1011+ breaches tracked — check free
EmaiLeaked
travel_explore Email checker lock Password checker database Recent breaches menu_book Data breach guide article Blog group About
search Check my email now
Privacy Terms Contact Editorial standards Disclaimer

Privacy Policy

Last updated: May 2026

Who we are and how to reach us

EmailLeaked ("we," "us," or "our") operates the website EmailLeaked.com, a free data breach checking and security education service. We are based in Texas, United States. For privacy-related inquiries, contact us at privacy@emailleaked.com or through our contact form.

Scope of this policy

This Privacy Policy describes how EmailLeaked collects, uses, retains, and discloses information when you use EmailLeaked.com (the "Service"). It applies to all visitors regardless of location. Where your jurisdiction grants specific legal rights — including the European Economic Area, United Kingdom, California, and Texas — those rights are described in the applicable sections below. By using the Service you acknowledge that you have read and understood this policy.

What the breach checker does with your email address

When you enter an email address into the breach checker, that address is transmitted to our server-side API function for the sole purpose of querying industry-standard breach data sources in real time. The email address is used only for that query and is discarded immediately thereafter. We do not write it to any database, log file, analytics property, marketing list, or server-side storage of any kind. It is not retained after the API request completes. It is not used to send you unsolicited communications. It is not associated with your IP address, browser fingerprint, or any persistent identifier in our systems.

A clean result — meaning no breaches found — does not guarantee your data has never been exposed. It means your address was not found in the datasets checked at the time of your query. Coverage is determined by the upstream providers and changes as new data is verified and ingested.

Information we collect and why

Contact form submissions. If you submit a message through our contact form, we collect your name, email address, and message content. This data is used solely to respond to your inquiry. It is stored securely by our form processing provider and is not used for marketing, sold to third parties, or combined with other datasets.

Newsletter subscriptions. If you choose to subscribe to our newsletter, we collect your email address and store it until you unsubscribe. We use this address only to send you the newsletter you requested. You may unsubscribe at any time by clicking the unsubscribe link included in every email. Upon unsubscription your address is removed promptly from our active mailing list.

Analytics data (consent-gated). We use Google Analytics 4 ("GA4") to understand how the Service is used so we can improve it. GA4 is not loaded unless you have provided explicit consent via our cookie consent banner. If you decline consent, no analytics data is collected. If you provide consent, GA4 may collect information including pages visited, time on page, general geographic region (country/city level), browser type, device type, and referral source. This data is retained in GA4 for 26 months and then automatically deleted. We do not enable GA4 user-ID tracking, and email addresses from the breach checker are never included in analytics.

Advertising data (consent-gated). We display advertising through Google AdSense. AdSense is not loaded unless you have provided explicit consent. If you provide consent, Google may serve personalized or non-personalized advertisements and collect data in accordance with Google's own privacy policy. You can review and manage Google's ad personalization settings at adssettings.google.com.

Infrastructure and server logs. Our hosting infrastructure (Cloudflare) processes standard technical request data including IP addresses, request URLs, timestamps, HTTP response codes, and browser user-agent strings as part of normal web hosting operations. This data is retained and processed in accordance with Cloudflare's privacy policy. We do not combine server log data with personal information you provide through forms or subscriptions.

What we never collect or store

We never store email addresses entered into the breach checker. We never collect or store passwords in any form — plaintext, hashed, or otherwise. We never create user accounts. We never purchase, sell, rent, trade, or share personal information with third parties for their own commercial purposes. We never send unsolicited marketing emails. We never use email addresses from the breach checker for remarketing, behavioral advertising, or any purpose other than the immediate API query.

Google Consent Mode v2

We have implemented Google Consent Mode v2 on the Service. Before you make a consent choice, Google Analytics and Google AdSense are set to a "denied" state — meaning they do not load, set cookies, or collect data. Consent signals are passed to Google only after you make an explicit choice through the cookie banner. Modeling (cookieless pings) operates in accordance with Google's Consent Mode specifications for users who decline. You may change your consent preferences at any time by clicking the privacy settings link in our site footer.

Cookies and tracking technologies

Before you interact with the consent banner, only technically essential infrastructure requests occur — no analytics or advertising cookies are set. After you provide consent, GA4 sets first-party measurement cookies (typically _ga, _ga_*, and related identifiers) with a default lifetime of up to 13 months. AdSense may set third-party cookies associated with advertising. If you decline cookies, the Service remains fully functional — the breach checker, educational content, and all pages are accessible without cookies.

You may also control cookies through your browser settings, though this may affect how certain features behave. The following browser extensions allow granular control: uBlock Origin, Privacy Badger, and similar tools. Opting out of Google Analytics across all websites is possible via the Google Analytics Opt-out Browser Add-on.

Third-party services and data processors

Cloudflare, Inc. — Our hosting, content delivery, and DDoS protection provider. Processes infrastructure-level request data. Privacy policy: cloudflare.com/privacypolicy.

Google LLC — Provider of Google Analytics 4 and Google AdSense. Processes analytics and advertising data after consent. Privacy policy: policies.google.com/privacy.

Google Fonts — We may load typefaces from Google Fonts, which involves a request to Google's servers. Google may log the request including your IP address. We are evaluating self-hosting fonts to eliminate this transfer.

Contact form processor — Processes contact form submissions. Data is used solely to deliver your message to us and is subject to the processor's own privacy terms.

Industry-standard breach data providers — When you use the breach checker, your email address is passed to upstream breach data APIs in real time. These providers do not receive any persistent identifier or additional personal data. EmailLeaked is independent of these providers and is not affiliated with them.

Data retention

Contact form data is retained for as long as necessary to respond to your inquiry and for a reasonable period thereafter in case of follow-up questions, and is then deleted. Newsletter subscriber email addresses are retained until you unsubscribe, at which point they are removed. Analytics data in GA4 is retained for 26 months. Cloudflare infrastructure logs are retained in accordance with Cloudflare's retention policies. Breach checker email addresses are not retained at all — they are discarded immediately after the API response is returned.

International data transfers

EmailLeaked is operated from Texas, United States. If you access the Service from outside the United States, including from the EEA, UK, or other jurisdictions, your information may be transferred to and processed in the United States. The United States does not have a data protection law equivalent to the EU GDPR. Where required, we rely on appropriate transfer mechanisms, including the EU-U.S. Data Privacy Framework where applicable to our processors, and Standard Contractual Clauses in our agreements with sub-processors.

Children's privacy (COPPA)

The Service is not directed at children under the age of 13 in the United States, or under 16 in the EEA (or such higher age as required by applicable law). We do not knowingly collect personal information from children under these ages. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@emailleaked.com and we will delete that information promptly. If we become aware that we have collected personal information from a child without verifiable parental consent, we will take immediate steps to delete it.

Your rights — EEA and UK residents (GDPR / UK GDPR)

If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation or UK GDPR, as applicable:

Right of access. You may request a copy of the personal data we hold about you.

Right to rectification. You may request correction of inaccurate personal data.

Right to erasure. You may request deletion of your personal data where there is no lawful basis for its continued processing.

Right to restriction. You may request that we restrict processing of your personal data in certain circumstances.

Right to data portability. Where processing is based on consent or contract and carried out by automated means, you may request a machine-readable copy of your data.

Right to object. You may object to processing based on legitimate interests.

Right to withdraw consent. Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.

Right to lodge a complaint. You have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu. The UK supervisory authority is the Information Commissioner's Office (ico.org.uk).

To exercise any of these rights, contact us at privacy@emailleaked.com or via our contact form. We will respond within 30 days. We may need to verify your identity before processing certain requests.

Your rights — California residents (CCPA and CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with the following rights:

Right to know. You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collection, and the categories of third parties with whom we share it.

Right to delete. You may request deletion of personal information we have collected from you, subject to certain exceptions.

Right to correct. You may request correction of inaccurate personal information.

Right to opt out of sale or sharing. We do not sell personal information. We do not share personal information with third parties for cross-context behavioral advertising. No opt-out mechanism is required, but you may submit a request at any time and we will confirm our practices.

Right to limit use of sensitive personal information. We do not collect or process sensitive personal information as defined under CPRA beyond what is necessary for the purpose for which it was submitted.

Right to non-discrimination. We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To submit a California privacy request, contact us at privacy@emailleaked.com or via our contact form. We will respond within 45 days of receipt of a verifiable request. You may designate an authorized agent to make requests on your behalf; the agent must provide signed written permission and we may verify your identity directly.

Categories of personal information collected in the past 12 months: contact information (name and email from contact form submissions), email address (newsletter subscriptions), analytics usage data (if consent given), advertising identifiers (if consent given). We do not sell or share any of these categories.

Your rights — Texas residents (TDPSA)

If you are a Texas resident, the Texas Data Privacy and Security Act (TDPSA) provides you with rights including the right to access, correct, delete, and obtain a portable copy of personal data we have collected, and the right to opt out of the processing of personal data for targeted advertising or the sale of personal data. We do not sell personal data and do not use personal data for targeted advertising in ways that require opt-out mechanisms under TDPSA. To submit a request under TDPSA, contact us at privacy@emailleaked.com. If we decline a request, you may appeal by contacting us within a reasonable time, and if we deny the appeal, you may contact the Texas Attorney General.

Security

We implement appropriate technical and organizational measures to protect personal information against unauthorized access, disclosure, alteration, or destruction. Our API is served over HTTPS. Contact form data is encrypted in transit. We limit access to personal information to those who need it to respond to your inquiry. No method of transmission over the internet or method of electronic storage is 100% secure, however, and we cannot guarantee absolute security. If you have a security concern about the Service, please contact security@emailleaked.com.

Legal bases for processing (EEA/UK)

For EEA and UK residents, we rely on the following legal bases under Article 6 GDPR: consent for analytics and advertising cookies (Art. 6(1)(a)); contract performance for processing contact form submissions to respond to your inquiry (Art. 6(1)(b)); legitimate interests for infrastructure security logging where our interest in maintaining service availability and security does not override your privacy rights (Art. 6(1)(f)). Newsletter subscription processing is based on consent (Art. 6(1)(a)) — you can withdraw consent at any time by unsubscribing.

Do Not Track

Some browsers transmit "Do Not Track" (DNT) signals. Because there is no consistent industry standard for responding to DNT signals, and because we already implement consent-gated analytics and advertising, we do not alter our data practices based on DNT signals. Our consent mechanism provides a more granular and legally consistent control mechanism than DNT.

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "last updated" date at the top of this page. Material changes will be flagged on the Service for a reasonable period. Your continued use of the Service after a change is posted constitutes acceptance of the updated policy. We encourage you to review this page periodically.

Contact

Privacy inquiries: privacy@emailleaked.com. Security disclosures: security@emailleaked.com. General questions: contact form or info@emailleaked.com.