Legal Aspects and Privacy Policy

Welcome to Have I Been Ransomed? (“HIBR”, “we”, “us”). This service collects and processes information originating from data security breaches, particularly those resulting from ransomware incidents, that have been made public. Our goal is to enable individuals and organizations to verify if their data (such as email addresses) has been exposed in such breaches so they can take appropriate mitigation measures.

We operate under the legal basis of "legitimate interest" (Article 6(1)(f) of the GDPR) to process this data for information security and early warning purposes. We fully respect data subject rights under Regulation (EU) 2016/679 (GDPR) and other applicable data protection laws.

1. Data Controller

The data controller responsible for processing your personal data is DARKEYE INDUSTRIES, located at EUROPE, SPAIN (ANDALUSIA), with the contact email for privacy matters: [email protected].

2. Sources and Types of Data Processed

We obtain information from publicly accessible sources where data breach information is disclosed, including forums, leak sites, and specialized cybersecurity repositories that publish information about ransomware incidents.

Ransomware breaches can expose a wide variety of data. However, our service focuses primarily on indexing and making searchable **identifiers** (such as email addresses, usernames) that allow users to verify potential exposure.

We do not store or make searchable passwords in clear text or in an easily reversible format. If passwords are present in the original breach (e.g., hashed), we do not index them for direct search in this service.

The underlying information collected from breaches is stored securely using encryption and strict access controls.

3. Legal Basis for Processing (Legitimate Interest)

We process personal data (primarily identifiers like email addresses) under the legal basis of **legitimate interest** (Article 6(1)(f) of the GDPR).

Our legitimate interest consists of:

  • Providing a cybersecurity awareness tool that allows users to detect if they have been affected by public data breaches, especially from ransomware.
  • Helping to prevent identity theft, fraud, and other cyberattacks resulting from data exposure.
  • Contributing to collective information security.

We have conducted a balancing test between our legitimate interest (and the public interest in security) and the fundamental rights and freedoms of data subjects. We consider that, given we process data already publicly exposed (albeit illicitly by third parties), minimize the data exposed in our service (only searchable identifiers), apply robust security measures (encryption, pseudonymization where applicable), and offer clear opt-out mechanisms, our legitimate interest does not unduly override the rights of individuals.

Processing is carried out respecting the principles of lawfulness, fairness, transparency, data minimization, accuracy, storage limitation, integrity, and confidentiality (Article 5 of the GDPR).

4. Processing of Special Categories of Personal Data (Article 9 GDPR)

We are aware that data breaches, including those from ransomware, may incidentally contain special categories of personal data (revealing racial or ethnic origin, political opinions, religious beliefs, health data, etc.).

Our policy is to **actively avoid the indexed processing and display** of special categories of data through our public search service. We implement filters and processes to minimize the inclusion of this type of data in search results.

If, despite our efforts, you believe that your special category data is being incorrectly displayed or indexed by our service, please contact us immediately at [email protected] to request its priority removal. We do not rely on legitimate interest as a basis for deliberately processing special category data for our public search function.

5. Data Subject Rights

You have the right to:

  • Access: Verify if your data (e.g., your email address) is in our database of indexed breaches.
  • Rectification: Request the correction of inaccurate data (although we generally reflect the data as it appears in the breach).
  • Erasure (Right to be Forgotten): Request the deletion of your data from our indexed database. We will address these requests without undue delay.
  • Objection: Object to the processing of your data based on our legitimate interest. We will evaluate your request on a case-by-case basis.
  • Restriction of Processing: Request the restriction of processing under certain circumstances.
  • Data Portability: Request to receive the data you have provided to us in a structured format (generally not applicable to breach data you did not provide directly to us).

To exercise these rights, please contact us at:
[email protected]

You also have the right to lodge a complaint with the competent data protection supervisory authority if you believe that the processing of your data infringes applicable regulations (e.g., the Information Commissioner's Office (ICO) in the UK, or the authority in your EU country of residence).

6. Security and Confidentiality

We implement appropriate technical and organizational measures to protect data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data at rest and in transit.
  • Strict role-based access controls.
  • Regular security monitoring and audits.
  • Pseudonymization where applicable and technically feasible.

7. Data Retention

We retain indexed breach data only for as long as necessary to fulfill the purpose of informing users about potential exposures and allowing them to verify their status. We periodically review stored breaches and delete or de-index those that are no longer relevant, accurate, or whose retention is no longer justified by our legitimate interest. Data will be deleted sooner if you exercise your right to erasure.

8. Disclaimers / Limitation of Liability

This service provides information based on data found in third-party security breaches that have been made public. We do not guarantee the accuracy, completeness, or timeliness of the underlying data from the original breach.

HIBR is not responsible for the original security breaches or the actions of the actors who caused them. Our service is a notification and information tool based on publicly available data following such incidents. Use of this service is at your own risk.

9. Policy Updates

We may update this Privacy Policy periodically. We will notify you of any significant changes by posting the new policy on our website. We encourage you to review this page regularly.

Last updated: April 12, 2025

10. Contact

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:

Contact Email: [email protected]