HaveIBeenPwned.com (HIBP) is owned and operated by Superlative Enterprises Pty Ltd ABN 62 085 442 020 ("Superlative", "we" or "us"), a small business based in the state of Queensland, Australia. We have created this policy to explain what limited personal information we collect when you use the HIBP site and how we handle and protect your personal information.
HIBP's purpose is to help individuals and organisations combat violations of privacy by enabling them to identify when information has been involved in a data leak. HIBP helps create visibility as to how personal data spreads. Individuals and organisations may no longer be able to control information once it is breached, however, they can at least understand what has been leaked, where it has been leaked from and what precautionary measures should be taken as a result.
HIBP delivers a range of free and paid services to individuals and organisations anywhere in the world to help them determine if they have been impacted by a data breach, including:
When we use the term personal information, we mean any information or an opinion about an individual who is identified or reasonably identifiable to us. Personal information is sometimes also referred to as personal data. We only collect the limited personal information we need for the purposes of providing our services.
We collect and hold email addresses for the purposes of providing our subscription services to verified email addresses.
We collect and hold only the bare minimum logging information required to keep the service operational and combat malicious activity. This includes transient web server logs, Google Analytics to assess usage patterns and Application Insights for performance metrics. These logs may include information submitted in a form by the user, browser headers such as the user agent string and, in some cases, the user's IP address.
We do not collect or store your personal information when you conduct a search in the HIBP database. Searching for an email address or phone number only ever retrieves the data from storage then returns it in the response. The data from the search is not explicitly stored anywhere.
We also store some lists of data classes that were impacted in a particular data leak that is loaded into HIBP. For example, we will state that email addresses and passwords appeared in a leak but will not provide any information about which email addresses had corresponding compromised passwords.
The information we collect is not always personal information, as it may not relate to an identified individual or we otherwise may not be able to identify you from it.
The Pwned Passwords feature searches compromised passwords from data leaks for the presence of a user-provided password. The password is hashed client-side with the SHA-1 algorithm then only the first 5 characters of the hash are sent to HIBP following the Cloudflare k-anonymity implementation. HIBP never receives the original password nor enough information to discover the original password. No identifying information about who the password belongs to is stored.
Sensitive information is a subset of personal information that includes health information and other forms of sensitive personal information, and generally requires a higher level of privacy protection than other types of personal information. We do not collect sensitive information.
Collection
We collect personal information:
Storage
When a data breach is loaded into HIBP by Superlative, the email addresses are stored in the online system. In limited cases, phone numbers are loaded in separately where they exist in an isolated data store not attached to any other personal information. Phone numbers are not linked to any corresponding email addresses. No other data of any kind (like names) is stored on data load.
Superlative securely stores the personal information we hold in a Western United States of America Microsoft Azure data centre.
Uses
We use the personal information we hold for the purpose of providing our services.
Our subscriber database is checked when new breach data is loaded to establish if the subscriber appears in a new breach, and to send an email notification to the subscriber if required. These email notifications are only ever sent to subscribers who ‘double' opt-in to receive notifications. This involves entering an email address on the notification page or domain search page, and then successfully proving control of the email address through email verification. The verification email contains a unique link which must be followed to confirm the subscriber opts-in. Anti-automation measures are in place to limit attempts to subscribe email addresses in bulk.
Sensitive data breaches
Data breaches that we flag as sensitive are not returned in public searches, they can only be viewed by using the subscription service and verifying ownership of the relevant email address first. Sensitive breaches are also searchable by domain owners who prove they control the domain using the domain search feature. For more information about how we flag sensitive breaches, see Here's how I'm going to handle the Ashley Madison data.
We only disclose the limited personal information required for the purposes of providing our services.
Domain searches
Domain searches allow the exposure of all email addresses on that domain to be returned in a single search. Only someone who controls the domain or the website it is bound to can perform a search via one of the verification processes:
If you ask Superlative to notify you of future appearance of email addresses on that domain and you provide your email address so it can be notified, that email address is also stored. Anti-automation measures are in place to limit attempts to automate searches.
When someone subscribes to notifications or searches a domain, that information is not passed to any third parties under any circumstances other than to send email using the SendGrid service.
We store all personal information securely in a Western United States of America Microsoft Azure data centre. This data is not shared or disclosed to any third parties overseas.
Security on HIBP is handled by a "defence in depth" approach, that is the service employs many different layers of security including (but not limited to):
Access
You may access the limited information we hold about you in the HIBP platform in real time. Where there are sensitive breaches, we verify that the requester is the person to whom the information relates prior to allowing access.
Correction
To ensure the quality and accuracy of the information we publish, we limit the information we collect and take steps to verify identified and reported breaches. Once we receive personal information known to be involved in a verified data breach, the information cannot be changed retroactively.
Sensitive data breaches
Data breaches flagged as sensitive are not returned in public searches. If you wish to prevent any other breached information from being publicly associated with your email address, please utilise our opt-out feature detailed below.
In certain circumstances, subscribers may request correction to their personal information, such as their contact email address, by contacting us. Our contact details are set out below.
By email
Every breach notification email that we send contains an unsubscribe link in the footer. If you would like to unsubscribe but cannot find a recent email from us, use the notification service to send another email to yourself and that will contain the unsubscribe link.
Using our opt-out feature
Superlative provides an opt-out feature for HIBP that, if used, removes an email address from public visibility. The opt-out feature provides you with 3 different ways to control how your personal data is stored and accessed:
If you have any questions, concerns or complaint about the way in which we have handled your personal information, you should contact us in the first instance. Our contact details are set out below.
We will endeavour to reply to you within a reasonable time following receipt of the complaint and, where appropriate, will advise you of the general reasons for the outcome of the complaint.
If you remain unsatisfied with the way in which we have handled a privacy issue, you may approach an independent advisor. There is more information and guidance on the website of the Office of the Australian Information Commissioner (www.oaic.gov.au) about protecting your privacy.
If you have any questions, please contact us at:
Superlative Enterprises
Level 11
2 Corporate Court
Bundall 4217
Queensland
Australia
support.haveibeenpwned.com
support@haveibeenpwned.com
From time to time, we may change our Privacy Policy on how we handle personal information or the types of personal information which we hold. Any changes to our Privacy Policy will be published on our website.
You may obtain a copy of our current Policy from our website or by contacting us at the contact details above.