Privacy Policy
Explains what Breached collects, why it is collected, when it is shared with attorneys, retention expectations, state privacy rights, Global Privacy Control, privacy choices, and the no-sale/no-sharing commitment.
Information we collect
- Information you provide in intake forms, such as name, email, phone, ZIP code, case-fit answers, and notes.
- Technical information such as IP-derived security data, user agent, timestamps, pages requested, and abuse-prevention signals.
- Breach-page interaction data needed to operate the service, diagnose errors, and understand aggregate usage.
- Public breach-source information about companies and incidents, not victim lists.
CCPA personal information categories
- Identifiers, such as name, email, phone number, IP-derived security data, and similar contact or device information.
- California Customer Records information, such as contact details submitted through an intake form.
- Internet or network activity, such as requested pages, timestamps, user agent, security logs, and abuse-prevention signals.
- Geolocation approximations, such as ZIP code you provide or coarse location inferred from request metadata for security and legal workflow purposes.
- Professional, preference, or inference information only if you provide it in notes or case-fit answers and only as needed for the intake workflow.
- Please do not submit sensitive personal information through public intake forms. If a case team later needs sensitive details, they will collect them through a secure attorney-controlled process.
Sources of personal information
- You, when you submit an intake form, newsletter signup, privacy request, correction, or other message.
- Your browser or device, through request headers, server logs, security signals, and opt-out preference signals such as Global Privacy Control.
- Public sources, regulators, courts, companies, security researchers, and news sources for company breach information, not victim lists.
- Partner law firms, service providers, or authorized case-support providers when they help operate the specific case process.
Information we avoid collecting
- Do not submit Social Security numbers, full dates of birth, government ID numbers, account passwords, or payment card numbers through public intake forms.
- Breached does not publish lists of individual breach victims by name.
- Sensitive follow-up questions belong with the responsible attorney or a secure partner process, not the public site.
How we use information
- Operate breach search, breach pages, intake forms, abuse prevention, and support workflows.
- Route an intake submission to attorneys or staff evaluating the specific case when you separately consent to sharing and a case team is identified in the intake workflow or selected by name for future evaluation of that same matter.
- Keep an interest or notification submission when no attorney is currently investigating the case through Breached.
- Send transactional messages about your submission or a case you asked about.
- Improve source quality, security, accessibility, and reliability.
- Maintain compliance records, consent records, opt-out records, and audit logs.
Business and commercial purposes
- Provide breach search, breach pages, intake forms, newsletter features, privacy request handling, and support workflows.
- Perform security, fraud prevention, debugging, rate limiting, auditing, deduplication, and compliance recordkeeping.
- Evaluate and route intake submissions for the specific breach matter when you consent, a signed service-provider or equivalent agreement is in place with the receiving partner law firm, and the firm was identified or selected by name in the intake workflow.
- Maintain proof of consent, opt-out signals, policy versions, request verification, and legal compliance records.
- Improve source quality, site reliability, accessibility, and aggregate product operations without selling personal information.
CCPA/CPRA rights
- California residents may request to know, access, correct, delete, or receive a portable copy of personal information, subject to legal exceptions.
- California residents may opt out of sale or sharing for cross-context behavioral advertising. Breached does not sell personal information or share it for cross-context behavioral advertising.
- California residents may limit use or disclosure of sensitive personal information where applicable, although Breached does not use sensitive personal information to infer characteristics.
- Breached will not discriminate against you for exercising privacy rights, but some data may be necessary to provide a requested intake or case-notification workflow.
- Use the verified privacy request form at /privacy/request to submit a request. Breached may ask you to verify control of the email address tied to the request before acting on it.
Other state privacy rights
Residents of states with comprehensive privacy laws may have additional rights depending on residence, legal thresholds, exemptions, and Breached's role for the processing. The State Privacy Rights Notice explains the current multi-state rights workflow, appeal process, and opt-out handling.
Consumer health data
Some breach matters involve health, medical, biometric, reproductive, gender-affirming care, or similar sensitive information. Breached's public intake forms are designed to avoid collecting those details unless a secure attorney-controlled process specifically asks for them. The Consumer Health Data Notice explains the extra rules for Washington, Nevada, and similar health-data regimes.
GDPR and EU/EEA/UK notices
- Breached is a US-focused service operated by Bloc Claims LLC and does not intentionally target EU, EEA, or UK residents unless Breached expressly says otherwise.
- When GDPR or UK GDPR applies, Breached treats Bloc Claims LLC as the controller for the public site, intake storage, newsletter, security, and privacy request workflows, unless a signed partner agreement states that Breached acts as a processor for a law firm.
- Potential legal bases include consent for intake sharing and newsletters; legitimate interests for security, abuse prevention, source quality, and service operations; legal obligation for compliance records; and establishment or defense of legal claims where applicable.
- EU/EEA/UK residents may request access, correction, deletion, restriction, objection, portability, or consent withdrawal through /privacy/request. They may also complain to their local data protection authority.
- Breached does not use intake submissions for solely automated decisions with legal or similarly significant effects.
International transfers
Breached and its core vendors are primarily US-based. If GDPR, UK GDPR, or Swiss data-transfer rules apply to a Breached interaction, Breached relies on an adequacy decision, Standard Contractual Clauses, a UK International Data Transfer Addendum or equivalent safeguard, or another lawful transfer basis where appropriate.
EU representative and DPO
Breached is not currently an EU-targeted service. If Breached later offers EU-targeted activity that requires an Article 27 representative or Data Protection Officer, Breached will publish the required contact information.
Global Privacy Control
Breached treats a recognized Global Privacy Control signal, including the HTTP header Sec-GPC: 1, as an automatic opt-out of sale or sharing for cross-context behavioral advertising. Intake records created with that signal are tagged with the opt-out at write time.
Retention
Breached retains intake and consent records long enough to operate the case workflow, prove consent, comply with legal obligations, resolve disputes, and maintain security. Records are deleted or de-identified when they are no longer needed for those purposes, subject to legal exceptions.
Security
Breached uses administrative, technical, and organizational safeguards intended to protect personal information. No online service can guarantee perfect security, so Breached limits collection to information needed for the stated purposes.
Your choices
- You can ask Breached to stop marketing or case-update messages.
- You can request access, correction, deletion, or a copy of personal information at /privacy/request, subject to legal limits.
- You can withdraw consent for future sharing, though prior case-routing actions may already have occurred.
- State privacy rights may vary based on your residence and Breached's legal thresholds.
Contact
Use /privacy/request for privacy requests, corrections, deletion requests, opt-outs, and consent-withdrawal requests. Include the email address you used for intake and enough detail for Breached to identify the relevant submission. For security concerns, use the privacy contact published by Breached.