Last updated: June 2026

Privacy Policy

Your privacy is fundamental to our mission. This policy explains how we handle your data.

Key commitment

All credential screening uses privacy-preserving techniques including k-anonymity and cryptographic hashing.

1. Who We Are

LeakJar is a breached-credential detection service operated by SEW INC ("LeakJar," "we," "us," or "our"). This Privacy Policy explains how we collect, use, disclose, and protect personal information when you visit our website, create an account, or use our Services. SEW INC is the entity responsible for the personal information described in this policy.

  • Data controller: SEW INC (operator of LeakJar)
  • Postal address: SEW INC, 200 Continental Dr Ste 401, Newark DE 19713-4337
  • Privacy contact: privacy@leakjar.com

2. Scope & Our Roles (Controller and Processor)

Our role under data-protection laws depends on the type of data involved:

  • Controller for account and website data. For information relating to your account, billing, and use of our website (such as your name, email, and analytics data), we act as the data controller and determine how and why that data is processed.
  • Processor for customer-submitted screening data. When a business customer submits data to be screened against known breaches via our APIs, we act as a processor (service provider) and process that data only on the customer's instructions to deliver the requested service.

We do not collect or store plaintext passwords. Credential screening uses privacy-preserving techniques, including k-anonymity and cryptographic hashing, so that complete credentials are never transmitted to or retained by us.

For business customers, a Data Processing Addendum (DPA) governing our processing of customer-submitted data is available on request. To obtain a copy, contact privacy@leakjar.com.

3. Information We Collect

We collect information in the following ways when you use our Services:

Account Information

When you create an account, we collect your name, email address, company name, and billing information necessary to provide and manage your account. This information is provided directly by you.

API Usage Data

We log API requests for rate limiting, abuse prevention, and analytics. These logs include request timestamps, endpoints accessed, response codes, and API key identifiers. We do not log request payloads containing credential data.

Website Usage Data

We automatically collect standard web analytics data, such as pages visited, referral sources, browser type, and device information, through cookies and similar technologies to improve our website and Services.

We collect personal information from three main sources: information you provide directly (such as account and billing details), information generated automatically through your use of the Services (such as logs and analytics), and, for screening requests, data submitted to us by our business customers.

4. How We Use Your Information & Legal Bases

We use the information we collect to:

  • Provide, maintain, and improve our Services.
  • Process transactions and send related billing information.
  • Send transactional emails, service updates, and security alerts.
  • Monitor and prevent abuse of our platform.
  • Comply with legal obligations and enforce our Terms of Service.
  • Generate aggregated, anonymized analytics to improve our products.

We do not use credential data submitted via our APIs for any purpose other than providing the requested screening service.

Legal Bases for Processing (GDPR Article 6)

Where the EU or UK General Data Protection Regulation applies, we rely on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)): to create and manage your account and provide the Services you request.
  • Legitimate interests (Art. 6(1)(f)): to secure our platform, prevent abuse, and improve our Services, balanced against your rights and interests.
  • Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, and other applicable laws.
  • Consent (Art. 6(1)(a)): where required, for example for certain cookies or optional communications, which you may withdraw at any time.

5. Cookies, Analytics & Tracking Signals

We use cookies and similar technologies to keep you signed in, remember your preferences, secure the Services, and understand how our website is used. Some cookies are strictly necessary for the site to function; others support analytics and are used only where permitted. You can control or delete cookies through your browser settings, though disabling some cookies may affect functionality.

We honor recognized browser privacy signals. Where supported by applicable law, we treat Global Privacy Control (GPC) signals as a valid request to opt out of any sharing of personal information for targeted advertising. Because there is no common industry standard for "Do Not Track" (DNT), we respond to DNT signals as described here rather than through a separate mechanism.

6. How We Share Information & Sub-processors

We do not sell or share your personal information. We disclose personal information only to service providers who process it on our behalf under contract, and only as needed to operate the Services. We currently rely on the following sub-processors:

  • Convex: application and backend platform.
  • Stripe: payment processing and billing.
  • SendGrid: transactional email delivery.
  • ClickHouse: analytics and log storage.
  • Vercel: application hosting and delivery.
  • Cloudflare: network security, content delivery, and abuse prevention.

We may also disclose information where required by law, to respond to lawful requests from public authorities, to enforce our Terms of Service, or in connection with a merger, acquisition, or sale of assets, subject to appropriate safeguards.

7. International Data Transfers

We operate primarily from the United States, and our service providers may process information in countries other than your own. Where we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to countries that have not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs), together with the UK International Data Transfer Addendum where applicable, and implement additional safeguards as appropriate.

8. Data Retention

We retain your account information for as long as your account is active. API usage logs are retained for up to 90 days for operational purposes. Billing records are retained as required by applicable tax and financial regulations.

When you delete your account, we will remove your personal information within 30 days, except where retention is required by law or for legitimate business purposes (such as fraud prevention).

9. Security & Breach Notification

We implement industry-standard security measures to protect your information, including encryption in transit (TLS) and at rest, access controls, regular security audits, and infrastructure monitoring. However, no method of transmission over the Internet or electronic storage is 100% secure.

In the event of a personal-data breach that affects your information, we will notify affected users and, where required, the relevant supervisory authorities and our business customers without undue delay and within the timeframes required by applicable law.

10. Your Privacy Rights (GDPR / UK)

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.
  • Rectification: Request correction of inaccurate or incomplete information.
  • Erasure: Request deletion of your personal information, subject to legal obligations.
  • Portability: Request a machine-readable copy of your data.
  • Objection: Object to certain processing activities, such as direct marketing.
  • Restriction: Request that we limit how we process your information in certain circumstances.
  • Withdraw consent: Withdraw any consent you previously gave, without affecting processing already carried out.
  • Lodge a complaint: Lodge a complaint with your local data-protection supervisory authority.

To exercise any of these rights, please contact us at privacy@leakjar.com. We will respond within 30 days. If your data was submitted to us by a business customer for screening, please direct your request to that customer, and we will assist them as their processor.

11. US State Privacy Rights (CCPA/CPRA & Similar Laws)

If you are a resident of California or another US state with a comprehensive privacy law, you may have rights to know about, access, correct, and delete the personal information we hold about you, and to opt out of the "sale" or "sharing" of personal information as those terms are defined under applicable law.

We do not sell or share your personal information, and we do not use sensitive personal information for purposes that would require an opt-out. We will not discriminate against you for exercising any of your privacy rights.

To exercise these rights, contact us at privacy@leakjar.com. We may need to verify your identity before responding, and you may use an authorized agent where permitted by law.

12. Children's Privacy

Our Services are intended for businesses and professionals and are not directed to children. We do not knowingly collect personal information from anyone under the age of 16 (or 18 where required by local law). If we learn that we have collected personal information from a child without appropriate consent, we will delete it promptly. If you believe a child has provided us with personal information, please contact privacy@leakjar.com.

13. Changes to This Policy & Contact

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you through the Services or by email. Your continued use of the Services after an update takes effect constitutes acceptance of the revised policy.

As noted above, a Data Processing Addendum (DPA) is available to business customers on request. If you have any questions about this Privacy Policy or our data practices, please contact us: