Privacy Policy
Effective Date: February 16, 2026
Last Updated: February 16, 2026
LeakyCreds ("we," "us," or "our") operates a credential exposure monitoring platform at leakycreds.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By accessing or using our Service, you agree to this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.
1. Information We Collect
1.1 Information You Provide to Us
Account Registration: When you create an account, we collect your email address, first name, last name, password (stored as a cryptographic hash), and organization name.
Profile Information: You may optionally provide a profile image, additional contact information, and organization details including domains, application URLs, and notification preferences.
Scanner Usage: When you use our public scanner, we collect the domain names or email addresses you submit for scanning, along with scan timestamps and results.
Report Requests: When you request a detailed report, we collect your name, email address, and the domain being analyzed.
Communications: When you contact us or submit interest forms, we collect your name, email, organization details, and any message content you provide.
1.2 Information Collected Automatically
Usage Data: We automatically collect information about your interactions with the Service, including pages visited, features used, scan frequencies, and access times.
Device and Browser Information: We collect information about your device, browser type, IP address, operating system, and referring URLs.
Cookies and Tracking Technologies: We use cookies and similar tracking technologies to maintain user sessions, remember preferences, and analyze Service usage. Specifically, we use:
- Authentication Cookies: Access tokens and refresh tokens to maintain your logged-in session (expires after 1 day).
- Google Analytics: To understand how visitors use our Service and improve user experience (tracking ID: G-3PZJN0JWWM).
- Google reCAPTCHA: To prevent automated abuse of our scanning service.
1.3 Information from Third-Party Sources
We aggregate credential exposure data from publicly accessible sources including breach databases, stealer malware log repositories, paste sites, underground forums, and Telegram channels. This data is used solely to provide our monitoring service and alert customers about credential exposures affecting their domains.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: To provide credential exposure monitoring, scanning services, risk analysis, and incident detection.
- Account Management: To create and manage your account, authenticate users, and maintain role-based access controls.
- Alerts and Notifications: To send real-time alerts via email or webhooks when credentials matching your monitored domains are detected in our intelligence feeds.
- Analytics and Reporting: To generate security analytics, incident reports, and exposure trends for your organization.
- Service Improvement: To analyze usage patterns, improve our detection algorithms, enhance user experience, and develop new features.
- Security: To detect and prevent fraud, abuse, security incidents, and unauthorized access to the Service.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
- Communications: To respond to your inquiries, provide customer support, and send administrative messages about the Service.
3. How We Share Your Information
We do not sell your personal information. We may share your information in the following circumstances:
- With Your Consent: We may share information when you explicitly authorize us to do so.
- Within Your Organization: If you are part of an organization account, authorized users within your organization (MSP Admins and Org Viewers) can access incident data, scan results, and analytics related to your organization's monitored domains.
- Via Webhooks: When you configure webhook notifications, we send incident alerts to your specified endpoints (e.g., Slack, PagerDuty, custom URLs). You control what data is transmitted through webhook configurations.
- Service Providers: We may share information with trusted third-party service providers who assist in operating the Service, including cloud hosting providers, analytics services, and email delivery services. These providers are contractually obligated to protect your information and use it only for the services they provide to us.
- Business Transfers: If LeakyCreds is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our Service of any change in ownership or use of your personal information.
- Legal Requirements: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., court orders, subpoenas, law enforcement).
- Protection of Rights: We may disclose information to protect the rights, property, or safety of LeakyCreds, our users, or others, including enforcing our Terms of Service and investigating fraud or security incidents.
Important Note: We do not share the compromised credentials we detect (passwords, usernames, etc.) with any third parties except as necessary to deliver alerts to your configured notification endpoints.
4. Data Security
We implement industry-standard security measures to protect your information, including:
- Encryption of data in transit using HTTPS/TLS protocols
- Encryption of sensitive data at rest
- Password hashing using cryptographic algorithms
- Role-based access controls and authentication mechanisms
- HMAC-SHA256 signature verification for API requests
- Regular security assessments and monitoring
- Access logs and audit trails
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.
5. Data Retention
We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
- Account Data: Retained for the duration of your active account plus a reasonable period afterward for backup and legal compliance purposes.
- Scan Results: Public scan results are retained for 24 hours and accessible via unique URLs during that period to allow sharing and reference.
- Incident Data: Credential exposure incidents are retained for security monitoring, trend analysis, and historical reporting purposes.
- Usage Logs: System logs and access records are retained for security and operational purposes, typically for 12-24 months.
Upon account termination or deletion request, we will delete or anonymize your personal information within 30 days, except where retention is required for legal, regulatory, or legitimate business purposes.
6. Your Rights and Choices
Depending on your location, you may have certain rights regarding your personal information:
- Access: You can access your account information through the dashboard profile section.
- Correction: You can update your profile information, organization details, and notification preferences at any time through your account settings.
- Deletion: You may request deletion of your account and associated data by contacting us at [email protected].
- Data Portability: You can export your incident data, scan results, and analytics in CSV, PDF, or XLSX format through the dashboard export feature.
- Opt-Out of Communications: You can disable email notifications through your organization settings. Transactional emails related to account security and service functionality cannot be disabled.
- Cookie Management: You can control cookie preferences through your browser settings, though disabling certain cookies may limit Service functionality.
To exercise these rights, contact us at [email protected]. We will respond to your request within 30 days.
7. Third-Party Services
Our Service integrates with the following third-party services:
- Google Analytics: We use Google Analytics to analyze Service usage and improve user experience. Google Analytics collects information about your use of the Service through cookies and similar technologies. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
- Google reCAPTCHA: We use Google reCAPTCHA to prevent automated abuse of our scanner. reCAPTCHA is subject to Google's Privacy Policy and Terms of Service.
- Webhook Services: When you configure webhook notifications, you are responsible for the security and privacy practices of the receiving endpoints (Slack, PagerDuty, custom URLs, etc.).
These third-party services have their own privacy policies. We encourage you to review their policies before using our Service.
8. Credential Exposure Data
Our Service aggregates credential exposure data from publicly accessible sources including breach databases, stealer malware logs, paste sites, and underground forums. This data is collected for the sole purpose of providing security monitoring services.
Important Clarifications:
- We do not hack, breach, or steal credentials. We monitor publicly available leak sources.
- We do not sell, trade, or redistribute compromised credentials to any party.
- Detected credentials are used exclusively to alert affected organizations and enable security response.
- Access to detailed credential data (passwords, usernames) is restricted to authenticated users with legitimate security purposes.
9. Children's Privacy
Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected], and we will delete such information from our systems.
10. International Data Transfers
Your information may be transferred to and maintained on servers located outside your jurisdiction where data protection laws may differ. By using our Service, you consent to the transfer of your information to our facilities and the third-party service providers with whom we share it as described in this Privacy Policy. We apply appropriate safeguards to ensure your information remains protected in accordance with this Privacy Policy.
11. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You can request information about the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You can request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out: We do not sell personal information, so there is no opt-out required for sales.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise these rights, contact us at [email protected] with "California Privacy Request" in the subject line.
12. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):
- Legal Basis for Processing: We process your information based on your consent, contract performance, legitimate interests, and legal obligations.
- Access and Portability: You can access your personal data and receive it in a structured, commonly used format.
- Rectification: You can correct inaccurate personal data.
- Erasure: You can request deletion of your personal data ("right to be forgotten").
- Restriction: You can request restriction of processing in certain circumstances.
- Objection: You can object to processing based on legitimate interests.
- Withdraw Consent: Where processing is based on consent, you can withdraw it at any time.
- Lodge a Complaint: You can lodge a complaint with your local data protection authority.
To exercise these rights, contact us at [email protected] with "GDPR Request" in the subject line.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. For significant changes, we will provide prominent notice or seek your consent where required by law. We encourage you to review this Privacy Policy periodically for any updates.
14. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us through the appropriate channel:
Privacy & Data Protection:
Data Subject Requests:
Technical Support:
General Inquiries:
Website: https://leakycreds.com
We aim to respond to all privacy inquiries within 5 business days.
Data Processing Summary
What we collect: Account details, scan requests, monitored domains, incident data, usage analytics
Why we collect it: To provide credential monitoring, detect exposures, send alerts, and improve security
How we protect it: Encryption, access controls, secure authentication, regular security audits
Your control: Access, update, export, or delete your data at any time