Privacy Policy

How we handle and protect your personal information (updated May 2025)

About us and what we do

HaveIBeenPwned.com (HIBP) is owned and operated by Superlative Enterprises Pty Ltd ABN 62 085 442 020 ("Superlative", "we" or "us"), a business based in the state of Queensland, Australia. This policy explains what limited personal information we collect when you use the HIBP website, the personal information we collect to provide our services and how we handle and protect your personal information.

HIBP's purpose is to help individuals and organisations combat data breaches which compromise personal information and privacy by enabling them to identify when information has been involved in any type of legitimate data breach (or leak). We help explain and make visible how personal information spreads online and support the use of strong passwords. Individuals and organisations may no longer be able to control information once it is breached, however, they can at least understand what has been leaked, where it has been leaked from and what precautionary measures should be taken as a result.

HIBP delivers a range of free and paid services to individuals and organisations anywhere in the world to help them determine if they have been impacted by a data breach so they can effectively respond and protect themselves and the information, including in relation to data breaches that have been verified and uploaded:

  • a point-in-time search to check whether an email address entered by an individual into the HIBP search engine has been involved in a data breach;
  • a point-in-time search to find all breached email addresses on a domain verified as controlled by the enquirer;
  • a point-in-time search for real world passwords previously exposed in data breaches;
  • a subscriber service for verified individuals to be notified of data breaches connected to their email address; and
  • a subscriber service for enterprises and individuals to assist in monitoring breaches.

What kinds of personal information do we collect and hold and why?

When we use the term personal information, we mean any information or an opinion about an individual who is identified or reasonably identifiable to us. Personal information is sometimes also referred to as personal data.

  • To provide our services we receive and collect data sets online by various methods. These may include personal information which has or may have been the subject of a current or historical data breach or leak, or which has otherwise been maliciously harvested by information stealer software. We process these data sets to verify the legitimacy of the breach or stealer logs and the unique email addresses in the data, to identify new breached passwords, and to prepare and upload impacted email addresses and passwords to the HIBP database.
  • We only collect the limited personal information we need from individuals who visit HIBP or otherwise engage with us (eg through messaging or contacting our Zendesk) for the purposes of providing our services.
  • We collect and hold email addresses for the purposes of providing our subscription services for verified email addresses.

We do not collect or store your personal information when you conduct a search in the HIBP database. Searching for an email address or phone number only ever retrieves the data from storage and returns it in the response. The result of the search is not explicitly stored anywhere.

We also store some lists of data classes that were impacted in a particular data leak that is loaded into HIBP. For example, we will state that email addresses and passwords appeared in a leak but will not provide any information about which email addresses had corresponding compromised passwords.

The information we collect is not always personal information, as it may not relate to an identified individual or we otherwise may not be able to identify you from it.

The information we provide is based on data leaks we have identified and collected. However, it does not represent all leaked information, and there may be breaches or exposures that we are unaware of or that have not been made public. As a result, a User’s data could still be compromised even if it is not reflected on our Website.

Other Information

The Pwned Passwords feature searches compromised passwords from data leaks for the presence of a user-provided password. The password is hashed client-side with the SHA-1 algorithm then only the first 5 characters of the hash are sent to HIBP following the Cloudflare k-anonymity implementation. HIBP never receives the original password nor enough information to discover the original password. No identifying information about who the password belongs to is stored.
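The following is an added illustration of the k-anonymity lookup described above; it is not HIBP's own code. It hashes a password locally, sends only the 5-character hash prefix to a simulated range server (a stand-in for the real endpoint, so nothing is contacted over the network), and matches the remaining 35-character suffix locally. The corpus and counts are constructed sample values.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: password -> number of times seen.
# Illustrative values only, not HIBP data.
CONSTRUCTED_CORPUS = {
    "password": 3,
    "123456": 5,
    "letmein": 1,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str):
    """Split a 40-char hex digest into the 5-char prefix that is transmitted
    and the 35-char suffix that never leaves the client."""
    return digest[:5], digest[5:]


class SimulatedRangeServer:
    """Hypothetical stand-in for the range endpoint. It indexes the corpus by
    hash prefix and answers a prefix query with 'SUFFIX:COUNT' lines. The only
    thing it ever learns is the list of prefixes that were queried."""

    def __init__(self, corpus):
        self.by_prefix = defaultdict(list)
        for pw, count in corpus.items():
            prefix, suffix = split_hash(sha1_hex(pw))
            self.by_prefix[prefix].append((suffix, count))
        self.requests_seen = []  # what the server observes: prefixes only

    def range(self, prefix: str) -> str:
        self.requests_seen.append(prefix)
        rows = sorted(self.by_prefix.get(prefix, []))
        return "\r\n".join(f"{s}:{c}" for s, c in rows)


def pwned_count(password: str, fetch_range) -> int:
    """Client side of the lookup: hash locally, send only the prefix, then
    compare every returned suffix against the local suffix. Returns the
    breach count, or 0 if the password is absent from the range."""
    prefix, suffix = split_hash(sha1_hex(password))
    body = fetch_range(prefix)
    for line in body.splitlines():
        if not line:
            continue
        cand_suffix, _, count = line.partition(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    server = SimulatedRangeServer(CONSTRUCTED_CORPUS)
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, server.range))
    print("server saw only:", server.requests_seen)
```

Every query leaves a 5-character prefix with the server, which corresponds to a range of roughly 2^140 possible SHA-1 digests rather than one password; the matching happens entirely on the client. Passing a different `fetch_range` callable is how a real client would swap in an HTTP call without changing the matching logic.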

Sensitive information is a subset of personal information that includes health information and other forms of sensitive personal information, and generally requires a higher level of privacy protection than other types of personal information. We do not aim to collect sensitive information.

Logging and Cookies

We collect and hold only the bare minimum logging information required to keep the service operational and combat malicious activity. This includes transient web server logs to assess usage patterns and Application Insights for performance metrics. These logs may include information submitted in a form by the user, browser headers such as the user agent string and, in some cases, the user's IP address.

We use cookies to support your use of our website and improve its functionality. When you visit our website, it will automatically send you a “cookie” over HTTPS. A cookie is a small piece of text or bytes sent from a web server to your computer. It is used to identify you, but only by a random number. It does not identify you to us, but it does tell us that your computer has visited our website and the pages you have browsed. You can decline cookies at any time by adjusting the “accept cookies” setting in your browser, but this can affect the functionality of the website for you.

We do not use third party cookies or tracking pixels to collect or receive your information from our website and elsewhere on the internet and we don’t conduct targeted marketing or re-targeting, or serve you ads.

How do we collect, hold, use and disclose personal information?

Collection

We collect personal information:

  • indirectly that may be in data sets received from a range of third party sources known and unknown and from contacts including enforcement bodies, shared directly or published in various forums or online – if your email is verified as being involved in a data breach then you can be notified of that by using our services.
  • from individuals directly when they visit our website, use or subscribe to our services, submit a request through our support portal or contact us directly.
  • from third parties, such as breached organisations, where Superlative can verify the legitimacy of a breach.
  • from individuals we deal with directly, for example who represent our enterprise customers or partners.

Storage

When a data breach is loaded into HIBP by Superlative, the email addresses are stored in the online system. In limited cases, phone numbers are loaded in separately where they exist in an isolated data store not attached to any other personal information. Phone numbers are not linked to any corresponding email addresses. No other data of any kind (like names) is stored on data load.

Superlative securely stores the personal information we hold in a Western United States of America Microsoft Azure data centre.

The data sets from which emails (and passwords) are processed, verified and uploaded, are subsequently archived and separately and securely stored using a range of different measures, so they can be accessed on a restricted basis only, and used from time to time for breach verification or re-verification purposes in connection with our services and to respond to queries from legitimate third parties. We may delete breach data sets we have verified in certain circumstances.

Uses and disclosures

We use and disclose the personal information we hold for the purpose of providing our services.

All payments are processed by an approved third party Stripe so we don’t collect and use individual payment details.

Our subscriber database is checked when new breach data is loaded to establish if the subscriber appears in a new breach, and to send an email notification to the subscriber if required. These email notifications are only ever sent to subscribers who 'double' opt-in to receive notifications. This involves entering an email address on the notification page or domain search page, and then successfully proving control of the email address through email verification. The verification email contains a unique link which must be followed to confirm the subscriber opts-in. Anti-automation measures are in place to limit attempts to subscribe email addresses in bulk.

We may also use and disclose personal information for purposes related to our services such as:

  • to gain insights, to aggregate as statistics and to inform and educate the public, affected organisations and researchers about breaches, how personal information can be compromised and how to protect themselves.
  • for a purpose you have consented to in the context of providing our services.
  • to reach out to impacted organisations.
  • if we are required or authorised by law to do so.

Sensitive data breaches

Data breaches that we flag as sensitive are not returned in public searches on the website; they can only be viewed by using the subscription service and verifying ownership of the relevant email address first. Sensitive breaches are also searchable by domain owners who prove they control the domain using the domain search feature. For more information about how we flag sensitive breaches, see Here's how I'm going to handle the Ashley Madison data.

Domain searches

Domain searches allow the exposure of all email addresses on that domain to be returned in a single search. Only someone who controls the domain or the website it is bound to can perform a search via one of the verification processes:

  • Via email address on the WHOIS record
  • Via a common security or administrative email address (security@, hostmaster@, postmaster@, webmaster@)
  • Via a meta tag with a unique code placed on the website
  • Via a file with a unique code uploaded to the website
  • Via a txt entry on the DNS record with a unique code

A domain search logs the domain name and the requestor's IP address as part of anti-abuse measures. If you ask Superlative to notify you of future appearances of email addresses on that domain and you provide your email address so it can be notified, that email address is also stored. Anti-automation measures are in place to limit attempts to automate searches.

When someone subscribes to notifications or searches a domain, that information is not passed to any third parties under any circumstances other than to send email using the SendGrid service.

Will we disclose your information overseas?

We store all personal information securely in a Western United States of America Microsoft Azure data centre. This data is not shared or disclosed to any third parties overseas.

How do we protect your data?

Security on HIBP is handled by a "defence in depth" approach, that is the service employs many different layers of security including (but not limited to):

  • all data transmitted over the internet is done over HTTPS;
  • Cloudflare is used extensively to block potentially malicious requests;
  • rate limits on APIs are implemented at both the code level and via Cloudflare;
  • regular security scans are performed to identify code or configuration vulnerabilities;
  • firewalls are employed to limit access to services running on Microsoft Azure;
  • disclosure of any security vulnerabilities is encouraged via the security.txt file;
  • third party components are kept well-maintained (see OWASP's Using Components with Known Vulnerabilities); and
  • data is securely archived offline on encrypted storage devices.

Access to and correction of your personal information

Access

You may access the limited information we hold about you in the HIBP platform in real time. Where there are sensitive breaches, we verify that the requester is the person to whom the information relates prior to allowing access.

We don’t have any reasonable or practicable way to search for or retrieve and give access to any other personal information involved in a verified data breach and it is not part of our service or purpose. If you have confirmed your verified email address has been in a data breach you should reach out to the relevant impacted organisation if you want to know about any other personal information that was affected.

Correction

To ensure the quality and accuracy of the information we publish, we limit the information we upload to HIBP to that which we collect after taking steps to verify identified and reported breaches, and to that which we collect directly from you. Once we receive personal information known to be involved in a verified data breach, the information cannot be changed retroactively.

Sensitive data breaches

Data breaches flagged as sensitive are not returned in public searches. If you wish to prevent any other breached information from being publicly associated with your email address, please utilise our opt-out feature detailed below.

In certain circumstances, subscribers may request correction to their personal information, such as their contact email address, by contacting us. Our contact details are set out below.

Unsubscribing and opt-out

By email

Every breach notification email that we send contains an unsubscribe link in the footer. If you would like to unsubscribe but cannot find a recent email from us, use the notification service to send another email to yourself and that will contain the unsubscribe link.

Using our opt-out feature

Superlative provides an opt-out feature for HIBP that, if used, removes an email address from public visibility. The opt-out feature provides you with 3 different ways to control how your personal data is stored and accessed:

  • Just removal from public searches: The public email address search no longer returns your address. Your address is still stored, you can still see breaches against it by verifying control with the notification service, and anyone who controls the domain your address is on can continue to see breaches against it using the domain search feature.
  • Remove all current and future breaches: No existing breaches impacting your address nor any occurring in the future will be stored against your address. No searches of any kind will return a breach associated with your address. Your address is retained alongside instructions to never load future breaches against it.
  • Remove the email address entirely: The address and associated breaches are permanently removed. If a future breach is loaded that includes your address, it will become publicly searchable again.

If you are based outside Australia

The website and our services are public and available to everyone as long as they agree to our terms - that’s the point. We don’t actively target or monitor anyone and only process limited personal information of users of our website and services. Our Privacy Policy is intended to provide all relevant information about how we collect and process personal information and all the ways you can exercise your right over your personal information.

Questions, concerns or complaints

If you have any questions, concerns or complaints about the way in which we have handled your personal information, you should contact us in the first instance. Our contact details are set out below.

We will endeavour to reply to you within a reasonable time following receipt of the complaint and, where appropriate, will advise you of the general reasons for the outcome of the complaint.

If you remain unsatisfied with the way in which we have handled a privacy issue, you may approach an independent advisor. There is more information and guidance on the website of the Office of the Australian Information Commissioner (www.oaic.gov.au) about protecting your privacy.

Our contact details

If you have any questions, please contact us at:

Superlative Enterprises
Level 11
2 Corporate Court
Bundall 4217
Queensland
Australia
support.haveibeenpwned.com
support@haveibeenpwned.com

Changes to this policy

From time to time, we may change our Privacy Policy to provide further information about how we handle personal information or the types of personal information which we hold. Any changes to our Privacy Policy will be published on our website.

You may obtain a copy of our current Policy from our website or by contacting us at the contact details above.