Privacy Policy
1. Introduction
The protection of personal data is important to us, Identeco GmbH & Co. KG. In this privacy policy, we provide information about which personal data we collect in the context of the use of the Leak Inspector and related risk analysis products, how we use it, and what rights you have in relation to your data.
2. Responsibility
The party responsible for the processing of personal data in the context of the use of the Leak Inspector is:
Identeco GmbH & Co. KG
Joachimstraße 8
53113 Bonn, Germany
Email: support@leak-inspector.de
Phone: +49 (0) 228 286 285 81
3. Collected Data and Its Usage
3.1 Usage of the Leak Inspector
In the context of using the Leak Inspector, we collect the following personal data:
- Master Data: Email address, IP address, hostname.
- Technical Data: IP address, hostname, browser type, operating system, date, and time of access.
- Access Data: Information regarding access to the personal risk analysis, including the time and validity period of the request as well as a unique report ID.
3.2 Origin and Usage of Leak Data Used for the Analysis
As part of the analysis by the Leak Inspector and other risk analysis products, we process personal leak data that originates from the following sources:
- Publicly Accessible Places on the Internet: Leak data that has been made publicly accessible due to security incidents on the internet, such as in the Darknet or Deep Web.
- Leak Data from Third Parties: Leak data provided to us free of charge by third parties who have lawfully collected this information.
We would like to point out that we do not generate or acquire this data ourselves, but exclusively access information already published on the internet that has been made available in relevant databases, forums, or similar sources.
Processed Data Categories:
- Leaked Login Data: Email addresses, usernames, passwords, telephone numbers and other access data that have been made publicly accessible due to security incidents.
- Domain-Related Data: Information affecting a domain that cannot be directly associated with a person.
Usage of Leak Data in Risk Analysis Products:
- Leak Inspector: The collected leak data is stored anonymously and used to conduct an individual risk analysis. The user gains access to an analysis of potential risks if a corresponding request is made via the Leak Inspector or on behalf of an organization.
- Domain-Based Risk Analysis: Analyses conducted based on the domain of email addresses to create a situational overview for companies or organizations, without direct association with a person.
- Risk Analysis of Portal and Company Accounts: Risk analyses to ensure account security can be carried out on behalf of authorized organizations.
Anonymization and Protection of Data:
All collected data is stored anonymously by us and treated with strict confidentiality. Access to this data by unauthorized third parties is excluded. The data is processed exclusively for the purpose of providing users or organizations with a well-founded risk analysis and ensuring account security.
3.3 Interactive Features in the Leak Inspector
The Leak Inspector offers users various interactive features to evaluate and manage analysis results. For example, it is possible to mark leaks as resolved or assess their relevance. This data is processed to provide these functionalities and to ensure that the selected preferences are considered in future requests. Assessments also help us continuously improve the quality of our services for all users, including other customers and organizations.
Storage Duration and Deletion Options:
The assessments and markings made are stored to provide a personalized user experience and to continuously improve our service. Assessments and completion statuses can be independently changed or removed. The corresponding function is available in the Leak Inspector.
In the case of a risk analysis commissioned by an organization, anonymized evaluations of the status of marked leaks and the relevance assessments of the results are provided to the responsible party within the organization. Personal data, such as login or password information, is not shared.
3.4 Processing in Commissioned Risk Analyses by Organizations
If the Leak Inspector is used as part of a risk analysis commissioned by an organization, the following additional data is collected and processed:
- Feedback ID: This ID is stored in the access token and is used to report the status of the delivery, receipt, and access to the personal risk analysis, as well as the extent of performed leak evaluations and markings, to the responsible party of the commissioning organization.
It is explicitly noted that the Feedback ID is only introduced and used in the context of commissioned risk analyses by organizations. There is no access to personal leak data, particularly login or password data. When the Leak Inspector is used by an individual, no Feedback ID is generated or processed.
3.5 Web Analysis with Matomo
We use Matomo, an open-source software for the statistical evaluation of visitor access. Matomo is hosted locally on our servers, so no data is passed on to third parties. The following data is collected for analysis purposes:
- Anonymized IP Address: The IP address is anonymized before it is stored, so no conclusions can be drawn about individual users.
- Usage Data: Information about the usage behavior on the website, including the pages visited, duration of stay, source of access (e.g., referrer), and device and browser information used.
The data processing by Matomo is based on our legitimate interest in optimizing and analyzing our web offering in accordance with Art. 6 para. 1 lit. f GDPR.
To ensure the functionality of the opt-out feature, we set a cookie named MATOMO_SESSID. It stores a random session ID, serves exclusively to prevent CSRF attacks, and expires after 14 days. No personal data is stored in this cookie.
In addition, we use a persistent local storage entry named flutter.matomo_opt_out to save your opt-out status. Both mechanisms are technically necessary.
3.6 User Account and Authentication
To use additional features, users may register a personal account. We process the following data:
- Registration data: Email address, hashed password, timestamps of registration with the service, user agent and IP address.
- Usage Data: Interactions, timestamps of interactions with the service, user agents and IP addresses.
- Authentication data: A token stored in the browser’s local storage. This token contains no passwords.
- Purpose of processing: To provide user-specific access to the Leak Inspector, secure authentication, and personalized results.
- Storage duration: Data is retained as long as the account exists and as needed to provide the service. Upon account deletion, all related data will be removed shortly after unless legal retention obligations require otherwise.
3.7 Local Storage
We use the browser’s local storage to store the following data, which remains only on the user’s device:
- flutter.matomo_opt_out: Stores the Matomo opt-out setting. Persistent and technically required.
- sb-localhost-auth-token: Stores the authentication token for logged-in users. Set at login, removed on logout. Persistent and technically required.
These entries are essential to provide core functionality without relying on cookies or external tracking services.
4. Purpose of Data Processing
We process personal data for the following purposes:
- Provision of the Leak Inspector: To enable the use of the Leak Inspector, including the display, management, and personalization of analysis results and evaluations.
- User registration and account access: For authentication and delivery of personalized features (e.g. exposure alerts).
- Web Analysis: To analyze user behavior on our website and optimize our offerings using Matomo.
- Ensuring Security: To prevent misuse of the service and ensure the security of processing.
- Service Improvement: We use aggregated and anonymized leak evaluations to continuously improve the quality of our service offerings.
- Processing on Behalf of Organizations: If the analysis is conducted in the context of a risk analysis commissioned by an organization, we process personal data to inform the responsible party about the status and extent of the evaluations. Personal leak data, especially login or password data, is neither shared nor accessed.
5. Legal Basis for Data Processing
The processing of personal data is based on the following legal grounds:
- Consent (Art. 6(1)(a) GDPR): When you voluntarily create a user account.
- Contract Performance (Art. 6(1)(b) GDPR): Processing is necessary to fulfill contractual obligations in the context of using the Leak Inspector.
- Legitimate Interests (Art. 6(1)(f) GDPR): Processing is necessary to ensure the security and functionality of the service, prevent misuse, analyze the use of our services, and improve user-friendliness. Additionally, we use aggregated and anonymized leak evaluations to optimize our service offerings without reference to individual users.
6. Processing of Data on Behalf of Organizations
When the Leak Inspector is used as part of a risk analysis commissioned by an organization, data processing is carried out on behalf of the commissioning company:
- Responsibility: The commissioning organization is independently responsible for complying with data protection laws in the context of the analysis.
- Order Processing: We process the data according to the instructions of the commissioning organization and within the framework of contractual agreements.
7. Disclosure and Transfer of Data
Personal data is only disclosed to third parties if it is necessary to fulfill our contractual obligations, if we are legally obligated to do so, or if consent has been provided.
- Service Providers: To provide the Leak Inspector, we use external service providers, described in 7.2, who act on our behalf.
- Legal Obligations: In the event of legal obligations, data may be disclosed to authorities or other governmental bodies.
7.2 External Service Providers
7.2.1 Hosting
We host our services with Hetzner. The provider is Hetzner Online GmbH (hereinafter referred to as Hetzner):
Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Deutschland/Germany
E-Mail: info@hetzner.com
For details, please refer to Hetzner’s privacy policy: https://www.hetzner.com/legal/privacy-policy.
Data Processing Agreement: We have entered into a Data Processing Agreement (DPA) with Hetzner. This is a contract required by data protection laws, ensuring that Hetzner processes the personal data of our visitors only in accordance with our instructions and in compliance with the GDPR.
8. Duration of Data Storage
Personal data is only stored for as long as necessary to fulfill the purposes for which it was collected or as long as we are legally required to retain it.
- Risk Reports: Data related to risk reports is stored for the duration of access validity and then deleted in accordance with legal retention periods.
- Evaluations and Markings: Leak evaluations and markings made in the Leak Inspector are stored so they can be presented during future requests. Leak evaluations and markings can be independently changed or removed.
- Anonymized and Aggregated Data: Anonymized and aggregated data used for service improvement are not subject to a fixed storage period, as they do not contain personal information. These data can be stored and used as long as they are relevant for optimizing our service offerings.
9. Data Subject Rights
The following rights apply to personal data in accordance with legal provisions:
- Access: Data subjects have the right to obtain information about the personal data we process.
- Rectification: Data subjects can request the correction of incorrect or incomplete data.
- Deletion: Data subjects have the right to request the deletion of their data, where legally permissible.
- Restriction of Processing: Data subjects can request the restriction of the processing of their data.
- Objection: Data subjects can object to the processing of their data if the processing is based on legitimate interests.
- Data Portability: Data subjects have the right to receive their data in a structured, commonly used, and machine-readable format or to request the transfer to another responsible party.
10. Security Measures
We implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, or misuse. These include:
- Encryption of Data Transmission: Accesses and transmissions are conducted via secure connections (SSL/TLS).
- Access via Secure Link: Analysis results are accessible through a one-time, secure link.
- No Storage of Email Addresses: Your email address is only used to generate and send the link and is deleted afterward.
- Dynamic Report Generation: The risk report is generated only when the link is accessed to minimize data storage.
- ID-Based Management: Evaluations and preferences are managed via a unique ID, allowing us to avoid the permanent storage of your email address.
The Leak Inspector can be used without creating an account. The following additional security measures apply to registered user accounts:
- Secure authentication: Authentication tokens are stored only temporarily on the device and deleted upon logout.
- Two-Factor Authentication (2FA): We encourage users to enable 2FA to enhance account protection.
- Account deletion due to inactivity: Accounts may be deleted after prolonged inactivity. A notification will be sent in advance.
- Protection from unauthorized access: Failed login attempts are monitored, and access may be temporarily locked after multiple failed attempts.
11. Changes to this Privacy Policy
We reserve the right to amend this privacy policy to reflect changes in legal requirements or in the service and data processing. The current version is always available on our website.
12. Contact
For questions, comments, or to exercise your rights as a data subject in relation to your personal data, please contact:
Identeco GmbH & Co. KG
Joachimstraße 8
53113 Bonn
Email: support@leak-inspector.de
Phone: +49 (0) 228 286 285 81