Privacy Policy
1. Introduction
BreachWatcher ("we", "us", or "our") provides a data breach monitoring service that alerts you when your email address appears in a known data breach. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what rights you have over your data.
By using our website at www.breachwatcher.io or subscribing to any of our plans, you acknowledge that you have read and understood this policy.
Short version: We only collect your email address (and payment details if you subscribe). We use your email address solely to check it against breach databases and to send you relevant alerts and updates. We do not sell your data to anyone.
2. Who We Are
BreachWatcher is a data breach monitoring service operated from Gauteng, South Africa and North Carolina, United States. As the entity that determines the purposes and means of processing your personal information, BreachWatcher is the responsible party (also referred to as the "data controller") under applicable privacy law.
If you have any questions or concerns about this policy or how we handle your data, you can reach us at:
- Email: thebreachwatcher@gmail.com
- Location: Gauteng, South Africa & North Carolina, United States
3. Information We Collect
3.1 Information You Provide
- Email addresses
  - You provide one or more email addresses for us to monitor against breach databases. For paid plans, you may provide email addresses on behalf of family members or employees with their consent.
- Payment information
  - If you subscribe to a paid plan, billing details (card number, name, billing address) are collected and processed directly by our payment processors (PayFast or Stripe). We do not store full card details on our systems.
3.2 Information Collected Automatically
- Server logs
  - Standard web server logs may record your IP address, browser type, pages visited, and timestamps. These are used for security monitoring and diagnosing technical issues, and are not used to build profiles or for advertising.
3.3 Information We Do Not Collect
We do not collect passwords, identity documents, phone numbers, or any sensitive financial information beyond what is necessary for payment processing. We do not use cookies for advertising or behavioural tracking.
4. How We Use Your Information
| Purpose | Data used | Legal basis |
|---|---|---|
| Monitor your email address against breach databases and generate your exposure report | Email address | Performance of contract; legitimate interest |
| Send personalised breach alert emails (paid plans) | Email address | Performance of contract |
| Send platform-wide new breach announcements (all plans) | Email address | Legitimate interest; consent |
| Send cybersecurity tips and security alert emails (paid plans) | Email address | Performance of contract |
| Process subscription payments | Payment details (handled by processor) | Performance of contract |
| Respond to enquiries and provide customer support | Email address | Legitimate interest |
| Prevent fraud, abuse, and security incidents | IP address, email address | Legitimate interest; legal obligation |
| Comply with legal obligations | As required by law | Legal obligation |
5. Third-Party Service Providers
We share data only with trusted service providers who process it on our behalf, under appropriate data processing terms. We do not sell your personal information.
| Provider | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing for international subscribers | Email address, payment details |
| PayFast | Payment processing for South African subscribers | Email address, payment details |
| EmailJS | Transactional email delivery (subscription confirmation, alerts) | Email address, message content |
| Google Fonts | Loading web fonts for the site | IP address (standard browser request) |
Each provider is contractually bound to use your data only for the purposes we specify and to protect it in accordance with applicable law. We encourage you to review the privacy policies of these providers for more information about how they handle your data.
6. Breach Database Lookups
To deliver our monitoring service, your email address is compared against databases of known breach data. The results of the lookup (which breaches were found) are used only to generate your alerts and are not sold or shared with third parties.
Breach data held in our systems relates to historical incidents perpetrated by third parties; BreachWatcher did not cause any breach and is not liable for the original exposure of that data.
7. Data Retention
- Active subscribers
  - We retain your email address and monitoring preferences for as long as your subscription is active.
- After cancellation / account deletion
  - We will delete your email address from active monitoring within 30 days. Anonymised or aggregated records that cannot identify you may be kept for statistical purposes.
- Payment records
  - Billing records are retained for as long as required by applicable tax and financial regulations (typically 5–7 years depending on jurisdiction).
- Server logs
  - Retained for up to 90 days for security and diagnostic purposes.
8. Your Rights
Depending on where you are located, you may have the following rights regarding your personal information:
- Access — request a copy of the personal information we hold about you.
- Correction — ask us to correct inaccurate or incomplete data.
- Deletion — request that we delete your personal information, subject to legal retention obligations.
- Objection — object to processing based on legitimate interests.
- Restriction — request that we restrict processing in certain circumstances.
- Data portability — receive your data in a structured, machine-readable format.
- Withdraw consent — where processing is based on consent (e.g. marketing emails), you may withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at thebreachwatcher@gmail.com. We will respond within 30 days. We may need to verify your identity before acting on a request.
South African Residents (POPIA)
If you are located in South Africa, you have rights under the Protection of Personal Information Act 4 of 2013 (POPIA). BreachWatcher, as a responsible party, processes your personal information in accordance with the eight conditions for lawful processing set out in POPIA. If you believe we have violated your POPIA rights, you may also lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za.
United States Residents
If you are a resident of a US state with a comprehensive consumer privacy law (including but not limited to California, Colorado, Connecticut, Virginia, and Texas), you may have additional rights such as the right to opt out of the sale of personal information. BreachWatcher does not sell your personal information. To exercise any applicable rights, contact us at thebreachwatcher@gmail.com.
9. Marketing Communications
Paid subscribers receive breach notification emails, security alert emails, and cybersecurity tip emails as part of their subscription. These are considered essential service communications and are not optional while your subscription is active.
Free-tier users receive platform-wide new breach announcements. You may opt out of these at any time by contacting us at thebreachwatcher@gmail.com.
10. Security
We take the security of your personal information seriously. We implement appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, or alteration. These measures include:
- HTTPS encryption for all data in transit.
- Access controls limiting who within our team can access personal data.
- Use of PCI-DSS compliant payment processors so we never handle raw card data.
No method of transmission over the internet is 100% secure. In the event of a data breach that is likely to result in a risk to your rights, we will notify you and any applicable regulator as required by law.
11. Children's Privacy
Our service is not directed at children under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected such information, please contact us immediately and we will delete it.
12. International Data Transfers
BreachWatcher operates across South Africa and the United States. Your data may be processed in either country. When transferring personal information across borders, we ensure that appropriate safeguards are in place in accordance with applicable law, including POPIA's requirements for cross-border transfers.
Third-party processors such as Stripe and EmailJS may process data in the United States or other countries. We rely on their published data transfer mechanisms and contractual protections.
13. Cookies & Tracking
Our website does not use advertising cookies or behavioural tracking. We do not use Google Analytics or any analytics platform that builds profiles on our visitors. The only external requests your browser makes when visiting our site are to load fonts from Google Fonts and icons from Font Awesome (CloudFlare CDN), which may log your IP address as part of standard CDN operation.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify active subscribers by email. Your continued use of our service after a change constitutes acceptance of the updated policy.
15. Contact Us
If you have any questions about this Privacy Policy, want to exercise your rights, or have a privacy concern, please contact us:
- Email: thebreachwatcher@gmail.com
- Location: Gauteng, South Africa & North Carolina, United States
We aim to respond to all privacy enquiries within 30 days.