Privacy Policy

Effective Date: February 1, 2026 — Last Updated: March 8, 2026

1 Introduction and Scope

FindTheBreach ("we," "us," "our," or the "Company"), headquartered in Bothell, Washington, United States, operates the website located at findthebreach.com and provides a software-as-a-service (SaaS) penetration testing and vulnerability scanning platform (collectively, the "Service").

This Privacy Policy ("Policy") describes how FindTheBreach collects, uses, stores, processes, shares, transfers, and protects information obtained from and about individuals who visit our website, create accounts, subscribe to our services, interact with our platform, use our APIs, or otherwise engage with us (collectively, "you" or "Users"). This Policy also describes your rights and choices with respect to your personal information and how you may contact us regarding our privacy practices.

This Policy applies to all information collected through the Service, as well as any related services, sales, marketing, events, and communications. It does not apply to information collected by third parties, including any third-party websites, services, or applications that may be linked to or integrated with the Service.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree with the terms of this Policy, please do not access or use the Service. This Privacy Policy is incorporated into and subject to our Terms of Service.

FindTheBreach is committed to protecting your privacy and handling your data with transparency, integrity, and in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Washington My Health My Data Act, and other applicable federal, state, and international privacy laws.

2 Definitions

For purposes of this Privacy Policy, the following definitions shall apply:

  • "Personal Information" or "Personal Data" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an identified or identifiable natural person or household.
  • "Scan Data" means all data generated as a result of a vulnerability scan, penetration test, or security assessment initiated through the Service, including vulnerability findings, severity ratings, CVSS scores, CVE references, remediation recommendations, and associated metadata.
  • "Target Data" means information about systems, domains, IP addresses, URLs, or infrastructure submitted by Users for scanning or assessment through the Service.
  • "Usage Data" means information automatically collected about how Users interact with the Service, including pages visited, features used, scan configurations, access times, and clickstream data.
  • "Technical Data" means information about the device, browser, operating system, network, and connection used to access the Service.
  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Data Controller" means the entity that determines the purposes and means of Processing Personal Data. FindTheBreach acts as the Data Controller for Personal Data collected through the Service.
  • "Data Processor" means an entity that processes Personal Data on behalf of the Data Controller.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is being processed.
  • "Cookies" means small text files placed on your device by the Service to store information about your browsing activity and preferences.

3 Information We Collect

We collect several categories of information from and about Users of the Service:

3.1 Personal Information

When you register for an account, subscribe to a paid plan, submit a contact form, request a demo, or otherwise interact with the Service, we may collect:

  • Full legal name (first and last name)
  • Email address (business and/or personal)
  • Phone number
  • Company or organization name
  • Job title and role
  • Company website URL
  • Billing address and mailing address
  • Country of residence or business operation
  • Account username and password (stored in hashed form)

3.2 Technical and Device Information

We automatically collect certain Technical Data when you access the Service, including:

  • IP address (IPv4 and/or IPv6)
  • Browser type, version, and language preferences
  • Operating system and platform
  • Device type, model, and unique device identifiers
  • Screen resolution and display settings
  • Referring URL and exit pages
  • Internet service provider (ISP) information
  • Date and time stamps of access
  • Time zone settings and geographic location (city/region level)

3.3 Scan Data and Target Information

When you initiate vulnerability scans or security assessments through the Service, we collect and process:

  • Target domain names, subdomains, IP addresses, and URLs submitted for scanning
  • Scan configuration parameters and settings selected by the User
  • Scan results, including identified vulnerabilities, severity ratings (Critical, High, Medium, Low, Informational), CVSS scores, and CVE references
  • Remediation recommendations and technical details generated by scanning tools
  • Port scan results, service enumeration data, SSL/TLS certificate information, and technology fingerprinting results
  • Scan status, timestamps, duration, and performance metrics
  • Exported reports in PDF, CSV, or JSON formats

3.4 Payment and Billing Information

When you purchase a subscription, we collect payment-related information, including:

  • Credit or debit card number (processed and stored by our PCI DSS-compliant third-party payment processor; we do not store full card numbers on our servers)
  • Cardholder name
  • Card expiration date
  • Billing address
  • Transaction history, invoice records, and payment confirmations
  • Tax identification numbers (where required by applicable law)

3.5 Usage and Interaction Data

We collect information about how you use and interact with the Service, including:

  • Pages and features accessed within the platform
  • Scan initiation patterns and frequency
  • Dashboard and report viewing activity
  • API usage patterns, endpoints accessed, and request/response metadata
  • Search queries and filter configurations
  • Communication preferences and notification settings
  • Customer support interactions and correspondence

4 How We Collect Information

4.1 Information You Provide Directly

We collect information that you voluntarily provide to us when you: register for an account; subscribe to a paid plan; initiate a vulnerability scan; configure scan settings; submit a contact or support request; request a product demo; participate in surveys or promotions; communicate with us via email, chat, or phone; or otherwise interact with the Service.

4.2 Information Collected Automatically

When you access or use the Service, we automatically collect certain information using server logs, cookies, web beacons, pixel tags, and similar tracking technologies. This includes Technical Data, Usage Data, and certain device information as described in Section 3 above.

4.3 Information from Third-Party Sources

We may receive information about you from third-party sources, including:

  • Payment Processors: Transaction confirmation, billing information, and fraud screening data from our payment processing partners
  • Analytics Providers: Aggregated and de-identified usage analytics from third-party analytics services
  • Authentication Providers: Account information when you sign in using third-party authentication services (e.g., OAuth providers)
  • Public Sources: Publicly available information relevant to fraud prevention and identity verification
  • Business Partners: Referral information from partners, resellers, or affiliate programs

5 Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, we process your Personal Data only when we have a valid legal basis to do so under the General Data Protection Regulation (GDPR) or equivalent applicable data protection law. The legal bases we rely on include:

  • Performance of a Contract (Article 6(1)(b) GDPR): Processing is necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into a contract. This includes processing necessary to provide you with the Service, manage your account, process payments, and deliver scan results.
  • Consent (Article 6(1)(a) GDPR): You have given clear, informed, and unambiguous consent to the processing of your Personal Data for one or more specific purposes. This applies to marketing communications, non-essential cookies, and certain analytics. You may withdraw your consent at any time.
  • Legitimate Interests (Article 6(1)(f) GDPR): Processing is necessary for the purposes of our legitimate interests, except where such interests are overridden by your fundamental rights and freedoms. Our legitimate interests include improving and optimizing the Service, preventing fraud and unauthorized access, ensuring network and information security, conducting business analytics, and marketing our services to existing customers.
  • Legal Obligation (Article 6(1)(c) GDPR): Processing is necessary for compliance with a legal obligation to which we are subject, such as tax reporting, responding to lawful requests from public authorities, and maintaining records as required by law.
  • Vital Interests (Article 6(1)(d) GDPR): Processing is necessary to protect the vital interests of you or another natural person, such as in emergency situations involving threats to health or safety.

Where we rely on consent as the legal basis, you have the right to withdraw your consent at any time by contacting us at contact@findthebreach.com or by using the unsubscribe mechanism provided in our communications. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

6 How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: To provide, operate, maintain, and improve the vulnerability scanning and penetration testing services, including initiating scans, generating reports, and delivering results
  • Account Management: To create, manage, and maintain your account, authenticate your identity, and manage access permissions
  • Payment Processing: To process transactions, manage subscriptions, send invoices, and handle billing inquiries
  • Communications: To send you technical notices, security alerts, scan completion notifications, product updates, administrative messages, and customer support responses
  • Marketing: To communicate with you about products, services, offers, promotions, and events that may be of interest to you (subject to your communication preferences and applicable opt-out rights). FindTheBreach's email communications comply with: (a) the CAN-SPAM Act (15 U.S.C. § 7701 et seq.), including accurate header information, honest subject lines, identification as advertisements where applicable, valid physical postal address, and prompt opt-out processing within 10 business days; (b) Canada's Anti-Spam Legislation (CASL, S.C. 2010, c. 23), including obtaining consent before sending commercial electronic messages to Canadian recipients; and (c) the EU ePrivacy Directive (2002/58/EC) as implemented in EU Member States, requiring prior consent for direct marketing. Transactional emails (service alerts, security notifications, scan completion notices) are sent without opt-in consent as they are necessary for the performance of the service contract.
  • Analytics and Improvement: To monitor, analyze, and improve the Service, including usage trends, scan performance, feature utilization, and user experience
  • Security and Fraud Prevention: To detect, investigate, and prevent fraudulent transactions, unauthorized access, abuse of the Service, and other illegal activities
  • Personalization: To personalize your experience, provide content and features that match your usage patterns and preferences
  • Compliance: To comply with applicable legal obligations, regulatory requirements, law enforcement requests, and industry standards (including SOC 2, GDPR, CCPA/CPRA, HIPAA, and PCI DSS where applicable)
  • Research and Development: To conduct research using aggregated, de-identified data to develop new features, improve scanning algorithms, and generate industry security benchmarks
  • Legal Protection: To establish, exercise, or defend legal claims, enforce our Terms of Service, and protect the rights, property, and safety of FindTheBreach, our Users, and the public
  • Authorization Verification: To verify that Users have proper authorization to scan targets submitted to the Service, including reviewing authorization documentation when required

7 AI and Automated Processing

We use AI/ML technologies to process scan data and provide security insights. Specifically:

  • AI analysis occurs in real-time and does not involve long-term storage of AI-processed data beyond standard scan result retention
  • We do NOT use your Personal Information or Scan Data to train general-purpose AI models
  • Automated decision-making (per GDPR Article 22) is not used for decisions that produce legal or similarly significant effects on individuals
  • You may request human review of any AI-generated security assessment by contacting support@findthebreach.com

Right to Human Review: You have the right to request human involvement in any automated processing that significantly affects you. To exercise this right, contact privacy@findthebreach.com. We will respond to all such requests within fifteen (15) business days.

8 Scan Data and Security Results

Given the sensitive nature of vulnerability scan results, FindTheBreach implements heightened safeguards for Scan Data:

8.1 Confidentiality

All Scan Data is treated as Confidential Information. Vulnerability scan results are accessible only to the account holder who initiated the scan and any authorized team members within the same organization account. FindTheBreach personnel may access Scan Data only on a need-to-know basis for the purposes of providing technical support, troubleshooting issues, or responding to your specific requests, and such access is logged and auditable.

8.2 Storage and Encryption

Scan Data is encrypted at rest using AES-256 encryption and transmitted using TLS 1.2 or higher. Scan Data is logically segregated by account and stored in access-controlled environments. Database backups containing Scan Data are also encrypted.

8.3 Retention

Scan Data is retained in accordance with the retention periods specified in Section 14 (Data Retention) of this Policy. Users may request early deletion of Scan Data at any time. Upon account termination, Scan Data is scheduled for deletion in accordance with our retention policies.

8.4 No Sharing

FindTheBreach shall not sell, rent, lease, share, or disclose your Scan Data to any third party except: (a) with your explicit written consent; (b) as required by applicable law, regulation, or legal process (e.g., subpoena, court order); or (c) to prevent imminent harm or illegal activity.

8.5 Aggregated Data

FindTheBreach may use aggregated, de-identified, and anonymized data derived from Scan Data (with all personally identifiable information, target-specific details, domain names, IP addresses, and other identifying information irreversibly removed) for the purposes of improving scanning algorithms, generating industry vulnerability benchmarks, producing statistical analyses, and publishing threat intelligence reports. Such aggregated data cannot be used to identify any individual User or Target.

8.6 Special Category Data (GDPR Article 9)

FindTheBreach does not intentionally collect or process special category personal data as defined in GDPR Article 9, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification, health data, or data concerning sex life or sexual orientation.

If special category data is inadvertently encountered during authorized vulnerability scanning of Customer systems, FindTheBreach will: (a) not extract, store, or further process such data beyond what is strictly necessary for the scan operation; (b) apply the same encryption and access controls as other Scan Data; (c) include such data in the applicable retention and deletion schedules; and (d) notify the Customer if a significant volume of special category data is detected.

Our legal basis for any incidental processing of special category data is Article 9(2)(g), processing necessary for reasons of substantial public interest (cybersecurity), supplemented by appropriate technical and organizational safeguards as described in Section 13 (Data Security Measures) of this Policy.

9 Cookies and Tracking Technologies

FindTheBreach uses cookies and similar tracking technologies to collect and store information when you access the Service. The types of cookies we use include:

Strictly Necessary Cookies: These cookies are essential for the operation of the Service and cannot be disabled. They enable core functionality such as session management, authentication, security token validation, and CSRF protection. Without these cookies, the Service cannot function properly.

Performance and Analytics Cookies: These cookies help us understand how Users interact with the Service by collecting aggregated, anonymous information about page visits, feature usage, and navigation patterns. We use this data to improve the Service and optimize the user experience.

Functional Cookies: These cookies enable the Service to remember choices you make (such as language preferences, time zone settings, and dashboard layout preferences) and provide enhanced, personalized features.

Marketing Cookies: These cookies may be used to track your activity across websites and display targeted advertisements. FindTheBreach currently does not use third-party advertising cookies. If this changes, we will update this Policy and obtain your consent where required by applicable law.

Cookie Management. You can manage your cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. However, if you block or delete essential cookies, certain features of the Service may not function properly. For more information about the cookies we use, please refer to our Cookie Policy.

Other Tracking Technologies. In addition to cookies, we may use web beacons (also known as pixel tags or clear GIFs), local storage, and similar technologies to collect Usage Data and Technical Data. These technologies may be used in our emails to track open rates and click-through rates.

10 Information Sharing and Disclosure

FindTheBreach does not sell your Personal Information. We may share your information in the following limited circumstances:

  • Service Providers: We share information with trusted third-party service providers who perform services on our behalf, as described in Section 11 (Third-Party Service Providers). These providers are contractually obligated to use your information only for the purposes for which it was disclosed and to maintain appropriate security measures.
  • Legal Compliance: We may disclose your information if required to do so by law, regulation, legal process, or governmental request, including to comply with a subpoena, court order, or similar legal mechanism.
  • Law Enforcement: We may disclose information to law enforcement authorities if we have a good faith belief that such disclosure is necessary to: (a) prevent or detect criminal activity, including unauthorized scanning; (b) protect the safety of any person; (c) prevent fraud or abuse of the Service; or (d) protect the rights, property, or safety of FindTheBreach.
  • Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, dissolution, sale of all or substantially all of our assets, or similar transaction, your information may be transferred as part of the transaction. We will notify you via email and/or prominent notice on the Service of any change in ownership or uses of your Personal Information.
  • With Your Consent: We may share your information with third parties when you have provided your explicit consent to such sharing.
  • Aggregated or De-identified Data: We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you, for research, analysis, benchmarking, and industry reporting purposes.

Government Data Request Principles

FindTheBreach is committed to transparency in handling government and law enforcement requests for user data:

  1. Legal Process Required: We require valid legal process (subpoena, court order, or warrant) before disclosing any user data to government entities. We do not voluntarily provide user data to government agencies absent legal compulsion.
  2. Narrow Scope: We interpret all legal demands narrowly, providing only the specific data legally required and nothing more.
  3. User Notification: Where legally permitted, we will notify affected users of government data requests before disclosing their data, providing them an opportunity to challenge the request. We will seek to lift gag orders that prevent such notification.
  4. No Backdoors: FindTheBreach does not build backdoors into our platform, weaken encryption, or provide government agencies with special access to user data or scanning infrastructure.
  5. Transparency Reporting: We are committed to publishing an annual transparency report disclosing the number and types of government data requests received, complied with, and challenged.
  6. Warrant Canary: As of the date of this policy, FindTheBreach has not received any National Security Letters (NSLs), FISA orders, or gag orders from any government agency. We have not been required to provide direct access to our servers or scanning infrastructure to any government entity.

11 Third-Party Service Providers

We engage third-party companies and individuals to perform functions on our behalf. These service providers have access to your Personal Information only to the extent necessary to perform their designated functions and are contractually prohibited from using it for any other purpose. Categories of third-party service providers we use include:

  • Cloud Infrastructure and Hosting Providers: For hosting, data storage, computing resources, and content delivery
  • Payment Processors: For processing subscription payments, managing billing, and fraud detection (PCI DSS-compliant)
  • Email and Communication Service Providers: For sending transactional emails, scan notifications, marketing communications, and customer support correspondence
  • Analytics Providers: For website and application usage analytics, performance monitoring, and error tracking
  • Customer Support Platforms: For managing support tickets, live chat, and customer communications
  • Security and Monitoring Services: For DDoS protection, intrusion detection, web application firewall services, and infrastructure monitoring
  • Identity Verification Services: For verifying User identity and preventing fraudulent account creation
  • Backup and Disaster Recovery Services: For data backup, replication, and business continuity

We require all third-party service providers to enter into data processing agreements that include appropriate data protection provisions, confidentiality obligations, and security requirements. We regularly review and assess our service providers to ensure they maintain adequate security standards.

12 International Data Transfers

FindTheBreach is headquartered in Bothell, Washington, United States. Your information, including Personal Data, may be transferred to and processed in the United States and other countries where our service providers operate, which may have data protection laws that differ from those in your jurisdiction.

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we ensure that international data transfers are protected by appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs): We use the European Commission-approved Standard Contractual Clauses as the primary mechanism for transferring Personal Data outside the EEA to countries that have not been deemed to provide an adequate level of data protection
  • Adequacy Decisions: Where applicable, we transfer data to countries that have received an adequacy decision from the European Commission
  • EU-U.S. Data Privacy Framework: Where applicable, we rely on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework for transfers to the United States
  • Supplementary Measures: Where required, we implement additional technical and organizational measures (such as encryption and pseudonymization) to ensure an adequate level of protection

By using the Service, you acknowledge and consent to the transfer of your information to the United States and other jurisdictions as described in this Policy. You may request a copy of the safeguards we have in place for international data transfers by contacting us at contact@findthebreach.com.

For detailed information about our EU-US Data Privacy Framework (DPF) participation, Standard Contractual Clauses, Transfer Impact Assessments, and data residency commitments, please see our GDPR Compliance page.

13 Data Security Measures

FindTheBreach implements comprehensive technical and organizational security measures designed to protect your Personal Information and Scan Data from unauthorized access, alteration, disclosure, destruction, and other forms of unlawful processing. Our security program is aligned with industry best practices and applicable compliance frameworks, including SOC 2 Type II, GDPR, and PCI DSS requirements. Our security measures include:

  • Encryption in Transit: All data transmitted between your browser or API client and our servers is encrypted using TLS 1.2 or TLS 1.3 with strong cipher suites
  • Encryption at Rest: All sensitive data, including Scan Data and Personal Information, is encrypted at rest using AES-256 encryption
  • Access Controls: Role-based access controls (RBAC) and the principle of least privilege are enforced for all systems and data. Multi-factor authentication (MFA) is required for administrative access
  • Network Security: Firewalls, intrusion detection and prevention systems (IDS/IPS), web application firewalls (WAF), and network segmentation protect our infrastructure
  • Vulnerability Management: We conduct regular vulnerability assessments and penetration testing of our own infrastructure. Security patches are applied in a timely manner
  • Logging and Monitoring: Comprehensive audit logging and continuous monitoring of access to systems and data. Security events are reviewed and investigated promptly
  • Secure Development: Our software development lifecycle incorporates security reviews, code analysis, and security testing. Dependencies are regularly audited for known vulnerabilities
  • Employee Security: All employees and contractors undergo background checks and receive security awareness training. Access to Personal Data is restricted to authorized personnel only
  • Physical Security: Our infrastructure is hosted in data centers with appropriate physical security controls, including access restrictions, surveillance, and environmental controls
  • Incident Response: We maintain a documented incident response plan that is regularly tested and updated. See Section 19 for details on our data breach notification procedures

While we implement commercially reasonable and industry-standard security measures to protect your data, no method of transmission over the Internet, method of electronic storage, or computer system is completely secure. We cannot guarantee the absolute security of your information. You are responsible for maintaining the confidentiality of your account credentials and for any activity that occurs under your account.

14 Data Retention

We retain your information for as long as necessary to fulfill the purposes for which it was collected, provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are as follows:

  • Account Data (name, email, credentials): Retained for the duration of your active account. Upon account deletion request, account data is deleted within thirty (30) days, except as required for legal compliance or legitimate business purposes.
  • Scan Data and Results: Retained for ninety (90) days by default. Retention periods may be configurable under certain Subscription Plans (e.g., extended retention for Enterprise plans). Users may request early deletion at any time.
  • Payment and Billing Data: Transaction records and invoices are retained for seven (7) years as required by applicable tax, accounting, and financial regulations (including IRS requirements and applicable state tax laws).
  • Usage Logs and Analytics Data: Retained for twelve (12) months for security monitoring, fraud prevention, and analytical purposes. Aggregated, anonymized analytics data may be retained indefinitely.
  • Customer Support Records: Retained for three (3) years after resolution of the support inquiry for quality assurance, training, and legal compliance purposes.
  • Marketing Communication Preferences: Opt-out preferences and consent records are retained for as long as necessary to honor your preferences and demonstrate compliance with applicable laws.
  • Server and Security Logs: Retained for twelve (12) months for security incident investigation, forensics, and compliance purposes.

When the retention period for any category of information expires, we will securely delete or anonymize the information in accordance with our data disposal procedures. In some cases, we may retain certain information for longer periods as required by law, legal proceedings, or to establish, exercise, or defend legal claims.

Data Category               | Retention Period                       | Legal Basis
Account Data (name, email)  | Duration of account + 30 days          | Contractual necessity
Scan Results & Reports      | 90 days (configurable for Enterprise)  | Service delivery
Server Access Logs          | 12 months                              | Security & legal compliance
Audit Logs                  | 12 months                              | Security & compliance
Payment Information         | 7 years (as required by tax law)       | Legal obligation
Cookie Data                 | Per Cookie Policy (varies by cookie)   | Consent / Legitimate interest
Support Correspondence      | 3 years after resolution               | Contractual / Legitimate interest
Authorization Documents     | 12 months from scan date               | Legal defense
Marketing Preferences       | Duration of account                    | Consent compliance

15 Your Rights Under GDPR

If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and equivalent applicable law:

  • Right of Access (Article 15): You have the right to request confirmation as to whether your Personal Data is being processed and, if so, to obtain access to your Personal Data and information about how it is processed, including the purposes, categories of data, recipients, retention periods, and your rights.
  • Right to Rectification (Article 16): You have the right to request the correction of inaccurate Personal Data and the completion of incomplete Personal Data concerning you.
  • Right to Erasure / Right to be Forgotten (Article 17): You have the right to request the deletion of your Personal Data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, when you object to processing, or when the data has been unlawfully processed. This right is subject to certain exceptions, including where retention is necessary for compliance with legal obligations.
  • Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your Personal Data in certain circumstances, such as when you contest the accuracy of the data or when you have objected to processing pending verification of our legitimate grounds.
  • Right to Data Portability (Article 20): You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV) and to transmit that data to another controller without hindrance.
  • Right to Object (Article 21): You have the right to object, on grounds relating to your particular situation, to the processing of your Personal Data based on our legitimate interests. You also have the right to object to the processing of your Personal Data for direct marketing purposes at any time.
  • Right Not to be Subject to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you.
  • Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement if you believe that the processing of your Personal Data violates the GDPR.

To exercise any of these rights, please submit a request to contact@findthebreach.com with the subject line "GDPR Data Subject Request." We will verify your identity before processing your request and will respond without undue delay and, in any event, within one (1) month of receipt. Where a request is complex or we have received a large number of requests, we may extend this period by up to two (2) further months (Article 12(3)); we will inform you of any extension and the reasons for it within the first month.

16 Your Rights Under CCPA/CPRA

If you are a California resident, you have specific privacy rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA). These rights include:

  • Right to Know: You have the right to request that we disclose: (a) the categories of Personal Information we have collected about you; (b) the categories of sources from which the Personal Information was collected; (c) the business or commercial purpose for collecting or selling the Personal Information; (d) the categories of third parties with whom we share Personal Information; and (e) the specific pieces of Personal Information we have collected about you.
  • Right to Delete: You have the right to request the deletion of Personal Information we have collected from you, subject to certain exceptions provided by law (such as information needed to complete transactions, detect security incidents, comply with legal obligations, or for certain internal uses).
  • Right to Correct: You have the right to request the correction of inaccurate Personal Information that we maintain about you.
  • Right to Opt-Out of Sale or Sharing: You have the right to opt out of the sale or sharing of your Personal Information for cross-context behavioral advertising. FindTheBreach does not sell Personal Information and does not share Personal Information for cross-context behavioral advertising purposes.
  • Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of your sensitive personal information. FindTheBreach uses sensitive personal information only for purposes permitted under the CPRA.
  • Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising any of your CCPA/CPRA privacy rights. We will not deny you goods or services, charge you different prices, provide a different level or quality of service, or suggest that you may receive a different price or quality of service as a result of exercising your rights.

Categories of Information. In the preceding twelve (12) months, we have collected the following categories of Personal Information as defined by the CCPA: identifiers (name, email, IP address); commercial information (transaction records, subscription history); internet or other electronic network activity (Usage Data, browsing history); geolocation data (approximate location derived from IP address); and professional or employment-related information (job title, company name).

Exercising Your Rights. To exercise your CCPA/CPRA rights, you may submit a verifiable consumer request by emailing contact@findthebreach.com with the subject line "CCPA Request." You may also designate an authorized agent to make a request on your behalf. We will verify your identity (and your agent's authorization) before processing any request. We will respond to verifiable consumer requests within forty-five (45) days. If we need additional time, we will notify you of the extension (up to an additional 45 days) and the reason for it.

Automated Decision-Making Technology (ADMT)

Effective January 1, 2026, FindTheBreach provides the following disclosures regarding its use of Automated Decision-Making Technology (ADMT), as required by the updated regulations issued under the California Consumer Privacy Act (CCPA):

  • AI Security Copilot: Uses automated analysis to provide vulnerability remediation suggestions. This feature does not make decisions that produce legal or similarly significant effects on individuals.
  • Threat Intelligence Scoring: Automated risk scoring (Real Risk Score) combines CVSS, EPSS, CISA KEV, and asset criticality data. Scores are advisory and require human review before action.
  • Vulnerability Auto-Categorization: Automated classification of findings by OWASP/compliance framework. Results are informational and do not restrict access to services.

Your ADMT Rights (Effective January 1, 2027): Under the CCPA as amended, California residents have the following rights regarding automated decision-making technology:

  • Right to Opt Out: You may opt out of the use of ADMT for decisions that produce legal or similarly significant effects on you. To exercise this right, contact privacy@findthebreach.com or use the preference controls in your Account Settings.
  • Right to Information: You may request information about our use of ADMT, including the logic involved, the intended output, and the categories of personal information processed.
  • Right to Human Review: You may request human review of any decision made with substantial reliance on ADMT where such decision produces legal or similarly significant effects.

Note: FindTheBreach's AI/ML features (AI Security Copilot, Threat Intelligence Scoring, Vulnerability Auto-Categorization) are advisory tools designed to assist human security professionals. They do not autonomously make decisions that produce legal or similarly significant effects on individuals without human oversight.

Cybersecurity Audits & Risk Assessments. In compliance with the 2025 CCPA regulations on cybersecurity audits and risk assessments, FindTheBreach conducts regular cybersecurity audits and maintains detailed risk assessments covering all processing activities that present significant privacy or security risks. Summaries of these assessments will be made available to the California Privacy Protection Agency (CPPA) as required by applicable regulations. Our cybersecurity program is designed to meet or exceed the technical and organizational requirements specified in the CCPA cybersecurity audit rules.

Compliance Timeline. In accordance with the CCPA 2025 final regulations: (a) risk assessments for high-risk processing activities became effective January 1, 2026; (b) automated decision-making technology (ADMT) consumer rights provisions become enforceable January 1, 2027; and (c) cybersecurity audit certifications must be submitted to the CPPA by April 1, 2028 (businesses with gross revenue over $100 million), April 1, 2029 ($50M–$100M), or April 1, 2030 (under $50M), with annual submissions required by April 1 of each following year. Risk assessment attestations and summaries must be submitted to the CPPA by April 1, 2028, with subsequent submissions by April 1 of the year following each assessment. FindTheBreach maintains documentation of all risk assessments and cybersecurity audit results as required.

17 Washington State Privacy Compliance

As a company headquartered in Bothell, Washington (King County), FindTheBreach is committed to compliance with the Washington My Health My Data Act and other applicable Washington state privacy and data protection laws.

Under applicable Washington state law, you may have rights including:

  • The right to know whether your personal data is being collected and processed
  • The right to access your personal data
  • The right to correct inaccurate personal data
  • The right to delete your personal data
  • The right to data portability in a commonly used format
  • The right to opt out of targeted advertising, sale of personal data, and certain profiling activities

Washington My Health My Data Act (RCW 19.373). As a Washington State entity, FindTheBreach complies with the My Health My Data Act. FindTheBreach does not collect, share, or sell consumer health data as defined under the Act, and the Service is not designed to process health data. If health-related information is nonetheless present in Scan Data (for example, because a Customer scans healthcare infrastructure), it is treated with the same protections as all other Scan Data under this Policy, is not used, shared, or sold for any purpose beyond providing the Service, and is handled in accordance with the Act and any applicable HIPAA requirements.

To exercise your rights under Washington state privacy law, please contact us at contact@findthebreach.com (or privacy@findthebreach.com) with the subject line "Washington Privacy Request." We will respond to your request within the timeframe required by applicable law.

18 Additional State Privacy Rights

In addition to California (CCPA/CPRA) and Washington, residents of the following states have specific privacy rights under their respective state laws:

  • Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA): Right to access, correct, delete, and port your data. Right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. Right to appeal a denied request. We will respond within 45 days in all three states, extendable by 45 additional days with notice.
  • Texas (TDPSA), Oregon (OCPA), Montana (MCDPA): Similar rights to access, delete, correct, and obtain a portable copy of your data. Opt-out rights for sale of personal data and targeted advertising. Response within 45 days (extendable by 45 days with notice).
  • Delaware (DPDPA), Iowa, Indiana, Tennessee: Right to access, correct, delete, and opt out of targeted advertising. Varying response windows from 45 to 90 days depending on jurisdiction.
  • New Jersey, New Hampshire, Nebraska, Maryland, Minnesota: Comprehensive privacy laws that took effect during 2025, providing access, deletion, correction, portability, and opt-out rights.
  • Kentucky (KCDPA, effective January 1, 2026), Rhode Island (RICDPA, effective January 1, 2026): Right to access, correct, delete, and obtain a portable copy of personal data. Right to opt out of targeted advertising and the sale of personal data. We will respond within 45 days (extendable by 45 additional days with notice).

Universal Opt-Out Mechanisms: FindTheBreach honors recognized universal opt-out preference signals (such as the Global Privacy Control, or GPC) as required by applicable state laws. When we detect such a signal, we treat it as a valid request to opt out of the sale or sharing of Personal Information.

To exercise any state-specific privacy rights, contact privacy@findthebreach.com. We will respond within the timeframe required by your state's law (typically 30-45 days). You may also designate an authorized agent to make requests on your behalf.

Additional International Privacy Rights

In addition to GDPR (covered separately at /gdpr), residents of the following countries have specific privacy rights:

  • India (Digital Personal Data Protection Act 2023): If you are a resident of India, you have the right to access, correct, and erase your personal data. You may nominate a representative to exercise your rights. We process data based on consent or legitimate purposes as defined under the DPDP Act. To exercise your rights, contact privacy@findthebreach.com.
  • Brazil (Lei Geral de Proteção de Dados — LGPD): If you are a resident of Brazil, you have rights including confirmation of processing, access, correction, anonymization, portability, deletion, and information about shared data. Our legal bases include consent, contractual necessity, and legitimate interest under LGPD Articles 7 and 11. The Brazilian National Data Protection Authority (ANPD) may be contacted at www.gov.br/anpd.
  • Canada (PIPEDA): If you are a resident of Canada, you have the right to access your personal information, challenge its accuracy, and withdraw consent. We process personal information in accordance with PIPEDA's ten fair information principles. You may file a complaint with the Office of the Privacy Commissioner of Canada (OPC).
  • Australia (Privacy Act 1988 / APPs): If you are a resident of Australia, your personal information is handled in accordance with the Australian Privacy Principles (APPs). You have the right to access and correct your personal information and to make a complaint to the Office of the Australian Information Commissioner (OAIC).

For all international privacy requests, contact privacy@findthebreach.com with the subject line "International Privacy Request" and your country of residence.

Data Subject Request Response Timeline

FindTheBreach will respond to verified data subject requests within the following timeframes, as required by applicable law:

Jurisdiction / Law                        | Initial Response                                                                          | Extension
GDPR (EU/EEA/UK)                          | Within one (1) month of receipt                                                           | Extendable by two (2) further months for complex or numerous requests (Art. 12(3))
CCPA/CPRA (California)                    | Within forty-five (45) calendar days                                                      | Extendable by an additional forty-five (45) days with notice
US State Laws (VA, CO, CT, TX, OR, DE, IA, IN, TN, MT, NE, NH, NJ, MD, MN, KY, RI) | Within forty-five (45) calendar days                         | Extendable by up to forty-five (45) days with notice, as permitted by applicable state law
Washington (My Health My Data Act)        | Within forty-five (45) calendar days                                                      | Extendable by forty-five (45) days with notice
India (DPDP Act 2023)                     | Within the period prescribed by rules under Section 11                                    | As specified by applicable rules
Brazil (LGPD)                             | Immediately in simplified form, or within fifteen (15) days as a complete declaration (Art. 19) | As permitted by ANPD rules (Art. 19)
Canada (PIPEDA)                           | Within thirty (30) days of receipt                                                        | Extendable by up to thirty (30) days with notice (s. 8(4))
Australia (Privacy Act)                   | Within thirty (30) days of receipt                                                        | As permitted by the OAIC

Where we require additional time to respond to a request, we will notify you of the extension and the reasons therefor within the initial response period. All timelines begin from the date we receive a verified, complete request.

To submit a data subject request, contact privacy@findthebreach.com with the subject line "Data Subject Request" and your country/state of residence.

19 Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals to the websites and online services that a user visits. There is currently no universally accepted standard for how companies should respond to DNT signals. At this time, FindTheBreach does not respond to DNT signals transmitted by web browsers. However, we do not engage in cross-site tracking of our Users, and we do not sell Personal Information or share it for cross-context behavioral advertising purposes.

FindTheBreach honors the Global Privacy Control (GPC) signal as a valid opt-out request under the CCPA/CPRA for California residents. If we detect a GPC signal from your browser, we will treat it as a request to opt out of the sale or sharing of Personal Information associated with that browser.
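The two preceding paragraphs, together with the Universal Opt-Out Mechanisms paragraph in Section 18, describe a concrete server-side behavior: a request carrying a Global Privacy Control signal is treated as an opt-out, while a Do Not Track signal is recorded but not acted on. The following is an added example of how a web backend would implement that check; it is not FindTheBreach's own code. It assumes the signal as defined by the GPC specification (the request header `Sec-GPC` whose only defined opt-out value is the exact string `1`) and the `/.well-known/gpc.json` resource that tells clients GPC is honored. The `lastUpdate` date and the sample request headers are constructed for illustration.

```python
"""Server-side handling of Global Privacy Control (GPC) and Do Not Track (DNT).

Added example, not FindTheBreach's own code. Assumes the standard GPC signal:
the HTTP request header `Sec-GPC: 1` (the only opt-out value the GPC
specification defines) and the JSON resource served at /.well-known/gpc.json.
"""
import json
from typing import Dict, Mapping, Optional


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP field names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return None


def gpc_opt_out(headers: Mapping[str, str]) -> bool:
    """True when the request carries a valid GPC opt-out signal.

    Only the exact value "1" is a signal. "0", "true", an empty header or a
    missing header are not treated as an opt-out, so a mis-set header cannot
    silently flip a user's preference either way.
    """
    return _header(headers, "Sec-GPC") == "1"


def dnt_opt_out(headers: Mapping[str, str]) -> bool:
    """Mirror the stated policy position: DNT is read but never acted on."""
    return False


def opt_out_decision(headers: Mapping[str, str]) -> Dict[str, bool]:
    """Decision to record against the browser/session that sent the request.

    Keeping `gpc_received` / `dnt_received` separate from the decision gives
    an audit trail showing which signal, if any, drove the opt-out.
    """
    return {
        "gpc_received": _header(headers, "Sec-GPC") is not None,
        "dnt_received": _header(headers, "DNT") is not None,
        "opt_out_of_sale_or_sharing": gpc_opt_out(headers) or dnt_opt_out(headers),
    }


def gpc_well_known(last_update: str = "2026-03-08") -> str:
    """Body for GET /.well-known/gpc.json announcing that GPC is honored.

    `last_update` is an assumed value (ISO date the declaration last changed).
    """
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = {
        "gpc set":        {"Host": "findthebreach.com", "Sec-GPC": "1"},
        "gpc lowercase":  {"host": "findthebreach.com", "sec-gpc": "1"},
        "gpc wrong value": {"Host": "findthebreach.com", "Sec-GPC": "0"},
        "dnt only":       {"Host": "findthebreach.com", "DNT": "1"},
    }
    for label, hdrs in samples.items():
        print(f"{label:16s} -> {opt_out_decision(hdrs)}")
    print(gpc_well_known())
```

The decision function should run on the first request of a session and the result be persisted with the session or account, since a user who later turns GPC off has not thereby withdrawn the opt-out already recorded.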

20 Children's Privacy (COPPA)

The Service is not intended for, directed at, or designed to attract individuals under the age of eighteen (18). FindTheBreach does not knowingly collect, solicit, or maintain Personal Information from anyone under the age of eighteen (18). The Service involves professional cybersecurity tools that are intended exclusively for use by adults in professional and business contexts.

In compliance with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. 6501-6506, we do not knowingly collect Personal Information from children under the age of thirteen (13). If we become aware that we have collected Personal Information from a child under the age of thirteen (13), we will take immediate steps to delete such information from our servers and records. If you believe that we may have inadvertently collected Personal Information from a child under thirteen (13), please contact us immediately at contact@findthebreach.com so that we can take appropriate action.

21 Data Breach Notification Procedures

FindTheBreach maintains a comprehensive incident response plan and data breach notification procedure. In the event of a confirmed data breach involving Personal Information or Scan Data, we will:

  • Detection and Containment: Upon detection of a suspected data breach, our security team will immediately initiate containment measures to limit the scope and impact of the breach, preserve evidence for forensic investigation, and prevent further unauthorized access.
  • Investigation: We will conduct a thorough investigation to determine the nature, scope, and cause of the breach, identify the categories and approximate number of affected individuals, and assess the potential risk of harm to affected individuals.
  • Notification to Affected Individuals: We will notify affected individuals without undue delay and, in any event, no later than seventy-two (72) hours after becoming aware of the breach (or as otherwise required by applicable law). Notification will include: a description of the nature of the breach; the categories and approximate number of data records concerned; the name and contact details of our privacy contact; a description of the likely consequences of the breach; and a description of the measures taken or proposed to address the breach and mitigate its effects.
  • Notification to Supervisory Authorities: Where required by the GDPR (Article 33), we will notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of natural persons.
  • Notification to State Authorities: We will comply with all applicable state data breach notification laws, including the Washington State data breach notification law (RCW 19.255.010) and the California data breach notification law (Cal. Civ. Code 1798.82), within the timeframes required by such laws.
  • Remediation: We will take all necessary steps to remediate the breach, implement measures to prevent similar incidents in the future, and update our security practices as appropriate. We will provide affected individuals with guidance on steps they can take to protect themselves.

22 Links to Third-Party Websites

The Service may contain links to third-party websites, services, or applications that are not owned or controlled by FindTheBreach. These links are provided for your convenience and informational purposes only. FindTheBreach has no control over, and assumes no responsibility for, the content, privacy policies, practices, or security of any third-party websites or services.

We strongly encourage you to review the privacy policy and terms of service of every third-party website or service that you visit or interact with. FindTheBreach shall not be liable for any damages or losses arising from your use of or reliance on any third-party website, service, or application. The inclusion of a link to a third-party website does not imply endorsement, sponsorship, or recommendation by FindTheBreach.

23 Changes to Privacy Policy

FindTheBreach reserves the right to update, modify, or replace this Privacy Policy at any time in its sole discretion. When we make changes, we will update the "Last Updated" date at the top of this Policy.

If we make material changes to how we treat your Personal Information, we will notify you by one or more of the following methods: (a) posting a prominent notice on the Service; (b) sending an email to the address associated with your Account; or (c) providing an in-app notification. Material changes include, but are not limited to, changes to the categories of Personal Information collected, changes to the purposes for which Personal Information is used, changes to the categories of third parties with whom Personal Information is shared, and changes to data retention periods.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of the Service after any changes to this Policy constitutes your acceptance of the updated Policy. If you do not agree with the updated Policy, you must discontinue your use of the Service and close your Account.

Previous versions of this Privacy Policy are available upon request by contacting contact@findthebreach.com.

24 Data Protection Officer / Privacy Contact

FindTheBreach has designated a Privacy Contact responsible for overseeing compliance with this Privacy Policy and applicable data protection laws. The Privacy Contact is responsible for:

  • Receiving and responding to data subject access requests (DSARs) under GDPR, CCPA/CPRA, and other applicable laws
  • Overseeing the implementation and maintenance of data protection policies and procedures
  • Conducting data protection impact assessments (DPIAs) for high-risk processing activities
  • Serving as the point of contact for data protection supervisory authorities
  • Monitoring compliance with internal data protection policies and applicable laws
  • Managing data breach response and notification procedures

You may contact the Privacy Contact for any privacy-related inquiries, concerns, or requests at:

FindTheBreach Privacy Contact

Email: contact@findthebreach.com

Subject Line: "Privacy Inquiry"

FindTheBreach

Bothell, Washington 98011, United States

EU Representative (GDPR Art. 27): As a US-based company processing EU personal data, we are in the process of designating an EU representative pursuant to Article 27 of the GDPR. Until formal appointment, all inquiries from EU data subjects may be directed to our Privacy Contact at privacy@findthebreach.com. For full details, see our GDPR Compliance page.

25 How to Contact Us

If you have any questions, concerns, complaints, or requests regarding this Privacy Policy, our data practices, or your Personal Information, please contact us using the information below:

FindTheBreach

Bothell, Washington 98011, United States

Email: contact@findthebreach.com

Website: findthebreach.com

When contacting us regarding a privacy matter, please include the following information to help us process your request efficiently: your full name, the email address associated with your FindTheBreach Account (if applicable), a detailed description of your request or concern, and the specific right you wish to exercise (if applicable). We will acknowledge receipt of your request within five (5) business days and provide a substantive response within the timeframe required by applicable law.

If you are not satisfied with our response to your privacy concern, you may have the right to lodge a complaint with the applicable data protection supervisory authority in your jurisdiction.

26 Effective Date

This Privacy Policy is effective as of February 1, 2026. This Policy applies to all Users who access or use the Service on or after the effective date. For Users who accessed the Service prior to the effective date, your continued use of the Service after the effective date constitutes your acceptance of this Privacy Policy.

This Privacy Policy shall remain in effect until updated or replaced by a revised policy. In the event of a conflict between this Privacy Policy and any other agreement between you and FindTheBreach, the terms of such other agreement shall control to the extent of the conflict with respect to data protection matters.