Legal

Privacy Policy

LeakTrace Inc. collects and processes personal information to provide identity exposure monitoring and protection services. This policy describes what we collect, how we use it, and your rights under Canadian and US privacy law.

Effective date: March 2026  ·  Applies to all LeakTrace services

PIPEDA Compliant
CCPA & CPRA Aligned
Data Stays in North America
No Data Sold. Ever.

01 Information We Collect

We collect personal information at various stages of your interaction with LeakTrace. The following describes what we gather and how.

Initial Security Notification (SMS or Email)

  • Contact information — your phone number (for SMS) or email address (for email), sourced from monitored criminal-targeting sources as anchor points.
  • Consent response — when you reply "YES" to our SMS or click the link in our email, we log your consent to proceed with a breach check.

Sign-Up

  • Identification information — full name, phone number, and country (Canada or USA), used to verify your anchor points against breach data.
  • Contact information — email address, used to further tie to your anchor points.
  • Authentication information — password to secure your account.

Breach Check Process

  • With your explicit consent, we process data found in compromised credential databases and criminal-targeting sources tied to your anchor points — full name, email, or phone. This may include identifying information (e.g., date of birth), contact details (e.g., address), financial data (e.g., masked card numbers), and other personal details (e.g., government-issued identifiers). The specific types of information detected vary based on the breach and sources monitored.
  • Our proprietary analysis tools, verified by human analysts, first detect your name, phone, and email as primary consent-based identifiers, then scan multiple sources to correlate additional data points, delivering comprehensive breach reports.

Payment and Monitoring Enrolment

  • Payment information — credit card details processed securely via Stripe for report purchases and ongoing monitoring services. Applicable taxes will be added for Canadian customers based on location; US customers may be subject to tax based on applicable nexus requirements, collected via Stripe.
  • Monitoring consent — confirmation of your opt-in to ongoing monitoring services.

Security Calls (if applicable)

  • Verbal consent — if you consent during a call, we log this consent to proceed with a breach check.

1.1 — Scope of Monitored Data

LeakTrace monitors a range of data points, beginning with anchor points (full name, email address, phone number) cross-referenced with compromised credential databases and criminal-targeting sources. Depending on breach findings, we may identify additional data points including:

  • Digital & Online: Email address, password, IP address, online purchase history, subscription and membership data.
  • Identity Security & Protection: Social Insurance Number (SIN), Social Security Number (SSN), date of birth, phone number, driver's licence number, passport number, Tax Identification Number (TIN), physical address, employment history, government benefits information, security questions and answers, Vehicle Identification Number (VIN).
  • Financial Fraud Alerts & Protection: Credit card number, bank account number, routing number, payment card PINs, financial transaction history, credit score, loan application monitoring.
  • Sensitive Information: Medical records, health insurance information.
  • Additional Monitoring: Phishing attack alerts, data deletion requests.

The availability of these data points depends on breach findings and is not guaranteed. See our Pricing page for the full monitored data list.

02 How We Use Your Information

We use your personal information to provide and improve our services. Specifically:

  • Service Delivery: Our proprietary analysis tools, verified by human analysts, analyse breach data tied to your anchor points to generate breach reports and alerts. We assign confidence scores to prioritise risks and ensure timely alerts.
  • Ongoing Monitoring: If you enrol in our monitoring service, we continuously monitor criminal-targeting sources for new detections linked to your anchor points and notify you promptly.
  • Payment Processing: Facilitate secure transactions through Stripe for report purchases and monitoring subscriptions.
  • Communication: Send security alerts and confirmations via SMS, email, or phone (if consented) based on your anchor points detected in breaches.
  • Compliance and Auditing: Log user actions (e.g., consent, report downloads) to ensure compliance with privacy laws and improve our outreach effectiveness.

2.1 — Data Processing

LeakTrace uses proprietary analysis tools to enhance our services. These tools process data starting with three consent-based identifiers — full name, email address, phone number — to cross-reference with compromised credential databases and criminal-targeting sources, potentially identifying additional data points (e.g., credit card numbers, Social Security Numbers) if present in breaches.

To protect your privacy, all data is anonymised and stripped of personal identifiers before processing. All data — both anchor points and potential findings — is encrypted using AES-256 for data at rest and TLS 1.3 for data in transit, in alignment with our Security Standards.

While we utilise automated tools for initial detection, all critical security reports and breach severity assessments undergo manual review by human security analysts before a client is notified.

03 Cold Outreach Compliance

LeakTrace conducts security notifications in compliance with CASL (Canada) and TCPA/CAN-SPAM (US):

  • We only notify individuals whose consent-based identifiers — full name, phone number, or email — have been detected in monitored criminal-targeting sources.
  • Outreach is conducted as a legitimate consumer protection measure, not for marketing, to alert you to risks tied to your anchor points.
  • Users must opt in via "YES" reply or link click to receive breach checks or ongoing alerts — pre-signup notifications are one-time unless consented.
  • Recipients can opt out at any time by replying "STOP" (SMS), clicking "Unsubscribe" (email), or emailing [email protected].
  • LeakTrace conducts outreach under the "Balance of Interest" and "Public Safety" provisions. Our notifications are classified as non-marketing security alerts designed to prevent imminent financial fraud. We strictly adhere to CASL and TCPA/CAN-SPAM by providing immediate opt-out mechanisms and limiting outreach to individuals with verified data exposure.

04 How We Share Your Information

We limit sharing and disclose information only as follows:

  • Twilio: Processes SMS, email, and call communications using your anchor points for outreach and alerts.
  • Stripe: Processes payment details securely for report purchases and subscriptions.
  • Breach Data Sources: We retrieve data tied to your consent-based identifiers from these sources but do not share your personal information with them.
  • Other Third-Party Tools: We may use additional services (e.g., analytics or hosting providers) to support our operations, bound by strict confidentiality agreements.
  • International Data Transfers: Your data may be transferred between Canada and the US for hosting, analytics, or other operational purposes. We ensure compliance with Canadian and US privacy laws using standard contractual clauses and encryption.
  • Legal Obligations: We may disclose your information if required by law, court order, or law enforcement request.
  • No Selling: We do not sell personal information to third parties.

05 Data Retention

  • Account & Profile Data: Retained until you request deletion — includes anchor points provided at signup (name, email, phone).
  • Breach Reports: Retained for 24 months after generation, then deleted.
  • Payment Information: Retained for 7 years to comply with financial regulations — encrypted and stored separately from breach data.
  • Consent & Logs: Retained for 3 years for legal auditing.

5.1 — User Control and Data Deletion

You have full control over your data. You may request deletion of your information at any time by contacting [email protected]. We will permanently remove your data at your request, except where legally required to retain it.

LeakTrace practises data minimisation. We only retain the specific anchor points necessary to monitor for threats. We do not build permanent profiles on users who have not enrolled in our active monitoring service. Unused or non-consented data is purged from our temporary cache every 30 days.

06 Data Security

We use industry-standard measures to protect your personal information:

  • Encryption: AES-256 for data at rest and TLS 1.3 for data in transit.
  • Breach Notification: If a data breach occurs affecting your account, we will notify affected individuals as soon as feasible via email or SMS.
  • Limitation of Liability: To the fullest extent permitted by law, LeakTrace is not liable for unintended data breaches beyond our reasonable control, provided we act promptly to address such incidents. See Terms of Service Section 10.

07 User Acknowledgment of Security Notifications

By interacting with LeakTrace, users acknowledge:

  • Breach notifications are a consumer security service, not unsolicited marketing, targeting your consent-based identifiers detected in monitored criminal-targeting sources.
  • Users consent to receive security alerts via SMS, email, or phone by replying "YES" or clicking links in outreach — pre-signup notifications are one-time unless opted into ongoing monitoring.
  • LeakTrace retains records of all opt-ins and outreach logs for auditing.
  • Users can opt out at any time by replying "STOP" (SMS), clicking "Unsubscribe" (email), or emailing [email protected].

08 Children's Privacy

Our services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take steps to delete such information promptly. If you believe we have collected information from a child under 13, please contact us at [email protected].

09 California Privacy Rights (CCPA & CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Your Rights
  • Right to Know: You may request disclosure of the categories of personal information we collect, the sources from which we collect it, the purposes for collection, and the categories of third parties with whom we share it. See Sections 1 and 4 for details.
  • Right to Delete: You may request deletion of your personal information by contacting [email protected]. We will delete your data at your request, except where legally required to retain it.
  • Right to Correct: Under the CPRA, you have the right to request correction of inaccurate personal information we hold about you.
  • Right to Limit Use of Sensitive Personal Information: Under the CPRA, you have the right to limit our use and disclosure of sensitive personal information to what is necessary to perform the services you have requested.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA or CPRA rights.

We do not sell personal information as defined under the CCPA/CPRA. To exercise your rights, contact us at [email protected].

10 Canadian Privacy Rights (PIPEDA)

If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):

Your Rights
  • Right to Access: You may request access to the personal information we hold about you.
  • Right to Correct: You may request correction of inaccurate or incomplete personal information.
  • Right to Withdraw Consent: You may withdraw consent for the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions, by contacting [email protected].

To exercise your rights, contact us at [email protected].

11 Cookies & Tracking Technologies

We use cookies and tracking technologies to enhance your experience, manage sessions, and analyse usage — for example, tracking link clicks from outreach emails or website interactions post-signup.

  • Session Cookies: Used to maintain your login session and provide core platform functionality. These are deleted when you close your browser.
  • Analytics Cookies: Used to understand how visitors interact with our website. Data is aggregated and anonymised.
  • Outreach Tracking: We track link clicks and email opens in outreach communications to log consent and measure outreach effectiveness.

You may disable cookies through your browser settings. Disabling session cookies may affect platform functionality. Disabling analytics cookies does not affect your use of the platform.

We do not use cookies for advertising or share cookie data with advertising networks.

12 Evidence Handling

For credibility and audit purposes, we provide verifiable evidence (e.g., anonymised text extracts or logs from the Compliance Audit Trail) post-consent and post-payment. Specific sources are withheld to protect proprietary methods. If requested, we share anonymised examples without visual reproduction of original breach material.

13 Contact Us

For privacy enquiries, reach us at:
