Privacy Policy (Last updated: November 14, 2025)

1. Controller

LeakRadar.io (the Service) processes personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable French law.

Alexandre Vandamme, Sole proprietorship, 24 rue Henri Matisse, 59150 Wattrelos, France. VAT FR67951723667 – VAT collected for customers in France and EU consumers (reverse charge available for EU businesses with a valid VAT number). Contact: [email protected].

2. Purposes and Legal Bases

• Account creation, authentication, breach searches you perform and notifications you request - contract.
• Billing and bookkeeping - legal obligation.
• Indexing data from publicly accessible breaches and stealer logs and operating our leak intelligence platform - legitimate interest in securing information systems and in detecting and responding to data breaches (GDPR art. 6(1)(f) and recital 49).
• Security logging, fraud detection and rate-limiting - legitimate interest in protecting the Service and its users.
• Marketing cookie campaign_code (30 days) and analytics (_ga, _gcl_au, 30 days) - consent.

3. Data We Collect

• First and last name, email address, hashed password (bcrypt cost 12).
• Postal address, phone number, country, VAT number (for invoices).
• Technical and security data: IP addresses at sign-up and login, your account identifier, the type of searches you perform (for example email search, domain search or raw search) and audit logs of unlock operations (timestamp, account identifier and internal leak identifier).
• Cookies: twk_uuid_, TawkConnectionTime, _ga, _gcl_au, campaign_code - each limited to 30 days.
• Breach and leak datasets: personal data contained in breaches and stealer logs that were accessible on the internet without our involvement in the original incident. Depending on the source this may include email addresses, usernames, passwords or password hashes and other profile or technical data that were present in the leaked file.

4. Retention

• Inactive accounts: deleted after 12 months.
• Server access logs and security logs: kept for up to 12 months to detect incidents and abuse.
• Encrypted backups: 12 months.
• Invoices: 10 years (French accounting rules).
• Breach and leak datasets: raw breach files and stealer logs are kept for as long as they remain relevant to detect and remediate security incidents and as long as they are still technically accessible from their original public sources. When a dataset is no longer relevant or accessible we delete it or reduce it to a minimal index.

5. Processors

OVH (France), Cloudflare (DNS / WAF), Stripe, NOWPayments, Mailtrap, Tawk.to, Slack and Telegram. Each provider relies on GDPR Standard Contractual Clauses or the EU-US DPF when processing outside the EEA.

6. International Transfers

Data may transit through Cloudflare, Stripe, Slack, Tawk.to or Telegram servers located outside the EEA. These transfers are covered by the SCC referenced in each vendor's Data Processing Addendum.

7. Security

All connections use TLS 1.3. User passwords are salted and hashed (bcrypt, cost 12). Leaked credentials are stored in clear text for full-text search; access is rate-limited, logged and restricted to authenticated users. You acknowledge this residual risk when using the Service.

8. Your GDPR Rights

You may access, rectify, erase, restrict, object to or port your data. Requests: [email protected]. We reply within one month.

9. Complaints

You can lodge a complaint with the CNIL (www.cnil.fr).

10. Changes

Material changes will be announced at least 30 days in advance (email and in-app banner).