Privacy Policy (Last updated: June 8, 2026)

LeakRadar.io (the Service) processes personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable French law.

Radar Forge SAS, 60 rue François 1er, 75008 Paris, France. VAT FR60100187533 – VAT collected for customers in France and EU consumers (reverse charge available for EU businesses with a valid VAT number). Contact: contact@leakradar.io.

• Account creation, authentication, breach searches you perform and notifications you request - contract.
• Billing and bookkeeping - legal obligation.
• Indexing data from publicly accessible breaches and stealer logs and operating our leak intelligence platform - legitimate interest in securing information systems and in detecting and responding to data breaches (GDPR art. 6(1)(f) and recital 49).
• Security logging, fraud detection and rate-limiting - legitimate interest in protecting the Service and its users.
• Marketing cookie campaign_code (30 days) and analytics (_ga, _gcl_au, 30 days) - consent.

• First and last name, email address, hashed password (bcrypt cost 12).
• Postal address, phone number, country, VAT number (for invoices).
• Technical and security data: IP addresses at sign-up and login, your account identifier, the type of searches you perform (for example email search, domain search or raw search) and audit logs of unlock operations (timestamp, account identifier and internal leak identifier).
• Cookies: twk_uuid_, TawkConnectionTime, _ga, _gcl_au, campaign_code - each limited to 30 days.
• Breach and leak datasets: personal data contained in breaches and stealer logs that were accessible on the internet without our involvement in the original incident. Depending on the source this may include email addresses, usernames, passwords or password hashes and other profile or technical data that were present in the leaked file.
• Special categories of data: we do not seek to index special categories of personal data (such as data revealing health, political opinions, religious beliefs, trade-union membership, sexual orientation or sex life) or data relating to criminal convictions and offences. Where we become aware that such data is present in a dataset, we filter, restrict or remove it.

• Inactive accounts: deleted after 12 months.
• Server access logs and security logs: kept for up to 12 months to detect incidents and abuse.
• Encrypted backups: 12 months.
• Invoices: 10 years (French accounting rules).
• Breach and leak datasets: raw breach files and stealer logs are kept for as long as they remain relevant to detect and remediate security incidents and as long as they are still technically accessible from their original public sources. When a dataset is no longer relevant or accessible we delete it or reduce it to a minimal index.

OVH (France), Hetzner (Finland), Cloudflare (DNS / WAF), Stripe, NOWPayments, Mailtrap, Zoho Mail, Tawk.to, Slack, Discord and Telegram. Each provider relies on GDPR Standard Contractual Clauses or the EU-US DPF when processing outside the EEA.

Data may transit through Cloudflare, Stripe, Slack, Discord, Tawk.to or Telegram servers located outside the EEA. These transfers are covered by the SCC referenced in each vendor's Data Processing Addendum.

All connections use TLS 1.3. User passwords are salted + hashed (bcrypt 12). Leaked credentials are stored in clear text for full-text search; access is rate-limited, logged and restricted to authenticated users. You acknowledge this residual risk when using the Service.

You may access, rectify, erase, restrict, object to or port your data. Requests: contact@leakradar.io. We reply within one month.

You can lodge a complaint with the CNIL (www.cnil.fr).

Material changes will be announced at least 30 days in advance (email and in-app banner).

Most of the personal data we index in our leak datasets does not come directly from you. It comes from breaches and stealer logs that were exposed by third parties without our involvement in the original incident.

Source of the data. We collect this data from sources that were technically accessible on the internet (for example public forums, paste sites, messaging channels or shared links) and from threat intelligence feeds that rely on such sources. We do not hack systems, bypass authentication, break encryption, buy stolen databases or pay for access to closed criminal forums.

Legal basis. Our legal basis is our legitimate interest, and the legitimate interest of our customers, in detecting and responding to data breaches and securing information systems (GDPR art. 6(1)(f) and recital 49).

Information of affected persons (art. 14(5)(b)). Because these datasets may concern very large numbers of people and are often incomplete or hard to link to reliable contact details, informing each affected person individually would be impossible or would involve a disproportionate effort within the meaning of GDPR article 14(5)(b). This public notice therefore serves as the information measure foreseen by that provision.

Your rights. If your personal data appears in our index, you may at any time ask whether we hold data about you, request a copy, ask us to erase it or restrict its use, and object at any time to processing carried out on the basis of legitimate interest (GDPR art. 21). We provide an easy and free removal procedure. Requests can be sent to contact@leakradar.io and we answer within one month where possible.