Privacy Policy
Last Updated: January 2026
1. Introduction
This Privacy Policy is issued by LeakLoop (ABN 79 390 265 966) ("we," "our," or "us").
LeakLoop provides an identity breach monitoring and remediation platform. We help organizations ("Customers") protect their workforce by identifying compromised credentials found in public data breaches.
This Privacy Policy outlines how we collect, use, and safeguard information. Important: If you are an employee of a Customer ("Authorized User" or "Employee"), please note that we process your data solely at the direction of your employer.
2. Distinction: Controller vs. Processor
To clarify our role under laws like the GDPR and Australian Privacy Principles (APP):
- The Customer (Employer): is the Data Controller. They decide whose data is monitored and why. They are responsible for obtaining necessary consents and providing notices to employees.
- LeakLoop: is the Data Processor. We act only on the Customer's instructions to scan for breaches and automate remediation.
3. Information We Collect
A. Information from the Customer (Admin Data)
When a Customer subscribes, we collect:
- Account Details: Name, business email, company name, and billing details (processed via Stripe).
- Authentication Data: Hashed passwords and MFA device tokens (used for securing the Admin account).
B. Employee Data (Monitored Data)
To provide the Service, the Customer provides us with Employee Data, either manually or via integrations (e.g., Google Workspace, Microsoft 365, Slack). This includes:
- Identity Information: Employee email addresses, names, and department/group associations.
- Integration Tokens: Access tokens required to sync user lists or send notifications to your Slack/Teams workspace.
Note: We do not access the content of employee emails (inboxes), private Slack messages, or browsing history. Our scanning is strictly limited to checking email addresses against third-party breach datasets (e.g., Have I Been Pwned).
C. Breach Data
We collect public breach indicators from third-party intelligence providers regarding the monitored emails, such as:
- Source of the breach (e.g., "LinkedIn 2012").
- Data types exposed (e.g., "Password," "IP Address").
We do not store or process the actual unencrypted passwords found in breaches.
4. How We Use Your Information
We use information to:
- Provide the Service: Sync employee lists from your directory and check them against known data breaches.
- Automate Remediation: Send alerts to Admins via dashboard/Slack/Teams and, if configured by the Admin, send remediation instructions directly to Employees via email.
- Security: Protect the integrity of our platform using MFA and audit logging.
- Billing: Process subscription payments.
5. Data Sharing and Disclosure
We do not sell data. We share data only as required to operate the Service:
| Category | Recipient & Purpose | Location |
|---|---|---|
| Breach Intelligence | Have I Been Pwned (HIBP): We submit employee email addresses to the HIBP API to check breach exposure. We do not submit passwords. | Global / USA |
| Infrastructure | Supabase & Vercel: Hosting database and API services. | USA / Global |
| Communications | Resend: To deliver remediation emails to employees. | USA |
| Integrations | Google, Microsoft, Slack: We exchange data with these platforms only when you explicitly connect them to sync users or send alerts. | USA / Global |
International Transfers: By using LeakLoop, you acknowledge that data (including Employee Data) is transferred to and processed in the United States and other jurisdictions where our sub-processors operate. We take reasonable steps to ensure these providers maintain high security standards comparable to the Australian Privacy Principles.
6. Security Measures
We implement defense-in-depth security controls inspired by ISO 27001 principles:
- Encryption: Industry-standard TLS encryption for data in transit (provider-supported); AES-256-GCM for data at rest.
- Access Control: Optional MFA via TOTP authenticator apps (e.g., Google Authenticator, Authy), with backup recovery codes and 30-day trusted device tokens. Role-Based Access Control (RBAC) and Supabase Row-Level Security (RLS) enforce strict data isolation between organizations.
- Security Headers: Strict Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers are enforced across the application.
- Hashing: Sensitive fields (such as passwords) are hashed with bcrypt.
- Audit Logs: Critical actions are logged. PII in logs is redacted or securely hashed.
7. Data Retention
- Customer Data: Retained as long as the subscription is active. Upon cancellation, data is deleted within 60 days unless legally required otherwise.
- Breach History: Historical breach reports are retained to show remediation progress over time.
- Employee Rights: If an Employee requests deletion, the Customer (Admin) must process this request via the LeakLoop dashboard.
8. Your Rights & Options
For Customers (Admins)
You can access, correct, or delete your account data directly via the Settings portal.
For Employees (Monitored Users)
If your email is being monitored by a LeakLoop Customer and you wish to exercise your rights (access, correction, or deletion), please contact your Employer directly. As a Data Processor, we cannot legally fulfill data subject requests without the Controller's authorization.
9. Notice for Healthcare Customers (HIPAA)
If you are a "Covered Entity" under HIPAA (USA), please contact us before using the Service with protected health information. We can provide a Business Associate Agreement (BAA) upon request.
10. Subprocessors
LeakLoop engages the following subprocessors to deliver the Service. Each subprocessor is granted only the minimum permissions (least-privilege scopes) necessary for its function.
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database & Authentication | Account data, employee data, breach metadata, auth tokens | USA |
| Have I Been Pwned (HIBP) | Breach Intelligence | Employee email addresses (plaintext, not hashed) | Global / USA |
| Resend | Transactional Email Delivery | Recipient email addresses, notification content | USA |
| Stripe | Payment Processing | Billing details, subscription status | USA |
| Vercel | Application Hosting & CDN | HTTP request metadata, application logs | USA / Global |
| Google Workspace API | Directory Sync (read-only scopes) | User directory listings (names, email addresses) | USA / Global |
| Microsoft Graph API | Directory Sync (e.g., User.Read.All) | User directory listings (names, email addresses) | USA / Global |
We will provide at least 30 days' advance notice before adding or replacing a subprocessor. If you object to a new subprocessor, you may terminate the Service by providing written notice before the change takes effect. Upon termination, all integration tokens are revoked and Customer data is deleted in accordance with Section 7.
11. Data Processing Addendum (DPA)
This section constitutes a lightweight Data Processing Addendum between the Customer (Controller) and LeakLoop (Processor).
Subject Matter & Duration
LeakLoop processes personal data on behalf of the Customer for the purpose of providing breach monitoring and remediation services. Processing continues for the duration of the Customer's subscription, plus any retention period described in Section 7.
Categories of Data & Data Subjects
- Data Subjects: Customer employees and other individuals whose email addresses are submitted for monitoring.
- Data Categories: Email addresses, names, department/group associations, breach metadata (breach source, data types exposed), and integration tokens.
Processor Obligations
- Confidentiality: All personnel authorised to process personal data are bound by confidentiality obligations.
- Security: We implement the technical and organisational measures described in Section 6 of this Privacy Policy.
- Subprocessors: We engage only the subprocessors listed in Section 10 and provide 30 days' notice of changes.
- Deletion: Upon termination or expiry of the subscription, we will delete all Customer personal data within 60 days, unless retention is required by applicable law.
- Assistance: We will reasonably assist the Customer in responding to data subject access requests and fulfilling obligations under applicable data protection laws.
Breach Notification
In the event of a personal data breach affecting Customer data, LeakLoop will notify the Customer without undue delay (and in any event within 72 hours of becoming aware) and provide sufficient detail for the Customer to meet its own notification obligations under applicable law.
International Transfers
Where personal data is transferred outside the Customer's jurisdiction, LeakLoop relies on the safeguards described in Section 5 (International Transfers) and ensures each subprocessor is bound by equivalent data protection obligations.
12. Contact Us
If you have questions about this Privacy Policy, please contact us at:
- Privacy inquiries: privacy@leakloop.com
- General support: support@leakloop.com