Privacy Policy

Last updated: 19 March 2026

1. Who we are

This service is run by Am I Being Pwned LLC. Email us at hello@amibeingpwned.com with any privacy questions.

Am I Being Pwned? is operated by Am I Being Pwned LLC. References to "we", "us", or "our" in this policy refer to Am I Being Pwned LLC.

If you have any questions about this policy or how we handle your data, contact us at hello@amibeingpwned.com.

2. What data we collect

Free scans: your extension IDs are sent to our server and matched against our database. No name, email, or IP is collected. Accounts: your name and email via Google. Enterprise: a device ID you control plus extension IDs, versions, and declared permissions only. We never touch browsing history, keystrokes, or page content.

We collect only the data necessary to provide our service.

Free one-time scan

When you run a free scan, your browser extension IDs are sent to our server and matched against our threat intelligence database. We retain the list of extension IDs submitted in each scan to help us prioritise which extensions to analyse next. We do not collect your name, email address, IP address, or any other identifying information in connection with a free scan. Extension lists are not associated with any individual user.

Account registration

If you create an account, we collect your email address and name via Google OAuth. We do not store your Google password.

Enterprise fleet monitoring

The managed Chrome extension reports the following data for each enrolled device:

  • A device identifier you control (set by your MDM)
  • Extension IDs, version numbers, and declared permissions

We do not collect browsing history, form data, keystrokes, credentials, or any content from web pages your employees visit.

3. How we use your data

We use your data to run the service and send security alerts (enterprise only). We never sell it or use it for ads.

  • To match extension IDs against our risk intelligence database and generate security reports.
  • To operate, maintain, and improve the service.
  • To send transactional communications such as alert notifications and security findings (enterprise customers only).
  • To comply with legal obligations.

We do not sell your data, use it for advertising, or share it with third parties except as described in section 5.

4. Legal basis for processing (GDPR)

EEA/UK users: we process your data because it's needed to deliver the service you signed up for, to keep the service secure, or because the law requires it.

If you are located in the European Economic Area or United Kingdom, we rely on the following legal bases:

  • Contract - processing your data to provide the service you have requested.
  • Legitimate interests - improving service security and reliability, where those interests are not overridden by your rights.
  • Legal obligation - where we are required to process data by applicable law.

5. Data sharing

We do not sell, rent, or trade your data. It is disclosed in only three situations: to the infrastructure providers running this service (bound by contract to protect it), in response to a valid legal order, or to a successor operator if the business changes hands and the service continues. That's it.

We do not sell, rent, or trade your personal data. We do not share it with advertisers, data brokers, or any third party for their own purposes. The only circumstances in which data is ever disclosed are:

  • Service providers - trusted infrastructure and hosting providers that process data on our behalf to operate the service. They are contractually prohibited from using it for any other purpose.
  • Legal requirements - if we receive a valid legal order requiring disclosure, we will comply. Where permitted by law, we will notify affected users before responding.
  • Continuity of service - if the business is acquired or restructured and the service continues to operate, data may transfer to the new operator solely to keep the service running. Any new operator would be required to honour the commitments in this policy. We will give users advance notice and the option to delete their data before any such transfer takes effect.

6. Data retention

Free scan extension lists are retained to prioritise our analysis pipeline but are never linked to any individual. Account data is kept until you delete your account. Enterprise data is deleted 30 days after your subscription ends.

We retain personal data only as long as necessary to provide the service or as required by law.

  • Free scan extension lists are retained indefinitely in aggregate form to help us prioritise which extensions to analyse. They are never linked to an identifiable user.
  • Account data is retained until you delete your account.
  • Enterprise fleet data is retained for the duration of your subscription plus 30 days, after which it is deleted.

7. Data storage and security

All data is stored in the EU, encrypted in transit and at rest, and only accessible to authorised staff. Found a vulnerability? Email vulnerabilities@amibeingpwned.com.

All data is processed and stored within the European Union. We use industry-standard encryption in transit (TLS 1.2+) and at rest. Access to production systems is restricted to authorised personnel only.

If you believe you have found a security vulnerability in our service, please disclose it responsibly to vulnerabilities@amibeingpwned.com.

8. Cookies and tracking

We only use a session cookie to keep you logged in. No ad cookies, no tracking pixels, no Google Analytics.

We use a session cookie to keep you signed in when you have an account. We do not use advertising cookies or third-party tracking pixels. We do not use Google Analytics or similar services.

9. Your rights

You can access, correct, delete, or export your data at any time. Email us and we'll respond within 30 days. EEA/UK users can also escalate to their local data authority.

Depending on your location you may have the following rights regarding your personal data:

  • Access the data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Object to or restrict certain processing
  • Data portability (where applicable)

To exercise any of these rights, email hello@amibeingpwned.com. We will respond within 30 days.

If you are in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

10. Children

This service is not for anyone under 16. If we accidentally collected a child's data, contact us and we'll delete it immediately.

Our service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, contact us and we will delete it promptly.

11. Changes to this policy

If we make significant changes, we'll update the date at the top and email enterprise customers. Continued use of the service means you accept the updated policy.

We may update this policy from time to time. If we make material changes, we will update the "Last updated" date at the top and, where appropriate, notify enterprise customers by email. Continued use of the service after the effective date constitutes acceptance of the updated policy.