BreachDirectory (UAB "Haunter Media") is the publisher and operator of breachdirectory.com (the "Site"), through which BreachDirectory makes a search engine and various services (the "Services") available. For purposes of this Agreement, when "Site" or "Services" are referenced, such reference includes all hardware, software, and network resources necessary to provide said Site and/or Service.
When first-person pronouns are used in this Agreement, these provisions are referring to BreachDirectory.
As a client and the user of the Site or Services, this Agreement will refer to You through any second-person pronouns, such as "You", "Yours" etc.
This policy describes how we use the information we receive about you when you visit our Site, or when you subscribe to or otherwise use our online services. This policy does not cover any information that we may receive from you or about you through channels other than the Site.
Legal bases of data processing
We will process your personal information in a lawful, fair and transparent manner. We only collect and process information about you where we have the legal basis to do so.
These legal bases depend on the services you use and how you use them, i.e. we collect and use your information only where:
This is necessary to perform the contract of which you are a party or to act upon your request before entering into such contract (for example, when we provide the service you request from us.)
This serves a legitimate interest (not denied by your data protection interests), such as conducting research and development, selling and promoting our services, and defending our rights and interests.
You give us consent to do so for a particular purpose (for example, you may consent to our sending you our newsletter.)
We need to process your data at the request of law enforcement or any legal body (on a legal obligation basis.)
Where you consent to the use of your information for a particular purpose, you have the right to change your mind at any time (but this will not affect any processing that has already taken place.)
We do not store personal information for longer than necessary. We protect this information by commercially acceptable means to prevent loss and theft, as well as unauthorized access, disclosure, copying, use or alteration. However, we warn you that no electronic transmission or storage method is 100% secure, and we cannot guarantee complete data security. Where necessary, we may store your personal information in order to comply with a legal obligation or to protect the vital interests of you or another individual.
Collection and use
We may collect, store, use and disclose information for the following purposes, and personal information will not be further processed in a way incompatible with those purposes:
To provide you with the features of our platform.
To process any operational or current payments.
To access and use our website, affiliate programs and related social media platforms.
To contact and communicate with you.
For internal records, accounting and administrative purposes. Internal records include, for example, your data recorded so that we can notify you about a recent data breach in which your account was found, where you previously gave us your consent to save your data. When such input is recorded, the values recorded include the URL of the page, the action (say, search form submission, etc.), and an action description (such as "Values were submitted through the search form.", etc.). Internal records also cover firewall violations: a firewall violation logs the URL on which the attack was blocked, the attack method, your IP, the time the firewall rule was triggered and what the payload was. The firewall logs are only kept for as long as absolutely necessary. We also track the fact that the search was made - in that case, we track an anonymized session ID, your search type (e.g. email, username, domain, etc.), and the time the search was submitted (for example, Friday 01 July 2000.)
To track social impact (we use Google Analytics, Google Tag Manager, and Google Webmaster Tools to track the count of submissions of the search form and other button clicks (all buttons on the home page and the API page) and how many people checked the checkbox stating that they want to be notified when their accounts are found in a data breach in the future, we also track how many people answered and how they answered the questions in the questionnaire.) When searches are submitted, we record an anonymized user session ID to identify unique users, the search type, and the time the search was performed for analytical purposes, and when the checkbox is checked, we record your input (your search query, search type and search time) to inform you about data breaches in the future. When social impact numbers are recorded, we record an anonymized session ID, the action performed at the time (for example, Search), the present URL (for example, "home"), and the description (for example, "Values were submitted through the search form.")
Analysis, market research and business development, including the management and development of our website, related applications and related social media platforms (we collect search data for analytics - data that is being collected includes the hashed ID of the session, the search type and at what time the search was made - year, month, and day.)
Running a competition, and / or offering you additional benefits.
Complying with legal obligations, and / or resolving any disputes that may arise.
All data that exists inside of BreachDirectory (data breaches) is derived from public sources (websites.) BreachDirectory makes this data available for search by locating it, downloading it, parsing it (making it adhere to a certain format), and uploading it to its systems (databases.)
Some data that users provide to BreachDirectory might be logged - that data includes email addresses provided in the search form if the user wants to be notified of data breaches in the future (when notifying the user, we will provide him or her the ability to opt-out.) Data provided by the user in such a case will be deleted when the user wants to opt-out.
Data provided to us by the Web Application Firewall (once attack attempts are detected and logged - for data that is logged, refer to paragraphs above) will be deleted once we investigate the causes of the attack (usually after one or two weeks.)
Some of the data provided when the API is in use might be logged. Such data includes user email addresses when the user has given consent to be informed about data breaches that might occur in the future and have his or her email address in them. Such users may opt-out using a link provided at the bottom of the newsletter - data will be stored until users do so.
When the API is in use, inside of our database we store the API key, plan that is associated with the API key, the amount of systems integrated and the amount of systems that can be integrated, the amount of queries made and the limit of queries that can be made, whether the API key is valid (Yes / No), when it is valid until and whether it is associated with other systems. Alongside the API key we might also store information relevant to the system that the user uses the API on. In such a case, we will store the API key, the system title and URL to the website, and a small description of what a company does if a user elects to provide this information. This information can be deleted by sending a request to [email protected] from the email associated with the API. This information will be deleted when the API key expires or when the user requests us to delete his or her information.
Companies and individuals using the API must inform people that the data is being logged when they opt-in for notifications of data breaches in the future (in that case, data is only collected when users check a checkbox that might be implemented by the individual or a company.)
In general, all information stored in regards to the user is deleted when it's no longer needed, either in an automatic fashion (e.g. when the API access expires), or manually (when we review the Web Application Firewall logs and prune them once every week or two, or when users delete their data via a link provided to them.) Users can also request to delete all of their information by sending an email to [email protected].
We may use your university or company logo to display the use cases of our API. Logos can be removed upon request by contacting us by email.
Disclosure of Personal Information to Third Parties
We may disclose personal information to:
Third-Party Service Providers to enable them to provide their services including, without limitation, IT Service Providers, Data Warehousing, Hosting and Server Providers, Ad Networks, Analysis, Error Loggers, Debt Collectors, Maintenance or Resolution Providers, Marketing or Advertising providers, professional advisors and payment system operators.
To our employees, contractors and / or affiliates.
Credit reporting agencies, courts, tribunals, and regulators in the event that you do not pay for the goods or services we have provided to you.
International transfer of personal information
The personal information we collect is stored and processed in locations where our servers, our partners or third party service providers are. By submitting your personal information to us, you agree that it will be disclosed to those third parties.
We will ensure that any transfer of personal information from European Economic Area (EEA) countries to non-EEA countries is protected by appropriate safeguards, such as the use of standard data protection clauses approved by the European Commission or binding principles or other legally acceptable means.
When we transfer personal information from a non-EEA country to another country, you acknowledge that third parties in other jurisdictions may not be subject to similar data protection laws as those under our jurisdiction. There is a risk that any such third party will take actions or practices that violate the data privacy laws under our jurisdiction, which may mean that you will not be able to seek redress under the privacy laws of our jurisdiction.
Control of your rights and personal information
You may choose to restrict the collection or use of your personal information. If you have previously consented to the use of your personal information for direct marketing purposes, you may change your mind at any time by contacting us. If you ask us to restrict the processing of your personal information, we will let you know how the restriction affects your use of our site or products and services.
You may ask for details of the personal information we have about you by contacting us over at [email protected]. You can request a copy of the personal information we have about you. Where possible, we will provide this information in CSV format or other easily readable computer format. You can always ask us to delete the personal information we have about you. You may also request that we transfer this personal information to another third party - all the same, contact us over at [email protected].
If you believe that any information we hold about you is inaccurate, outdated, incomplete, irrelevant or misleading, please contact us. We will take reasonable steps to correct any information that is inaccurate, incomplete, misleading, or out of date.
We will comply with all data breach laws applicable to us.
All data that BreachDirectory possesses is saved in a database in a format of Title:Domain:Email:Username:IP after acquiring data breaches from public sources (websites.) The data is saved until a user existing in a data breach wants to opt-out (be deleted from the databases: to do so, contact [email protected] with a request to delete your data.)
All of the data and infrastructure used by BreachDirectory is adequately protected by a Web Application Firewall (WAF.) Our website also uses TLS to ensure a secure connection.
Should a data breach occur, we will inform users who have opted in to be notified of a data breach by checking the checkbox (we cannot feasibly inform tens of billions of users.)
You agree to indemnify and hold us, our parent, subsidiaries, officers, directors, shareholders and employees and every other related person harmless, including costs and legal fees, from any claim or demand made by any third party due to or arising out of your access to or use of the website or the violation of this agreement by you or any other person - if harm was done, you agree to repay the damage in full.
Our site may redirect to external sites that we do not use. Please note that we have no control over the content and policies of those websites and are not responsible for their respective privacy practices.