Privacy Policy

Effective: January 2025

1. Controller (Data Controller)

The entity responsible for data processing is:
[email protected]

2. Contact for Data Protection

If you have any questions about this Privacy Policy or the processing of your personal data, or if you wish to exercise your rights as a data subject (see Section 9), please contact:
[email protected]

3. Scope and Purpose of the Service

Our service (“Am I Dumped?” or Leak-Checker) allows users to check, based on their email address or password hash prefixes, whether these appear in publicly disclosed data leaks (“Leaks”). This helps you determine if your account may have been compromised. Password hashes

4. Processing Activities

4.1 Server Logfiles (IP Address)

Each time our service (API/website) is accessed, information automatically transmitted by your browser or client is collected:

  • IP address
  • Date and time of the request
  • Requested resource (e.g., API endpoint)
  • HTTP status code and browser type/version

Purpose of processing

  • Technical provision and security of the service
  • Prevention of misuse (e.g., protection against DDoS attacks)
  • Error detection and troubleshooting

Legal basis

  • Legitimate interest (Art. 6(1)(f) GDPR). Our interest lies in the secure and stable operation of our services.

Storage duration

  • Log data is generally stored for a short period (e.g., 24–72 hours), unless longer retention is required to investigate misuse.

4.2 Input and Checking of Email Addresses

When you submit your email address (or username) to check whether it has appeared in a data leak, the following data is processed:

  • Email address (in plain text only during the check and delivery process; hashed for rate-limiting)
  • IP address of the requesting client (hashed for rate-limiting)

Processing procedure

  1. Rate-limiting: To prevent misuse, we collect your IP address and hash it. This hashed IP address is stored in our database for a maximum of 48 hours to limit the number of incoming requests per IP (IPLimit). Your email address is also hashed to prevent you from receiving unwanted emails if someone else performs a query for your email.
  2. Database query: We use your (temporarily) plain-text email address to search our leak database for potential matches. The email address is used for this search.
  3. Result notification: We send the results of the check to you via email. Your plain-text email address is transferred to our email service (Brevo) for this purpose. Once the sending process has been initiated, we delete your plain-text email address from our systems, except in the database where all leaked data is saved. However, if your email address is found in any of the underlying leaked datasets we hold, it remains stored in plain text within those leaked data records indefinitely, because the original leak data is retained as-is to facilitate future checks.

Purpose of processing

  • Conducting the leak check at your request
  • Protection against misuse (rate-limiting)

Legal basis

  • Consent (Art. 6(1)(a) GDPR), since you knowingly provide your email address and thereby agree to its processing.
  • Legitimate interest (Art. 6(1)(f) GDPR) for technical protection measures against misuse.

Storage duration

  • Hashed IP address: up to 48 hours
  • Hashed email address: also up to 48 hours
  • Plain-text email address (for the check): stored only during the check and until successful dispatch, then deleted unless it is part of the original leaked dataset. Where the email appears in the leaked data we possess, it is retained indefinitely in plain text as part of the leaked information.

4.3 Querying Password Prefixes (“Pwned Password” Check)

We also offer a password leak check: you only submit the first 5 characters (prefix) of your password hash. We compare this prefix with our database to determine whether a corresponding hash is known there.

Data processed

  • 5-character hash prefix (calculated on the client side)
  • IP address (hashed) for rate-limiting

Purpose

  • Secure check to see if your password appears in leaks without revealing the password itself

Legal basis

  • Consent (Art. 6(1)(a) GDPR)

Storage duration

  • The hashed IP address is retained in the database for a maximum of 48 hours for rate-limiting, as described above.
  • The password prefix is queried directly and generally not stored permanently, except in anonymized form in our cache/log systems (where technically necessary).
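How the prefix check in this section and the hashed-IP rate-limiting of Section 4.2 can work in practice, as an added illustration that is not the service's own code: it assumes SHA-1 as the password hash (the policy does not name the algorithm), an HMAC with a server-side secret for the IP token, and a constructed four-entry leak list.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List, Tuple

# --- Section 4.3: password prefix check (k-anonymity range query) ---
# Constructed sample of passwords assumed to have appeared in leaks; a real
# service would hold a much larger set and store only the hashes.
LEAKED_PASSWORDS = ["password", "123456", "letmein", "qwerty"]

def pw_hash(password: str) -> str:
    """SHA-1 hex digest. Assumption: the policy does not name the hash algorithm."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_prefix_index(passwords: List[str]) -> Dict[str, List[str]]:
    """Group leaked hashes by their 5-character prefix so a range query is a lookup."""
    index: Dict[str, List[str]] = {}
    for pw in passwords:
        h = pw_hash(pw)
        index.setdefault(h[:5], []).append(h[5:])
    return index

LEAK_INDEX = build_prefix_index(LEAKED_PASSWORDS)

def server_range_query(prefix: str) -> List[str]:
    """Server side: receives only the prefix and returns every suffix known under it,
    so it cannot tell which suffix (if any) the client holds."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return list(LEAK_INDEX.get(prefix, []))

def client_check(password: str) -> Tuple[str, bool]:
    """Client side: hash locally, send the prefix, compare suffixes locally.
    Returns (prefix sent to the server, whether the password is known leaked)."""
    h = pw_hash(password)
    prefix, suffix = h[:5], h[5:]
    suffixes = server_range_query(prefix)  # only `prefix` crosses the network
    return prefix, suffix in suffixes

# --- Section 4.2: rate-limiting on a hashed IP address, retained 48 hours ---
RATE_LIMIT_SECRET = b"constructed-server-secret"  # assumption: keyed hash with a server secret
RETENTION_SECONDS = 48 * 3600                      # policy: hashed IP kept for at most 48 hours
_request_times: Dict[str, List[float]] = defaultdict(list)

def ip_token(ip: str) -> str:
    """HMAC instead of a bare hash: the IPv4 space is small enough that an unkeyed
    hash of an address could be reversed by exhaustive search."""
    return hmac.new(RATE_LIMIT_SECRET, ip.encode("ascii"), hashlib.sha256).hexdigest()

def allow_request(ip: str, limit: int, now: float) -> bool:
    """Allow at most `limit` requests per token within the retention window;
    entries older than 48 hours are dropped before counting."""
    token = ip_token(ip)
    cutoff = now - RETENTION_SECONDS
    _request_times[token] = [t for t in _request_times[token] if t > cutoff]
    if len(_request_times[token]) >= limit:
        return False
    _request_times[token].append(now)
    return True
```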

4.4 Email Dispatch via Third Parties (Brevo / Sendinblue)

The result emails are dispatched via the service provider Brevo (Sendinblue), which acts as our processor (Art. 28 GDPR). Your email address is transmitted to Brevo so we can send you the results.

4.5 Additional Third-Party Services

4.5.1 Cloudflare Web Analytics

We use Cloudflare Web Analytics to gather basic usage information (e.g., device details, user language, and general usage data) to help us improve performance and security.

  • Personal Data processed: device information, language, Usage Data
  • Purpose: Analytics (site performance and user metrics)
  • Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)

4.5.2 Google Fonts

We integrate Google Fonts (provided by Google) to display uniform text and enhance the user experience.

  • Personal Data processed: Trackers, Usage Data
  • Purpose: Visual display of fonts (typeface integration)
  • Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)

4.5.3 Cloudflare Bot Management

To detect and filter malicious or automated traffic, we employ Cloudflare Bot Management.

  • Personal Data processed: app information, Application opens, browser information, browsing history, city, clicks, country, county, custom events, device information, device logs, geography/region, interaction events, IP address, keypress events, language, latitude (of city), launches, longitude (of city), metro area, motion sensor events, mouse movements, number of sessions, operating systems, page events, page views, province, scroll position, scroll-to-page interactions, search history, session duration, session statistics, state, touch events, Trackers, Usage Data, video views, ZIP/Postal code.
  • Purpose: Protecting our site from spam, unauthorized bots, and malicious activity
  • Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)

4.5.4 Cloudflare (Traffic Optimization and Distribution)

We also rely on Cloudflare to optimize traffic, provide faster load times, and protect against DDoS attacks.

  • Personal Data processed: Trackers; various types of Data as stated in Cloudflare’s privacy policy
  • Purpose: Improved performance, distribution, and security (routing and caching of content)
  • Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)

4.6 Subscription to Email Notifications

In addition to the one-time result emails described in Section 4.4, users may also subscribe to receive periodic email notifications from us. These notifications typically include:

  • Alerts if your subscribed email address appears in new or updated leaks in our database.
  • Occasional security news, advisories, and updates related to data breaches and personal data protection.

Data processed

  • Email address: collected at the time of subscribing to notifications.

Processing procedure

  • When you opt in to receive periodic email notifications, we store your email address in our subscription list.
  • You may unsubscribe at any time via the link provided in each email or by contacting us at [email protected].
  • We do not share your subscription information with third parties, except for our designated email service provider (Brevo) acting as a processor under Art. 28 GDPR.

Purpose of processing

  • Providing proactive breach alerts and occasional security-related content to interested users.

Legal basis

  • Consent (Art. 6(1)(a) GDPR), as you explicitly request these notifications when subscribing.

Storage duration

  • Your email address remains in our subscription database until you unsubscribe or request its removal.

5. Cookie and Tracker Policy

Cookie & Tracker Policy for phantombreach.org

This document explains how phantombreach.org (the “Application”) uses certain technologies that support the objectives described here. These technologies give the Owner the ability to store or retrieve data (e.g., using a Cookie) or to run scripts on a User’s device while the User interacts with the Application.

Throughout this document, all such technologies are called “Trackers,” except when it is necessary to make distinctions. For instance, although Cookies can be employed in both desktop and mobile web browsers, they are generally not used in mobile applications (as they are browser-specific). Therefore, whenever this text mentions “Cookies,” it is specifically referring to that browser-based type of Tracker.

Some uses of these Trackers may also call for User consent. Whenever a User provides such consent, it can be withdrawn at any point by following the instructions in this document.

The Trackers implemented by this Application may be administered directly by the Owner (referred to as “first-party” Trackers) or by external providers (“third-party” Trackers). Unless otherwise specified, third-party providers may independently access the Trackers they manage.

The length of time that Cookies or similar Trackers remain active depends on expiry periods set by the Owner or the relevant third-party provider. Some may expire when the User’s browsing session ends, while others last for a certain term.

In addition to the details outlined under the respective categories below, Users can consult third-party privacy policies or contact the Owner to learn about specific Tracker lifespans and any additional relevant information, such as the presence of other Trackers.

How this Application uses Trackers

Necessary Trackers

This Application relies on “technical” Cookies and similar Trackers that are essential for running or delivering the Service. Such Trackers enable core functions or are strictly required for the Service to work properly.

Trackers administered by third parties

Cloudflare Bot Management (Cloudflare, Inc.)

Cloudflare Bot Management is a service from Cloudflare, Inc. that detects and filters automated or potentially harmful traffic.

  • Personal Data processed: app information, Application opens, browser specifications, browsing history, city, clicks, country, county, custom events, device details, device logs, geographic region, interaction events, IP address, keystrokes, language, approximate latitude/longitude (city-based), launches, metro area, motion sensor events, mouse movements, session counts, operating systems, page events, page views, province, scroll details (including scroll position and scroll-to-page interactions), search history, session duration, session statistics, state, touch events, Trackers, Usage Data, video views, ZIP/Postal code.
  • Location of processing: United States (see Cloudflare's privacy policy).

Tracker durations:

  • __cf_bm: 3 seconds
  • __cfruid: active only during session
  • _cfuvid: indefinite
  • cf_clearance: 30 minutes
  • cf_ob_info: 3 seconds
  • cf_use_ob: 3 seconds
  • cfmrk_cic: 3 months

Cloudflare (Cloudflare, Inc.)

Cloudflare is also used to optimize and distribute traffic. Since it mediates all exchanges between this Application and the User’s browser, it may collect analytics data from the Application in the process.

  • Personal Data processed: Trackers and other details as described in the service’s Privacy Policy.
  • Location of processing: United States (see Cloudflare's privacy policy).

Tracker durations:

  • _cfuvid: indefinite
  • cf_clearance: 30 minutes

Experience

The Application employs certain Trackers to improve User experience and facilitate interactions with content, networks, and external platforms.

Trackers administered by third parties

Google Fonts

Google Fonts is a service from Google LLC or Google Ireland Limited (depending on the Owner’s setup) that integrates different font styles into this Application.

How to manage preferences on this Application

Users may view or adjust their choices via the dedicated privacy choices panel on the Application.

For third-party Trackers, Users can manage their settings through the applicable opt-out link (if available), by following the instructions in the relevant third-party privacy policy, or by contacting that third party directly.

How to control or delete Cookies and similar technologies via device settings

Each User’s browser may allow them to:

  • View which Cookies or similar technologies are on their device,
  • Block some or all Cookies or similar technologies,
  • Remove Cookies or similar technologies already stored in the browser.

However, most browser settings do not permit very specific or “per-category” control.

Users can find guidance for managing Cookies on commonly used browsers via:

On mobile devices, certain Tracker categories can often be managed via the built-in settings (e.g., device advertising settings) or by disabling tracking entirely under the device settings.

Consequences of denying the use of Trackers

While it is the User’s choice to enable or block Trackers, please note that some functionalities rely on them, which can enhance the overall experience. Blocking Trackers may prevent the Application from offering certain features or an optimal experience.

Owner and Data Controller

Phantom Breach
[email protected]

Because the Owner does not entirely control third-party Trackers, any references to them should be taken as indicative. For complete details, Users are encouraged to check the privacy policies of the listed third-party providers.

Given the intricate nature of tracking technologies, Users may contact the Owner with any additional questions or for in-depth clarifications on the use of these tools in the Application.

Definitions and legal references

Personal Data (or Data): Any piece of information that identifies or can lead to the identification of an individual when combined with other data (including personal ID numbers).

Usage Data: Data automatically gathered by the Application (or third-party services employed within it), which can include IP or domain addresses of User devices, the Uniform Resource Identifier (URI) addresses, the times of requests, the methodology used to submit requests to the server, the sizes of files returned, numeric codes indicating server responses (e.g., success or errors), the User’s country of origin, User browser or operating system details, timestamps for each page visit, the route within the Application (i.e., sequence of visited pages), and other details about the User’s IT environment or device settings.

User: The individual engaging with this Application, usually synonymous with the Data Subject.

Data Subject: The natural person to whom the Personal Data belongs.

Data Processor (or Processor): A natural or legal entity, public authority, agency, or other body that processes Personal Data for the Controller, as described in this policy.

Data Controller (or Owner): A natural or legal entity, public authority, agency, or other body that determines the purposes and means of processing Personal Data, including security measures for the Application. Unless stated otherwise, the Controller is the Owner of this Application.

This Application: The platform (website or software) by which Users’ Personal Data is collected and processed.

Service: The service provided by this Application, defined in any related terms or as shown on this site/application.

European Union (or EU): Unless stated otherwise, references to the European Union here also cover all current EU Member States and European Economic Area (EEA) countries.

Cookie: A type of Tracker comprising small sets of data stored within a User’s browser.

Tracker: Any technology—such as Cookies, unique IDs, web beacons, embedded scripts, e-tags, or fingerprinting—that can track Users by accessing or storing data on their devices.

Legal information: This statement is prepared based on requirements from multiple jurisdictions and applies solely to this Application unless otherwise stated.

Latest update: January 27, 2025

iubenda hosts these contents and only processes the minimal Personal Data necessary for delivery of this policy.

6. Disclosure of Data to Third Parties

Your personal data will only be transferred to third parties in the following cases:

  • Processors (e.g., Brevo for email dispatch, hosting providers, database providers) that perform services on our behalf and may have access to personal data. We have concluded data processing agreements (DPAs) with these providers in accordance with Art. 28 GDPR.
  • Legal requirements: Where we are legally obligated to disclose data or in response to official requests (e.g., from law enforcement authorities).

No data is shared for advertising or marketing purposes.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, and misuse. These include:

  • Hashing and/or tokenizing IP addresses/email addresses
  • Encrypted connections (TLS/SSL/HTTPS)
  • Separate storage mechanisms for email addresses and password hashes to prevent cross-referencing
  • Up-to-date security standards and access authorizations based on the “need-to-know” principle

8. Storage Duration

We only store your data for as long as it is required for the stated purposes, or until you withdraw your consent or object to the processing (see Section 9). Specifically:

  • Hashed IP and email data (rate-limiting): max. 48 hours
  • Server logfiles: typically 24–72 hours (unless extended retention is necessary to investigate misuse)
  • Plain-text email address: stored only during the leak check and email dispatch, then deleted, unless it is contained within a leaked dataset we store, in which case it remains indefinitely as part of the original leaked records.

9. Your Rights as a Data Subject

You have the following rights in particular:

  • Right of access (Art. 15 GDPR): to information about your stored personal data.
  • Right to rectification (Art. 16 GDPR): to correct inaccurate or incomplete data.
  • Right to erasure (Art. 17 GDPR): to delete your data, unless there is a legal retention obligation. (Contact the email address provided in Section 2.)
  • Right to restriction of processing (Art. 18 GDPR): to restrict processing under certain conditions.
  • Right to data portability (Art. 20 GDPR): to receive your data in a common, machine-readable format.
  • Right to object (Art. 21 GDPR): to object to data processing based on legitimate interests if there are grounds relating to your particular situation.
  • Right to withdraw consent (Art. 7(3) GDPR): to withdraw your consent at any time with effect for the future.

If you wish to exercise any of these rights, please contact the address provided in Section 2. We may need to request additional information to confirm your identity.

Right to lodge a complaint: This right applies if you believe that the processing of your data violates applicable data protection law. In this case, please contact us first at [email protected]

10. Automated Decision-Making / Profiling

No automated decision-making within the meaning of Art. 22 GDPR takes place. Rate-limiting and leak detection do not constitute legal or similarly significant decisions about you; they serve only to protect the service and the requested checks.

11. Changes to This Privacy Policy

We reserve the right to adapt this Privacy Policy if necessary, for example, due to changes in the law or in our data processing. The current version is always available on our website or in the app.

12. Contact

For further questions regarding data protection or the deletion of your data, please contact:
[email protected]