Privacy Policy

This draft describes the intended privacy posture. It must be updated to match the final hosting, analytics, payment, and email providers.

Data We Expect to Collect

• Account details such as display name and email address.
• Saved tools, notes, learning progress, and preferences.
• Security and abuse-prevention logs.
• Consent-based breach-check metadata, stored as hashes where practical.

Data We Should Not Collect

We should not collect plaintext passwords, unauthorized breach dumps, private keys, payment data outside approved processors, or unnecessary sensitive personal data.

How Data Is Used

Data is used to run accounts, save workspace state, improve learning content, prevent abuse, and provide consent-based exposure awareness.

Retention

Production systems should define retention periods for account data, logs, breach-check history, deleted accounts, and backups.

Security

Production systems should use HTTPS, encryption at rest where supported, MFA for admins, least-privilege database access, monitoring, backups, and audit logs.

User Rights

Users should be able to request export, correction, or deletion of their account data, subject to security, abuse-prevention, and legal obligations.