Privacy Policy
Last updated: February 2026. This policy explains how ExposedMap handles your data.
1. What We Collect
We collect different categories of information depending on how you interact with ExposedMap:
- Exposure checks: Email addresses submitted for breach checking are processed transiently and are not stored after the check completes
- Lead capture: If you sign up for breach alerts or early access, we store the email address you provide until you request deletion
- Account data: Registered users provide an email and authentication credentials, which are stored for the lifetime of the account
- Automatically collected: Privacy-respecting usage analytics (page views, feature usage), device and browser information, and IP addresses hashed with a daily-rotating salt for rate limiting and abuse prevention
2. How We Use It
We use the information we collect to:
- Provide breach checking and exposure alerts
- Send email notifications you have opted into
- Enforce rate limits and prevent platform abuse
- Improve platform reliability and performance
- Generate aggregate, non-identifying usage statistics
We do not sell your personal data. We do not share it with advertisers or use it for ad targeting. We process data on the basis of legitimate interest (breach monitoring, security, abuse prevention), consent (alerts and lead capture), and contractual necessity (registered accounts). You may withdraw consent at any time via the unsubscribe mechanism or by contacting us.
3. Cookies & Tracking
ExposedMap uses a minimal set of cookies and similar technologies:
- Session cookies: Required for authenticated users to maintain login state
- Bot protection: Our bot protection service may set cookies to verify that requests come from real users
- Analytics: We use privacy-respecting web analytics that do not track individuals across sites
- Performance monitoring: We use web performance monitoring to detect and resolve errors
We do not use advertising cookies, retargeting pixels, or third-party tracking scripts.
4. Breach Data
We aggregate breach metadata from publicly available sources including government regulatory portals, breach notification databases, cybersecurity news feeds, and official company disclosures. Organization metadata (headquarters location, industry, logos) is enriched from public knowledge bases and data sources.
We display breach metadata only—we do not store or have access to actual breached records such as passwords, financial data, or personal documents.
5. Data Subject Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- GDPR (EEA/UK): Right to access, rectification, erasure, data portability, restriction of processing, and objection to processing
- CCPA (California): Right to know what data is collected, right to delete, and right to opt out of the sale of personal information. We do not sell personal information.
- Australian Privacy Act: Right to access and correct personal information held about you
To exercise any of these rights, contact us at support@exposedmap.com. We will respond within 30 days.
6. Security & Retention
We implement industry-standard security measures to protect your data:
- All data encrypted in transit via HTTPS/TLS
- Data encrypted at rest in our database infrastructure
- Authentication credentials are hashed and never stored in plaintext
Retention periods:
- Exposure check emails: not stored (transient processing only)
- Rate-limit counters: auto-expire within 24 hours
- Lead capture emails: retained until you request deletion
- Account data: retained for the lifetime of your account and deleted upon account closure
- Analytics data: aggregated and non-identifying