1. Information We Collect
We collect information you provide directly:
- Account Information: Email address, name, password (stored as a secure hash, never in plain text)
- Uploaded Data: CSV/XLSX files containing PII submitted for breach validation analysis
- Usage Data: Log data, IP addresses, browser information, pages visited
2. How We Use Your Information
- Validate uploaded PII data against multiple breach databases
- Generate breach validation reports and analysis
- Send service notifications and account communications
- Improve our services and develop new features
- Comply with legal obligations
3. Data Retention
We practice strict data minimization:
- Uploaded files are encrypted immediately upon upload and deleted within 15 minutes (when processing begins)
- If an upload expires before processing starts, the file and any imported data are purged automatically
- PII fields are cleared from processing tables after breach checking completes
- Breach results are keyed by anonymous identifiers (e.g., ENT-00001), not names or email addresses
- Only anonymized breach match results (boolean flags) are retained for reporting
- Account data is retained until you request deletion
4. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of your personal data we hold
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your data ("right to be forgotten")
- Portability: Receive your data in a structured, machine-readable format
- Opt-out: Unsubscribe from non-essential communications
- Restriction: Request that we limit processing of your data
To exercise these rights, contact us at privacy@validatepiiclasses.com.
5. Data Processing Impact Assessment
We have assessed the privacy impact of our processing activities:
- Transient PII: Personal data is held only during the validation window (up to 15 minutes) and deleted immediately after processing
- Boolean-only retention: After processing, only breach match flags (yes/no) are retained — no names, emails, or other identifiers
- Anonymous identifiers: Results are keyed by system-generated IDs (e.g., ENT-00001), not by personal data
- No profiling: We do not build profiles, score individuals, or make automated decisions based on personal data
- Tenant isolation: Each organization's data is stored in a separate database schema with per-project tables and per-tenant encryption keys
6. Security Measures
We employ industry-standard security measures to protect your data:
- TLS 1.2+ encryption for all data in transit (HTTPS, database connections, API calls)
- AES-256-GCM authenticated encryption for uploaded files at rest
- Per-tenant encryption keys for data isolation
- Multi-factor authentication (TOTP, WebAuthn/Passkeys) available for all accounts; MFA enforced for staff
- Brute-force login protection with automatic lockout
- Multi-tenant database isolation (separate schemas per organization)
- Structured audit trail for sensitive operations
- Amazon Inspector container scanning with deploy gating
- HSTS preload for all domains
- Argon2 password hashing (memory-hard algorithm)
7. Third-Party Data Processors
We use the following third-party sub-processors:
- Amazon Web Services (AWS): Cloud infrastructure — compute, database, storage, CDN, and caching. All processing in US East regions.
- Have I Been Pwned (HIBP): Email breach lookup service (Australia).
- DataBreach Inc. (via RapidAPI): Email breach lookup service (United States).
- District 4 Labs: Multi-field breach search service (United States).
- Error monitoring services for platform reliability
For detailed data processing terms, see our Data Processing Agreement.
8. Cookies
We use essential cookies for authentication and session management. We do not currently use advertising or third-party tracking cookies.
9. International Data Transfers
All processing occurs in AWS US East regions (United States). If you access the Service from outside the US, your data will be transferred to and processed in the US. By using the Service, you consent to this transfer.
10. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.
11. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of significant changes via email or through a notice on our website. The 'Last updated' date at the top of this policy indicates the most recent revision.
12. Contact Us
For privacy-related questions or concerns, contact us at: