Privacy Policy
Effective 2026-05-13. Plain-English first, with the GDPR / CCPA sections you need at the bottom.
1. Who we are
Leakwarden ("we", "us") is operated as a sole proprietorship by
an individual based in Illinois, United States. For the purposes
of EU/UK data-protection law we are the data controller
of your personal information. Contact:
[email protected].
2. What we collect
- Scan submissions: the domain or URL you submit, the IP address making the request, and a timestamp.
- Account information: email address (to send magic-link sign-in tokens, which are stored hashed — never raw), Stripe customer ID once you've paid, your verified domains.
- Scan results: the findings produced by scans you initiate. Findings are treated as sensitive — see §4.
- Disclosure-pipeline records: if our certificate-transparency monitoring identifies a finding on a domain you didn't submit, we record the discovery, the outreach we sent (if any), and your opt-out status if you reply STOP.
- Analytics: aggregate page, referrer, and country via our self-hosted Umami instance at stats.gorgan.dev. No cookies are set, no individual visitor profile is built, no data is shared with third-party analytics vendors.
- Server logs: standard web-server logs (IP, user-agent, requested path, response code) retained ≤30 days for operational and security purposes.
We do not use Google Analytics, Facebook Pixel, Hotjar, or any third-party advertising or fingerprinting tool.
3. How we use it (lawful bases)
Under GDPR Article 6, the lawful bases we rely on are:
- Performance of a contract (Art. 6(1)(b)) — running scans you've requested, authenticating you, providing the dashboard, processing payments.
- Legitimate interests (Art. 6(1)(f)) — abuse prevention (rate limiting, IP-based blocks), aggregate analytics, security monitoring, and (where applicable) sending unsolicited disclosure emails to operators of leaking domains we've identified. The legitimate-interest balancing test for disclosures specifically favors the affected party's interest in being informed.
- Compliance with a legal obligation (Art. 6(1)(c)) — responding to lawful requests from authorities with jurisdiction.
- Consent (Art. 6(1)(a)) — never relied on for core service operation; we don't run advertising or marketing trackers that would require it.
4. How findings are handled
- Findings are encrypted at rest in Postgres via column-level encryption (pgcrypto).
- Free-tier findings are auto-deleted 7 days after the scan completes.
- Paid one-shot findings are auto-deleted 90 days after the scan completes, unless you're on an active monitoring subscription that retains them.
- Monitoring-subscription findings are retained for the lifetime of the subscription plus 30 days of grace after cancellation, then deleted.
- We never email full credential values. Reports show last-4 characters plus length only. Re-scan from your dashboard if you need the raw value.
- Findings are accessible only to the customer who initiated the scan and to operators of Leakwarden infrastructure for service operation and abuse investigation.
5. Retention summary
- Account record (email, hashed tokens, Stripe ID): kept while your account is active, plus 90 days after deletion for refund/dispute window, then purged.
- Web-server logs: 30 days.
- Findings: as above (7 / 90 days / subscription-bound).
- Disclosure-pipeline opt-outs: indefinite (this is the whole point of an opt-out list).
- Aggregate analytics: indefinite, but contains no personal identifiers.
6. Who we share with
- Stripe, Inc. — payment processing. You provide payment information to Stripe directly via Stripe Checkout; we receive only the customer ID and event webhooks.
- Brevo (Sendinblue SAS) — transactional email delivery (magic links, scan completion notifications, disclosure emails). They process recipient email + message contents for the purpose of delivery only.
- Cloudflare, Inc. — DNS, CDN, DDoS protection, and Turnstile (anti-bot challenge). Cloudflare sees request metadata (IP, headers) for traffic to our domain.
- Our hosting provider (a VPS provider physically located in the Netherlands) for server operation.
- Nobody else. We do not sell, rent, license, share for advertising, or trade customer data. There is no "marketing partners" category.
Where these sub-processors transfer data outside the EU/UK, the transfers are covered by Standard Contractual Clauses (SCCs) or equivalent safeguards published by the relevant sub-processor.
7. Disclosure pipeline
If our certificate-transparency monitoring identifies a finding on
a domain you control via WHOIS or standard administrative
addresses, we may contact you at security@,
abuse@, or the WHOIS contact. Our outreach is:
- Always free. Payment is never a condition of the disclosure or any fix.
- Always identifiable (clear sender, clear opt-out instructions, link to this policy).
- Always offers an opt-out: reply STOP and we add the apex domain to a permanent do-not-contact list.
- Never published publicly within 30 days of first notification, regardless of whether you respond.
Full conduct constraints are in our Acceptable Use
Policy §4. You may also opt out preemptively by emailing
[email protected] with the apex domain.
8. Your rights
You can export or delete your account data anytime from your
dashboard, or by emailing [email protected]. We
respond within 30 days. The specific rights below apply depending
on where you reside.
For EU / UK / EEA residents (GDPR)
You have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — have us delete data subject to limited exceptions (e.g. legal-retention obligations).
- Restriction — limit our processing while a dispute is resolved.
- Portability — receive your data in a machine-readable format.
- Object — to processing based on legitimate interest, including disclosure-pipeline contact.
- Withdraw consent — where processing is consent-based (rarely, for us).
- Lodge a complaint with your national data-protection supervisory authority. A list is at edpb.europa.eu.
We do not have an EU representative under GDPR Art. 27 because we
do not engage in large-scale or systematic processing of EU
residents' data. Direct correspondence to
[email protected].
For California residents (CCPA / CPRA)
You have the right to:
- Know — what personal information we collect, the sources, the purposes, and which categories of third parties we share with. All of this is documented above.
- Delete — request deletion of personal information we hold.
- Correct — inaccurate personal information.
- Opt out of sale / sharing — though we don't sell or share personal information for cross-context behavioral advertising, so there's nothing to opt out of. We honor Global Privacy Control signals as confirmation of this preference anyway.
- Non-discrimination — we will not deny service, charge different prices, or provide a lower quality of service because you exercise any CCPA right.
To exercise these rights, email [email protected]
from the address on your account or, for non-customers, with
enough detail to confirm your identity.
9. Cookies and tracking technologies
Leakwarden sets one cookie:
lw_session, used to maintain your authenticated
session if you are signed in. It is HttpOnly, Secure, and
SameSite=Lax. We set no third-party cookies. Our analytics
(self-hosted Umami) operates without cookies entirely. We do not
use localStorage or other client-side trackers for analytics.
10. Children's privacy
Leakwarden is a professional security tool not directed at
children. We do not knowingly collect personal information from
anyone under 13 (under 16 in the EU/UK). If you believe a child
has provided us with personal information, contact
[email protected] and we will delete it.
11. Security
We follow industry-standard measures: TLS in transit, encrypted column-level storage for findings, hashed magic-link tokens (SHA-256), no plaintext credential storage anywhere in the stack, principle-of-least-privilege for sub-processor access, and an explicit storage-shape policy for our own infrastructure secrets. No security control is perfect; we make best-effort commitments, not guarantees.
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and, where required under GDPR Art. 33, the relevant supervisory authority within 72 hours of becoming aware of it.
12. Changes to this policy
Material changes — anything affecting the scope of data collected, retention periods, sharing parties, or your rights — will be emailed to active account holders at least 30 days before taking effect. Non-material changes (clarifications, formatting, contact-address updates) take effect on publication; the effective date at the top of this page reflects the most recent change.
13. Contact
Privacy questions, rights requests, complaints:
[email protected]. We respond within 30 days
(sooner where required by applicable law).
Abuse reports (someone scanning your domain without
authorization): [email protected] — response
within one business day.