Processing breach, leak, and enrichment data

To detect and surface compromised credentials, employee exposure, and related security risks tied to a Customer's domains. Legal basis: legitimate interests (Article 6(1)(f)) — the interest of NotifyBreach and our Customers in information security, threat detection, prevention of account takeover, and breach response, balanced against the rights of data subjects as described in Section 2.

Security, monitoring, and abuse prevention

To secure the Platform, apply rate limiting, log and investigate requests, and prevent fraud or misuse. Legal basis: legitimate interests (Article 6(1)(f)) and, where applicable, compliance with a legal obligation (Article 6(1)(c)).

Billing and account management

To process subscriptions, invoices, and payments, and to meter API usage. Legal basis: performance of a contract (Article 6(1)(b)) and compliance with a legal obligation, including tax and accounting (Article 6(1)(c)).

Product improvement and analytics

To understand usage, diagnose errors, and improve the Platform. Legal basis: legitimate interests (Article 6(1)(f)) in maintaining and improving a reliable service.

Marketing and communications

To send service-related communications and, where permitted, marketing about our products. Legal basis: legitimate interests (Article 6(1)(f)) for business-to-business communications, or consent (Article 6(1)(a)) where required by law. You may opt out of marketing at any time.

Legal compliance and dispute resolution

To comply with applicable law, respond to lawful requests, and establish, exercise, or defend legal claims. Legal basis: compliance with a legal obligation (Article 6(1)(c)) and legitimate interests (Article 6(1)(f)).

6. How We Protect Breach Passwords and Sensitive PII

We recognize that breach data — particularly leaked passwords — is highly sensitive. We apply the following measures specifically to this data:

  • Encryption at rest: breached passwords and associated sensitive PII are stored encrypted at rest, so that the underlying values are not readable from the data store without the applicable decryption keys.
  • Scoped access: breach and leak records are exposed only to the Customer whose verified domain the record relates to, and only to that Customer's authorized users.
  • Access controls: authentication, optional two-factor authentication, and read-only API tokens limit who can access data and how.
  • Logging and monitoring: access to and use of the Platform is logged to support security monitoring and incident investigation.

Despite these measures, we present compromised credentials for the limited security purpose of enabling a Customer to remediate exposure (for example, by forcing password resets). We encourage Customers to treat all surfaced credentials as compromised and to act accordingly.

7. Cookies, Analytics, and Logging

We use cookies and similar technologies, as well as server-side logging and diagnostic tools, to operate and secure the Platform.

  • Strictly necessary cookies: used for authentication, session management, and security. These are required for the Platform to function and cannot be disabled through the Platform.
  • Error and performance monitoring (Sentry): we use Sentry to capture application errors and performance diagnostics. This may include technical context such as the request, user identifier, and device/browser information needed to reproduce and fix issues.
  • Logging and observability (Axiom): request and application logs — which may include the authenticated user identifier, email, authentication method, and IP address — are processed and shipped to Axiom for operational monitoring, security, and troubleshooting.

Where required by applicable law, we will obtain consent before placing non-essential cookies and provide controls to manage your preferences. You can also manage cookies through your browser settings, though disabling necessary cookies may impair Platform functionality.

8. Data Sharing, Service Providers, and Sub-processors

We do not sell personal data. We share personal data only as necessary to operate the Platform and as described below. Our service providers are bound by contracts (including data processing agreements where required) that restrict their use of personal data to providing services to us.

  • Cloud hosting and infrastructure (Amazon Web Services / AWS): hosting of the Platform, databases, object storage, and supporting infrastructure.
  • Employee enrichment provider (ContactOut): supplies employee profile and exposure data used to enrich a Customer's domain monitoring.
  • Error monitoring (Sentry): application error and performance diagnostics.
  • Logging and observability (Axiom): operational and security log processing.
  • Payment processing: our payment provider processes billing and payment information on our behalf.
  • Professional advisors and authorities: legal, accounting, and security advisors, and competent authorities, where required to comply with law or protect our rights.

We may also disclose personal data in connection with a corporate transaction such as a merger, acquisition, financing, or asset sale, subject to appropriate confidentiality protections. A current list of sub-processors is available on request via [email protected].

9. International Data Transfers

We and our service providers may process personal data in countries other than the one in which you are located, including the United States. Some of these countries may not provide the same level of data protection as your home jurisdiction.

Where we transfer personal data of individuals in the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards, primarily the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, supplemented by additional technical and organizational measures where appropriate. You may request a copy of the relevant transfer mechanism by contacting [email protected].

10. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including to provide the Platform, comply with our legal obligations, resolve disputes, and enforce our agreements.

  • Account, billing, and contact data: retained for the duration of the customer relationship and thereafter as required for legal, tax, and accounting purposes.
  • Usage and log data: retained for a limited period for security, troubleshooting, and analytics, after which it is deleted or aggregated.
  • Breach, leak, and enrichment data: retained while a Customer continues to monitor the relevant domain and the data remains relevant to assessing exposure; we periodically review and remove data that is no longer relevant, and we will action verified removal requests as described in Sections 12 and 13.
  • Data tied to a closed account or a removed/unverified domain: deleted or de-identified within a reasonable period after the account is closed or the domain is removed, except where retention is required by law.

When retention is no longer justified, we securely delete or anonymize the data.

11. Security

We implement technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, loss, or destruction. These measures include:

  • Encryption of sensitive data at rest (including breached passwords) and encryption of data in transit using TLS.
  • Authentication, optional two-factor authentication, role-based access, and scoped read-only API tokens.
  • Per-IP rate limiting, request logging, and security monitoring to detect and respond to abuse.
  • Network and infrastructure controls within our cloud environment, and least-privilege access to production systems and secrets.
  • Ongoing review of our security practices and prompt response to identified vulnerabilities.

No method of transmission or storage is completely secure. While we work to protect personal data, we cannot guarantee absolute security. If we become aware of a personal data breach affecting your data, we will notify affected parties and competent authorities where required by applicable law.

12. Your Rights Under the GDPR

If you are located in the EEA, the UK, or Switzerland, you have the following rights with respect to your personal data, subject to applicable conditions and exemptions:

  • Right of access: to obtain confirmation of whether we process your personal data and a copy of that data.
  • Right to rectification: to have inaccurate or incomplete personal data corrected.
  • Right to erasure: to request deletion of your personal data in certain circumstances.
  • Right to restriction: to request that we limit our processing of your personal data in certain circumstances.
  • Right to object: to object to processing based on legitimate interests, including direct marketing.
  • Right to data portability: to receive certain personal data you provided to us in a structured, commonly used, machine-readable format.
  • Right to withdraw consent: where processing is based on consent, to withdraw it at any time without affecting prior processing.
  • Right to lodge a complaint: with a supervisory authority (see Section 16).

Rights of data subjects whose breached data appears on the Platform

If you are an individual whose breached or leaked personal data is processed on the Platform — for example, because your credentials appear in a third-party breach dataset tied to a monitored domain — you may exercise the rights above with respect to that data. In particular, you may contact us at [email protected] to (a) ask what personal data of yours we hold, (b) object to our processing on legitimate-interest grounds, and (c) request removal of your records from the Platform. Because we process breach data sourced from third parties and tied to organizational domains, we may need to verify your identity and may direct you to the relevant Customer (typically your current or former employer) where they act as controller. Removing your data from the Platform does not remove it from the original third-party source. We will respond to verified requests within the timeframe required by applicable law (generally one month under the GDPR).

To exercise any of these rights, contact [email protected]. We will not discriminate against you for exercising your rights.

13. Your Rights Under the CCPA/CPRA (California Residents)

If you are a California resident, the CCPA as amended by the CPRA provides you with specific rights regarding your personal information. This section uses terms as defined under California law.

Categories of personal information

In the preceding 12 months, we may have collected the following categories of personal information: identifiers (such as name, email, IP address, and account identifiers); commercial information (such as subscription and billing records); internet or network activity (such as usage and log data); professional or employment-related information (such as job title and employer, including via enrichment); and account credentials and other security-relevant data, including credentials appearing in third-party breach datasets. The sources, purposes, and disclosures for these categories are described in Sections 3, 4, 5, and 8.

Your California rights

  • Right to know: the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it.
  • Right to delete: to request deletion of personal information we have collected, subject to legal exceptions.
  • Right to correct: to request correction of inaccurate personal information.
  • Right to opt out of sale or sharing: to direct us not to sell or share your personal information.
  • Right to limit use of sensitive personal information: to limit our use of sensitive personal information to permitted purposes.
  • Right to non-discrimination: we will not discriminate against you for exercising your rights.

No sale or sharing of personal information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. We disclose personal information to service providers and contractors only to perform services on our behalf, under contracts that restrict their use of the information.

To exercise your California rights, contact us at [email protected]. We will verify your request consistent with applicable law, and you may use an authorized agent to submit a request on your behalf. We will respond within the timeframes required by the CCPA/CPRA.

14. Children's Privacy

The Platform is a business product intended for use by businesses and their authorized adult personnel. It is not directed to, and we do not knowingly collect personal data directly from, children. We do not permit individuals under the age of 18 to create accounts, and we do not knowingly target individuals under the age of 16.

Because breach data is aggregated from third-party sources, it is possible that such data could incidentally relate to a minor. We do not seek out or knowingly process the data of minors for any purpose other than the security purpose described in this Policy, and we will remove a minor's data upon a verified request. If you believe we hold a child's personal data, contact [email protected].

15. Automated Decision-Making and Profiling

We do not use your personal data to make decisions based solely on automated processing that produce legal or similarly significant effects on you within the meaning of GDPR Article 22.

The Platform applies automated matching to associate breach and enrichment data with a Customer's domains and to surface exposure to that Customer. This processing supports the Customer's security decision-making; it does not, by itself, produce legally significant decisions about data subjects on our part. Any remediation or employment-related actions taken in response to surfaced exposure are decisions made by the Customer, not by NotifyBreach.

16. Changes, Contact, and Complaints

Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the effective date and, where appropriate, provide additional notice. We encourage you to review this Policy periodically.

How to contact us

For privacy questions or to exercise your rights, contact us at [email protected]. For general support, contact [email protected]. You may also write to us at InfoHash Private Limited, LADUN ROAD, CHUNGI NAKA KE PAAS SUJANGAD, CHURU, RAJASTHAN-331507, India. Our Data Protection Officer / EU Representative, where applicable, can be reached through our Grievance Officer at [email protected].

Governing law

This Privacy Policy and any related matters are governed by the laws of India, without prejudice to any mandatory data protection rights you have under the laws of your place of residence.

Right to lodge a complaint

If you are in the EEA, the UK, or Switzerland, you have the right to lodge a complaint with your local data protection supervisory authority if you believe our processing of your personal data infringes applicable law. We would, however, appreciate the opportunity to address your concerns directly before you do so — please contact us first at [email protected].