Terms of use

The terms of use for the HIBP API


Thanks for your interest in the Have I Been Pwned (HIBP) API. Further down this page you'll find the terms of use, written up by Australian lawyers (HIBP is owned and operated out of Australia). I just wanted to give a brief “friendlier” introduction before the formal bits.

The intention of the terms of use is to ensure that HIBP is used, as I've always said, "to do good things after bad things happen". Data breaches are an unfortunate reality of increasingly online lives, but post-breach we can use that data to help reduce the impact on breach victims. Using the API to do that is awesome, whereas using the API to disadvantage breach victims is not (that includes using it to pitch them services or "ambulance chase"). You're welcome to go and build amazing things that use the API; my ask is that if you do that and display information from HIBP, that you clearly indicate the source.

Most of what you'll read in the terms is obvious and common sense: don't deliberately attempt to disrupt the service, don't redistribute your API key to other parties (this is your secret), if you don't pay a recurring invoice for your API key, it'll be cancelled and so on and so forth. By necessity, some of it is a bit "legal speak" which is why I wanted to set the context for why upfront.

I hope you use the API service to create something wonderful that helps breach victims, thank you for reading this and for your interest in HIBP.

Troy Hunt
Founder, Have I Been Pwned


Welcome to Have I Been Pwned, operated by Superlative Enterprises Pty Ltd trading as “Have I Been Pwned” (we or us). We provide an online resource which facilitates the searching of email addresses allowing users to quickly assess if they may have been put at risk due to their online accounts having been compromised or “pwned” in a data breach via our API.

These Terms of Use (Terms) (last updated on 4 November 2022) set out the terms on which we offer access to our API to subscribers (referred to as you or your). These Terms set out your rights and responsibilities when using your API Key, your API Key Dashboard and our Website.

You may purchase an API Key through our website – haveibeenpwned.com (Website). By purchasing an API Key, you agree to be bound by these Terms. If you do not agree with these Terms, you are not entitled to purchase or receive an API Key. If you have any questions, complaints, or comments about your API Key Subscription or your API Key Dashboard, please contact us on the information provided below. To find out more information about us please visit our FAQ page at support.haveibeenpwned.com



1.1 Access to our API

(a) Anyone can access our Website. However, you will not be able to access and use our API unless you purchase an API Key Subscription. The API Key Subscriptions we offer are available for your review and selection on our Website.

(b) In order to purchase an API Key Subscription, you must provide a valid email address and any other information required on our Website. We do not allow API Key Subscriptions to be purchased by automated means (i.e. bots).

(c) Once you have purchased an API Key Subscription, we will grant you a non-exclusive, non-transferable and revocable licence for the Subscription Period to access and use our API solely via the provided API Key for the Permitted Purpose in accordance with the Documentation.

(d) You will be able to access your API Key Dashboard to access your API Key Subscription details and make changes to your API Key Subscription as required.

(e) Unless otherwise agreed in writing by us, you must not give a third-party access to your API Key. You are responsible for:

(i) maintaining the confidentiality and security of your API Key; and

(ii) all activities which occur using your API Key.

(f) The licence in this clause is granted subject to your ongoing compliance with these Terms and our Documentation.

1.2 Changes to our API

(a) From time to time we may update, modify or remove features or functionality of our API to reflect developments in technology. We will post any updates on our Website and amend our Documentation as required. In the event of any Material Change, we will endeavour to provide you with written notice via your email address.

(b) If you do not agree with the changes we make to our API you may discontinue your use of your API Key Subscription via your API Key Dashboard at any time. In the event of a Material Change, you are entitled to contact us within 30 days of receiving notice of the Material Change to arrange for a refund for any unused pre-paid portion of the Subscription Fee. Our contact details are outlined in clause 15.

1.3 No guaranteed support services

Unless otherwise agreed to in writing, we do not guarantee any individual support (including technical support), maintenance, or other services (or level of service) related to your API Key or your use of our API.

2. Subscription Term

(a) Your API Key will be provided to you on the date you purchase an API Key Subscription from us and it will continue to be valid for the period set out on your API Key Dashboard (Subscription Period). Your Subscription Period will automatically renew for an additional period of the same length unless you cancel your Subscription prior to the end of the then current Subscription Period.

(b) You can cancel your API Key Subscription at any time through your API Key Dashboard. Subject to any rights which cannot be excluded by applicable law or as otherwise outlined in these Terms, you will not be entitled to a refund for any pre-paid Subscription Fees for the remainder of the Subscription Period but may continue to access your API Key Dashboard and use your API Key until the last day of your paid-up Subscription Period.


(a) You must pay the Subscription Fee associated with your API Key Subscription, as outlined on our Website.

(b) Payment for your API Key Subscription is made through your API Key Dashboard. We use a third-party service provider, Stripe Payments Australia Pty Ltd (Stripe) to provide the payment gateway services for our services. Stripe and its global affiliates process transactions (including payment transactions) for us. Unless otherwise agreed in writing we only accept payments via Stripe. We do not store your payment information. For more information about Stripe, including how Stripe processes your payment information and their end user terms of service, please visit stripe.com/au.

(c) We may increase the Subscription Fee for a new Subscription Period by providing you with at least 60 days written notice. If you do not agree with the changes made to the Subscription Fee you can cancel your API Key Subscription at any time via your API Key Dashboard.

4. GST

(a) Except where otherwise defined in the Terms, capitalised expressions set out in this clause 4 bear the same meaning as those expressions in the A New Tax System (Goods and Services Tax) Act 1999 (Cth).

(b) Except where express provision is made to the contrary, and subject to this clause, any amount that may be payable under the Terms is exclusive of any GST. If a party makes a Taxable Supply in connection with the Terms for a Consideration which represents its Value, then the Recipient of the Taxable Supply must also pay, at the same time and in the same manner as the Value is otherwise payable, the amount of any GST payable in respect of the Taxable Supply. A party's right to payment under this clause is subject to a valid Tax Invoice being delivered to the Recipient of the Taxable Supply.

5. Your obligations

(a) You are not permitted to:

(i) access our API or use your API Key:

(A) for any purpose other than the Permitted Purpose;

(B) for the benefit of a third party (including for use by a related entity) other than as expressly permitted by the Terms;

(C) to provide an outsourced or white label service without identifying us as the source of the data and following our brand usage guidelines available on our Website from time to time.

(ii) modify, reproduce, revise, transmit, distribute, reverse engineer or alter your API Key, our API or HIBP Data, including redistributing your API Key or its configuration to any other party;

(iii) use our API to query email addresses belonging to individuals or organisations in a way that would disadvantage them or be construed as solicitation;

(iv) use our API in a way that has the potential to, or will, damage our goodwill or reputation or endanger, jeopardise or prejudicially affect our business in any manner.

(v) interfere with or disrupt the integrity of the performance of our API in any way, including:

(A) attempting to gain unauthorised access to our API or its related systems and networks;

(B) accessing or using our API in a manner that introduces malicious programs into our API including viruses, worms, trojan horses and e-mail bombs;

(C) modifying, reproducing, revising, transmitting, distributing, reverse engineering or altering our API; or

(D) using our API in a manner that could harm or impair anyone else's use of our API.

(b) You are responsible for obtaining all computer hardware, software, network, internet, mobile telecommunications and any other necessary equipment required to access and use our API.

(c) You must ensure that your access to and use of our API does not contravene any applicable laws and that you have all relevant approvals, licences and permissions relevant to the activities you are undertaking using our API.

(d) It is your responsibility to ensure you have appropriate backup measures in place outside of our API as we are not responsible for loss, delay, interception or corruption in relation to Subscriber Data or your inability to access our API.

6. Intellectual Property Rights

6.1 Ownership of Intellectual Property Rights

(a) You acknowledge and agree that we and our licensors, as applicable, are the owners of, and will retain all rights, title and interest in all Intellectual Property Rights in the:

(i) API Key;

(ii) API;

(iii) Documentation; and

(iv) any improvements, enhancements or modifications to your API Key, our API, or Documentation.

(b) You grant us a non-exclusive, non-transferable, royalty free licence to use the Subscriber Data for the purpose of making our service available to you or improving our services.

(c) You represent and warrant that the Subscriber Data you provide to us does not infringe the Intellectual Property Rights of any third party and is provided to us in accordance with all laws that are applicable to you.

6.2 Feedback

You hereby grant us a worldwide, perpetual, irrevocable, royalty-free licence to use and commercialise any feedback, suggestions, improvements, requests, enhancements, or corrections relating to our API you provide to us from time to time.


7.1 General privacy obligations

(a) Each party will perform their obligations under these Terms in accordance with their respective obligations under Privacy Laws.

(b) If either party collects, holds, uses or discloses Personal Information in the course of or relating to these Terms that party must:

(i) handle all Personal Information in accordance with that party's privacy policy and applicable Privacy Laws;

(ii) only use Personal Information for the purpose of performing its obligations under these Terms; and

(iii) not disclose Personal Information to any third party without the other party's prior written consent or as required by law.

7.2 Your acknowledgement

(a) You are responsible for:

(i) establishing, maintaining and enforcing information security controls against the unauthorised access, destruction, loss, alteration, disclosure or misuse of Subscriber Data; and

(ii) where, and to the extent necessary, obtaining all necessary consents from individuals whose Personal Information is included as part of the Subscriber Data to enable us to perform our obligations or exercise our rights under the Terms.

8. Warranties and disclaimer

8.1 Disclaimer regarding your API Key and our API

(a) You acknowledge and agree that:

(i) your entry into the Terms is neither:

(A) contingent upon the future functionality or features, or the expected performance, of our API; or

(B) dependent upon any oral or written public comments made by us with respect to the future functionality, performance or features of our API;

(b) Subject to 8.2, your access to our API is provided on an “as is” basis. Any representation, warranty, condition or undertaking that would be implied in these Terms by legislation, common law, equity, trade, custom or usage is excluded to the maximum extent permitted by law. We disclaim all other warranties (whether express, implied or statutory) and conditions, including fitness for purpose, availability, ongoing functionality, quality, accuracy, merchantability or non-infringement of our API.

(c) You are solely responsible for the accuracy, quality, integrity, legality, reliability, and appropriateness of the Subscriber Data and any information which is inputted into our API.

(d) We are in no way responsible for your use of the information retrieved from our API. By providing or granting access to our API, we provide no advice or recommendations to you and we are not in the business of providing advice of any kind. You assume sole responsibility and entire risk as to the suitability and results obtained from use of our API and we have no liability to you for any decisions made or actions or omissions taken based on your access or use of our API (and you will hold us harmless from any liability to third parties as a result of such use by you).

8.2 No exclusion

Nothing in these Terms excludes, restricts or modifies any condition, warranty, right or remedy conferred by the Australian Consumer Law (as set out in Schedule 2 of the Competition and Consumer Act 2010 (Cth)) or any other applicable law that cannot be excluded, restricted or modified by agreement.


(a) To the fullest extent permitted by applicable law, neither party will be liable to the other party, whether in contract, tort (including negligence) or otherwise, for any special, indirect or consequential loss, loss of profits, loss of sales or business, loss of production, loss of agreements, loss of business opportunity, loss of anticipated savings, loss of or damage to goodwill, loss of reputation, and loss of use or corruption of software, data or information arising under, or in connection with, the Terms.

(b) Subject to clause 9(a) and to the extent permitted by applicable law, our aggregate liability in respect of any claims arising out of or in connection with the Terms, whether in contract or tort (including negligence) or otherwise, will not, under any circumstances, exceed the Subscription Fee paid during the 12 months preceding the date on which the relevant cause of action arose.

(c) To the fullest extent permitted by law, our liability for a breach of a non-excludable condition or warranty is limited at our option (where permitted by the Australian Consumer Law (as set out in Schedule 2 of the Competition and Consumer Act 2010 (Cth))) to:

(i) in the case of goods, any one or more of the replacement of the goods or the supply of equivalent goods, the repair of the goods, the payment of the cost of replacing the goods or acquiring equivalent goods or the payment of the cost of having the goods repaired; or

(ii) in the case of services, the supplying of the services again or the payment of the cost of having the services supplied again.


(a) You will indemnify us against any loss, damage, liability, charge, expense, outgoing or cost (including all legal and other professional costs on a full indemnity basis) of any nature or kind, howsoever arising, whether present, unascertained, immediate, future or contingent arising out of or in connection with any claim arising from:

(i) your use of your API Key or our API in an unlawful manner or in violation of the Terms;

(ii) any negligence, fraud, wilful misconduct or breach of law by you; and

(iii) any claim by a third party that our use of Subscriber Data in accordance with these Terms is unlawful or in violation of any third party rights (including Intellectual Property Rights).


(a) We may, with or without notice to you and at our discretion, limit or suspend your right to access or use our API if we reasonably believe you are not complying with the Terms (including your payment obligations under clause 3).

(b) Without prejudice to any right or action or remedy which has accrued, or which may accrue in our favour, we may immediately terminate the Terms where you:

(i) have breached a material term of these Terms;

(ii) fail to comply with your payment obligations as outlined in clause 3 of the Terms; or

(iii) are subject to a change of control or become insolvent.

(c) On termination or expiry of the Terms under this clause 11 you will cease accessing our API and using your API Key immediately.

(d) Expiry or termination of the Terms will not affect the operation of the provisions of the Terms which by their nature survive termination or expiry of the Terms.

(e) Termination or expiry of the Terms will not affect any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination or expiry.

12. General

(a) These Terms are governed by and must be construed in accordance with the laws in force in Queensland.

(b) The parties submit to the exclusive jurisdiction of the courts of Queensland and the Commonwealth of Australia in respect of all matters arising out of or relating to the Terms, its performance or subject matter.

(c) The Terms contains the entire agreement between the parties concerning the subject matter of the agreement.

(d) A party must do all things and execute all documents that are reasonably necessary to give full effect to the Terms.

(e) We will not be in breach of the Terms or liable for any loss to the extent this arises from matters outside of our control.

13. Changes to these terms

(a) We may, from time to time, amend these Terms. We will endeavour to provide you with prior written notice on our Website of any such amendments. If you do not agree with any amendments to these Terms, you may cancel your API Key Subscription at any time via your API Key Dashboard.

(b) You agree that if you use your API Key after the date on which such changes to the Terms have occurred, we will treat your use of our API as acceptance of the changed Terms.

14. Definitions and interpretation

14.1 Definitions

In the Terms, the following terms have the meaning set out below.

API Key Dashboard means the account you create following your purchase of an API Key Subscription.

Affiliate means any entity which (directly or indirectly) controls, is controlled by or is under common control of a party.

API means the application programming interface and accompanying Documentation that facilitates your access and use of your API Key.

API Key means the unique confidential key provided to you to access our API as outlined in the Documentation on the Website.

Commencement Date means the date you purchase a Subscription from us.

Confidential Information means:

(a) your API Key and the HIBP Data, algorithm information and any other information that at the time of disclosure by a Disclosing Party is identified to the Receiving Party as being confidential or which the Receiving Party knows, or ought reasonably to be expected to know, is confidential to the Disclosing Party or any Affiliate of the Disclosing Party; and

(b) all other information belonging or relating to a Disclosing Party, or any Affiliate of that Disclosing Party, that is not generally available to the public at the time of disclosure other than by reason of a breach of the Terms.

Disclosing Party means the party to whom information belongs or relates.

Documentation means information, as updated by us from time to time, containing technical specifications and other usage requirements and restrictions which govern your use of our API as outlined on our Website and expressly incorporated into the Terms by reference.

HIBP Data means any Material that is provided to you by us in order for you to use our API.

Intellectual Property Rights means any and all intellectual and industrial property rights throughout the world, whether subsisting now or in the future, including rights of any kind in:

(a) inventions, discoveries and novel designs, whether or not registered or registrable as patents, innovation patents or designs, including developments or improvements of equipment, technology, processes, methods or techniques;

(b) literary works, dramatic works, musical works, artistic works, cinematograph films, television broadcasts, sound broadcasts, published editions of works and any other subject matter in which copyright (including future copyright and rights in the nature of or analogous to copyright) may, or may upon creation of the subject matter, subsist anywhere in the world;

(c) registered and unregistered trade marks and service marks, including goodwill in the business concerned in the relevant goods and services;

(d) trade, business or company names;

(e) internet domain names; and

(f) proprietary rights under the Circuit Layouts Act 1989 (Cth),

whether created or in existence before or after the date of the Terms and includes any thing, whether tangible or intangible, which incorporates, embodies or is based on any of the things referred to in paragraphs (a) to (f) inclusive of this definition.

Material means material in whatever form and includes email addresses, domains, hash prefixes, other data, documents, reports, information, images, content or sounds (together with any database made up of any of these), business process and software.

Material Changes means any material change to your API Key Subscription or the functionality of our API.

Permitted Purpose means running on-demand queries of email addresses for breaches and pastes up to a certain rate limit as outlined in the Documentation.

Personal Information has the meaning given in the Privacy Act 1988 (Cth) and includes “Sensitive Information” (as that term is defined in the Privacy Act 1988 (Cth)).

Privacy Laws means any applicable law, statute, regulation, ordinance, code, standard or requirement of any government, governmental or semi-governmental body which relates to privacy, including without limitation the Privacy Act 1988 (Cth) and the Australian Privacy Principles under the Privacy Act, and the Spam Act 2003 (Cth), as amended from time to time.

Receiving Party means the party to whom information is disclosed or who possesses or otherwise acquires information belonging or relating to a Disclosing Party.

Subscriber Data means all Material you supply or make available to us (including any Personal Information) in connection with the Terms.

Subscription means the subscription purchased by you in order to use your API Key and access our API.

Subscription Fee means the subscription fee outlined on your API Key Dashboard and on our Website.

Subscription Period means the period described as such associated with your API Key Subscription and outlined on your API Key Dashboard.

Terms consists of the following:

(a) the Terms of Use; and

(b) the Documentation.

14.2 Interpretation

In the Terms, unless the context requires otherwise:

(a) the headings are used for convenience only and do not affect the interpretation of the Terms;

(b) “include” or any similar expressions must be construed as if it were followed by “(without being limited to)”; and

(c) money amounts are in Australian currency.


HIBP's services are provided by Superlative Enterprises Pty Ltd (ABN 62 085 442 020). Our contact details are: