Privacy Notice

Last updated: 19th June 2026

This Privacy Notice explains how ScanMyPassword collects and uses personal data when you use ScanMyPassword.com and our breach-checking and monitoring service.

ScanMyPassword helps users check whether email addresses have appeared in known data breaches, understand what to do next, and monitor for future breach alerts.

1. Who we are

ScanMyPassword is the controller of the personal data described in this notice.

Trading name: ScanMyPassword
Website: ScanMyPassword.com

We are based in the United Kingdom.

2. Who can use the service

ScanMyPassword is intended for users aged 18 or over.

You may use ScanMyPassword to check and monitor your own email addresses. You may also monitor email addresses belonging to family members or friends, but only if you have their permission.

You must not check or monitor someone else’s email address without authorisation.

3. What personal data we collect

We may collect and use:

  • your email address;
  • email addresses you submit for breach checking or monitoring;
  • breach-checking results;
  • breach names, dates, descriptions, affected data types, and alert history;
  • remediation guidance shown to you;
  • account and subscription status;
  • limited payment and billing information from Stripe;
  • service email records;
  • support messages if you contact us;
  • website, cookie, analytics, and advertising data.

We do not ask you to enter your passwords into ScanMyPassword for breach checking, and we do not store your passwords for breach checking.

Payments are handled by Stripe. We do not store your full card details.

4. How we use personal data

We use personal data to:

  • provide breach checks;
  • monitor email addresses for future breaches;
  • show breach results in your account;
  • send breach alerts and subscription-related service emails;
  • manage subscriptions, renewals, cancellations, and account deletion;
  • provide support;
  • protect the service from fraud, abuse, and unauthorised use;
  • understand how people use the website and product;
  • measure website and advertising performance;
  • comply with legal, tax, accounting, and regulatory obligations.

We do not currently send marketing emails.

5. Our lawful bases

We use personal data where needed to provide the service you have requested, manage your subscription, comply with legal obligations, protect our service, or where you have given consent.

  • account, breach-checking, monitoring, alerts, and subscription data are used to provide the service;
  • payment and accounting records are kept where required for legal, tax, or accounting reasons;
  • security and abuse-prevention data may be used for our legitimate interests;
  • optional analytics and advertising cookies, including PostHog and Meta Pixel, are used only where you have consented.

6. Cookies and analytics

We use essential cookies to make the website and account features work.

We also use PostHog for product analytics and Meta Pixel for advertising measurement. These are optional and are only used where you have consented through our cookie banner or cookie settings.

You can change or withdraw your cookie consent at any time through our cookie settings.

For more information, see our Cookie Policy.

7. Who we share data with

We use trusted service providers to operate ScanMyPassword, including:

  • Vercel for website hosting and deployment;
  • Supabase for database and backend services;
  • Stripe for payments and subscriptions;
  • Resend for service emails;
  • Have I Been Pwned for breach data checks;
  • PostHog for analytics;
  • Meta for pixel and advertising measurement.

We may also share data where required by law, with regulators or authorities, with professional advisers, or if needed to protect our legal rights.

We do not sell your personal data.

8. International transfers

Some of our providers may process personal data outside the United Kingdom.

Where this happens, we rely on appropriate safeguards or transfer mechanisms required by data protection law.

9. How long we keep data

We keep personal data only for as long as we need it.

If your account is active, we keep your account, monitoring, and breach-result data so we can provide the service.

If you cancel your subscription through Stripe, we may keep your account data for up to 12 months after cancellation for account recovery, support, billing administration, fraud prevention, security, and legal compliance.

If you delete your account through your account settings, we aim to delete your personal data within 24 hours. Breach monitoring and service alerts linked to your account will stop.

We may keep limited records where required or permitted for legal, tax, accounting, fraud-prevention, security, or dispute-resolution purposes.

Security and operational logs may be kept for up to 12 months, unless a longer period is needed to investigate fraud, abuse, security incidents, or legal claims.

10. Security

We take reasonable steps to protect personal data, including using HTTPS, limiting access to personal data, using multi-factor authentication for internal access where available, and working with providers that offer security controls.

No online service can guarantee complete security.

11. Your rights

Depending on where you live and the circumstances, you may have rights to:

  • access your personal data;
  • correct inaccurate data;
  • delete your data;
  • restrict or object to certain uses of your data;
  • receive a copy of your data;
  • withdraw consent where we rely on consent;
  • complain to a data protection authority.

To make a request, contact us at support@scanmypassword.com.

If you are in the UK, you can also complain to the Information Commissioner’s Office at ico.org.uk.

12. Changes to this notice

We may update this Privacy Notice from time to time. The latest version will be available on ScanMyPassword.com.