{"meta":{"version":"breached-public-policies-2026-05-07","versionLabel":"2026-05-07","lastUpdated":"May 7, 2026","totalDocuments":13,"footerDocuments":9,"intakeDocuments":8,"notice":"Public policy documents for Breached."},"documents":[{"slug":"terms-of-service","title":"Terms of Service","shortTitle":"Terms","kicker":"User agreement","summary":"The baseline agreement between you and Bloc Claims LLC for using Breached, including informational-use limits, no legal advice, no attorney-client relationship, acceptable behavior, disclaimers, indemnification, Texas governing law, and a mandatory individual arbitration agreement with a class-action waiver venued in Harris County, Texas.","requiredInFooter":true,"requiredForIntake":true,"lastUpdated":"May 7, 2026","sections":[{"heading":"What Breached does","body":"These Terms form a binding legal agreement between you and Bloc Claims LLC, a Texas limited liability company headquartered in Harris County, Texas, doing business as 'Breached' (referred to in these Terms as 'Bloc Claims,' 'Breached,' 'we,' 'our,' or 'us'). Breached publishes summaries of reported data breaches and may offer an intake workflow that lets affected people ask to be contacted about potential class-action evaluation. Breached is an information and intake service, not a law firm. Some intake pages have no attorney or law firm currently investigating through Breached; in that state, your submission is an interest and notification request. If an attorney or law firm is currently listed for a case, the intake page and policy review identify that case team before you submit. By accessing the site, submitting an intake form, or otherwise using any Breached service, you accept these Terms in full and agree that they are enforceable against you to the fullest extent permitted by applicable law."},{"heading":"No legal advice","body":"The site is for general information only. Breached does not provide legal advice, does not evaluate your specific rights, and does not tell you whether you should bring or join a claim. You should speak with licensed counsel before relying on any information from the site."},{"heading":"Agreement to linked policies","body":"These Terms incorporate the Privacy Policy, State Privacy Rights Notice, Consumer Health Data Notice, Data Processing Policy, Intake Consent Terms, Communications Policy, Attorney Advertising Disclaimer, and any other policy presented to you before submission. If you submit an intake form, you agree to the then-current intake policy bundle shown in that flow."},{"heading":"No attorney-client relationship","body":"Using the site, reading a breach page, or submitting an intake form does not create an attorney-client relationship. An attorney-client relationship forms only if a licensed attorney or law firm agrees to represent you in a written engagement agreement."},{"heading":"Breach information","bullets":["Breach pages are based on public reports, company notices, regulator postings, court records, security research, and other cited sources.","Breached may summarize, classify, or explain those sources in plain English.","Breached does not guarantee that a source is complete, current, or error-free.","If a source changes or a correction is needed, use the corrections process in the Source and Corrections Policy."]},{"heading":"Class-action intake limits","bullets":["Submitting an intake form expresses interest in follow-up. It does not mean you are eligible for compensation.","If no attorney or law firm using Breached is currently investigating the matter, your submission asks Breached to notify you if that changes.","If an attorney or law firm is listed on the intake page, that case team may receive your submission for evaluation when you consent.","Breached does not promise that a case will be filed, certified as a class action, settled, or won.","Any case evaluation is performed by licensed counsel, not by Breached.","A court, settlement administrator, or retained counsel may later determine eligibility."]},{"heading":"Your responsibilities","bullets":["Provide accurate information if you submit a form.","Do not submit another person's personal information unless you are authorized to do so.","Do not use Breached to harass breach victims, companies, attorneys, or other users.","Do not attempt to bypass rate limits, scrape at abusive volume, probe systems, or upload malicious content."]},{"heading":"Intellectual property","body":"Breached owns or licenses the site design, summaries, source organization, and original content. You may link to public pages and quote short portions with attribution, but you may not copy the service wholesale or imply sponsorship by Breached."},{"heading":"Disclaimers and liability limits","body":"Breached is provided as-is and as available. To the fullest extent allowed by law, Breached disclaims warranties and limits liability for indirect, incidental, consequential, special, exemplary, or punitive damages. Some jurisdictions do not allow certain limits, so those limits apply only where permitted."},{"heading":"Indemnification","body":"You will defend, indemnify, and hold harmless Bloc Claims LLC, its officers, directors, members, managers, employees, agents, contractors, partner law firms, vendors, and affiliates from and against any and all claims, demands, losses, damages, liabilities, judgments, settlements, costs, and expenses (including reasonable attorneys' fees and court costs) arising out of or related in any way to your access to or use of the service, your violation of these Terms, your violation of any law, regulation, or third-party right, or your submission of inaccurate, unauthorized, or misleading information. Bloc Claims may, at its sole election and at your expense, assume the exclusive defense and control of any matter for which you owe indemnification, and you will cooperate fully in connection with that defense. You will not settle any matter without Bloc Claims' prior written consent."},{"heading":"Governing law and venue","body":"These Terms and any dispute, claim, or controversy arising out of or relating in any way to these Terms, the service, the data on the service, your use of the service, or your relationship with Bloc Claims (each a 'Dispute') are governed exclusively by the substantive laws of the State of Texas, without regard to its conflict-of-laws principles and without application of the United Nations Convention on Contracts for the International Sale of Goods. Subject to the binding arbitration provision below, you and Bloc Claims irrevocably and unconditionally submit to the exclusive personal jurisdiction and venue of the state and federal courts located in Harris County, Texas, and you absolutely waive any objection based on inconvenient forum, lack of personal jurisdiction, or improper venue."},{"heading":"Mandatory binding arbitration","body":"PLEASE READ THIS SECTION CAREFULLY. IT REQUIRES YOU TO RESOLVE DISPUTES WITH BLOC CLAIMS THROUGH FINAL AND BINDING INDIVIDUAL ARBITRATION INSTEAD OF IN COURT, AND IT LIMITS THE WAYS YOU MAY SEEK RELIEF FROM US.","bullets":["You and Bloc Claims agree that any and all Disputes will be resolved exclusively by final and binding individual arbitration, and not in court, regardless of legal theory and regardless of whether the Dispute arises in contract, tort, statute, regulation, common law, fraud, misrepresentation, equity, or any other doctrine, and regardless of the relief sought.","The arbitration will be administered by the American Arbitration Association ('AAA') under its Consumer Arbitration Rules then in effect, modified as necessary by these Terms. The seat and exclusive venue of the arbitration is Harris County, Texas, and any in-person hearing will take place in Harris County, Texas, unless the arbitrator orders a recorded telephonic or video hearing.","The Federal Arbitration Act, 9 U.S.C. § 1 et seq., governs the interpretation, validity, and enforcement of this arbitration agreement. The arbitrator, and not any court or agency, has exclusive authority to resolve any threshold issues of arbitrability, including all questions concerning the formation, scope, validity, enforceability, conscionability, severability, and interpretation of this arbitration agreement, and any claim that all or part of this arbitration agreement is void or voidable.","You and Bloc Claims each knowingly, voluntarily, and intentionally waive any right to a trial by jury and any right to have a Dispute decided by a judge. Each party will bear its own attorneys' fees and costs except where shifting is required by the AAA rules or non-waivable applicable statute.","The arbitrator's award is final, binding, and enforceable in any court of competent jurisdiction. Information about an arbitration, including the existence of any award and the contents of any submission, is confidential between the parties and may not be disclosed except as necessary to enforce the award or as required by law.","This arbitration agreement survives termination of these Terms, deletion of your account, and the end of your use of the service."]},{"heading":"Class action and representative action waiver","body":"TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, YOU AND BLOC CLAIMS EACH KNOWINGLY, VOLUNTARILY, AND INTENTIONALLY WAIVE ANY RIGHT TO PARTICIPATE IN ANY CLASS, COLLECTIVE, CONSOLIDATED, COORDINATED, MASS, REPRESENTATIVE, OR PRIVATE-ATTORNEY-GENERAL ACTION AGAINST THE OTHER PARTY, WHETHER IN COURT, IN ARBITRATION, OR IN ANY OTHER FORUM.","bullets":["You may bring a Dispute against Bloc Claims only in your individual capacity, and only for relief sought on your own behalf. You may not act, and will not act, as a class representative, class member, named plaintiff, lead plaintiff, putative class member, or private attorney general in any proceeding against Bloc Claims.","The arbitrator has no authority to consolidate or join the claims of more than one person, to preside over any form of class, collective, mass, multi-claimant, or representative proceeding, or to award class-wide, collective, multi-claimant, or representative relief. The arbitrator may award individual relief only to you, and only to the extent necessary to remedy your own individual claim.","This waiver applies regardless of the legal theory advanced and regardless of the relief sought, including damages, restitution, statutory penalties, declaratory relief, and injunctive relief, except that public injunctive relief may be sought only to the limited extent (if any) it cannot lawfully be waived.","If, despite this provision, a court or arbitrator finds the class, collective, mass, or representative-action waiver in this section unenforceable or invalid as to a particular Dispute, then the entire arbitration provision is null and void as to that Dispute only, and that Dispute must be resolved exclusively in the state or federal courts located in Harris County, Texas, on an individual basis only — never on a class, collective, mass, or representative basis. The class action and representative action waiver in this section is non-severable from the arbitration agreement above for that purpose."]},{"heading":"Severability","body":"If any provision of these Terms is held invalid, illegal, or unenforceable by a court or arbitrator of competent jurisdiction, the remaining provisions remain in full force and effect, and the invalid provision will be modified to the minimum extent necessary to make it enforceable while preserving its original intent. The class action and representative action waiver above is expressly non-severable from the arbitration agreement to the extent and for the purpose set forth in that section."},{"heading":"Changes","body":"Breached may update these terms when the service, legal requirements, or partner workflows change. The effective version is the version posted in this policy center at the time you use the service or submit an intake form."}]},{"slug":"privacy-policy","title":"Privacy Policy","shortTitle":"Privacy","kicker":"Personal information","summary":"Explains what Breached collects, why it is collected, when it is shared with attorneys, retention expectations, state privacy rights, Global Privacy Control, privacy choices, and the no-sale/no-sharing commitment.","requiredInFooter":true,"requiredForIntake":true,"lastUpdated":"May 7, 2026","sections":[{"heading":"Information we collect","bullets":["Information you provide in intake forms, such as name, email, phone, ZIP code, case-fit answers, and notes.","Technical information such as IP-derived security data, user agent, timestamps, pages requested, and abuse-prevention signals.","Breach-page interaction data needed to operate the service, diagnose errors, and understand aggregate usage.","Public breach-source information about companies and incidents, not victim lists."]},{"heading":"CCPA personal information categories","bullets":["Identifiers, such as name, email, phone number, IP-derived security data, and similar contact or device information.","California Customer Records information, such as contact details submitted through an intake form.","Internet or network activity, such as requested pages, timestamps, user agent, security logs, and abuse-prevention signals.","Geolocation approximations, such as ZIP code you provide or coarse location inferred from request metadata for security and legal workflow purposes.","Professional, preference, or inference information only if you provide it in notes or case-fit answers and only as needed for the intake workflow.","Please do not submit sensitive personal information through public intake forms. If a case team later needs sensitive details, they will collect them through a secure attorney-controlled process."]},{"heading":"Sources of personal information","bullets":["You, when you submit an intake form, newsletter signup, privacy request, correction, or other message.","Your browser or device, through request headers, server logs, security signals, and opt-out preference signals such as Global Privacy Control.","Public sources, regulators, courts, companies, security researchers, and news sources for company breach information, not victim lists.","Partner law firms, service providers, or authorized case-support providers when they help operate the specific case process."]},{"heading":"Information we avoid collecting","bullets":["Do not submit Social Security numbers, full dates of birth, government ID numbers, account passwords, or payment card numbers through public intake forms.","Breached does not publish lists of individual breach victims by name.","Sensitive follow-up questions belong with the responsible attorney or a secure partner process, not the public site."]},{"heading":"How we use information","bullets":["Operate breach search, breach pages, intake forms, abuse prevention, and support workflows.","Route an intake submission to attorneys or staff evaluating the specific case when you separately consent to sharing and a case team is identified in the intake workflow or selected by name for future evaluation of that same matter.","Keep an interest or notification submission when no attorney is currently investigating the case through Breached.","Send transactional messages about your submission or a case you asked about.","Improve source quality, security, accessibility, and reliability.","Maintain compliance records, consent records, opt-out records, and audit logs."]},{"heading":"Business and commercial purposes","bullets":["Provide breach search, breach pages, intake forms, newsletter features, privacy request handling, and support workflows.","Perform security, fraud prevention, debugging, rate limiting, auditing, deduplication, and compliance recordkeeping.","Evaluate and route intake submissions for the specific breach matter when you consent, a signed service-provider or equivalent agreement is in place with the receiving partner law firm, and the firm was identified or selected by name in the intake workflow.","Maintain proof of consent, opt-out signals, policy versions, request verification, and legal compliance records.","Improve source quality, site reliability, accessibility, and aggregate product operations without selling personal information."]},{"heading":"Sharing","bullets":["With attorneys, law firms, or case teams evaluating a breach matter when you ask for follow-up, separately consent to sharing, and that case team is identified in the intake workflow or selected by name for future evaluation of that same matter.","If no attorney is currently investigating through Breached, Breached does not route your intake details to a law firm unless you selected that named participating firm before submitting, or that status changes and you give fresh sharing consent after a different case team is identified.","With partner law firms only after Breached has a signed Service Provider Agreement or equivalent written restriction that limits use to the disclosed case workflow.","With service providers that host, secure, email, analyze, or maintain the service under written restrictions that limit use, require reasonable safeguards, and support deletion or return where appropriate.","With regulators, courts, or other parties when required by law or to protect rights, safety, and security.","Breached does not sell personal information and does not share it for cross-context behavioral advertising."]},{"heading":"CCPA/CPRA rights","bullets":["California residents may request to know, access, correct, delete, or receive a portable copy of personal information, subject to legal exceptions.","California residents may opt out of sale or sharing for cross-context behavioral advertising. Breached does not sell personal information or share it for cross-context behavioral advertising.","California residents may limit use or disclosure of sensitive personal information where applicable, although Breached does not use sensitive personal information to infer characteristics.","Breached will not discriminate against you for exercising privacy rights, but some data may be necessary to provide a requested intake or case-notification workflow.","Use the verified privacy request form at /privacy/request to submit a request. Breached may ask you to verify control of the email address tied to the request before acting on it."]},{"heading":"Other state privacy rights","body":"Residents of states with comprehensive privacy laws may have additional rights depending on residence, legal thresholds, exemptions, and Breached's role for the processing. The State Privacy Rights Notice explains the current multi-state rights workflow, appeal process, and opt-out handling."},{"heading":"Consumer health data","body":"Some breach matters involve health, medical, biometric, reproductive, gender-affirming care, or similar sensitive information. Breached's public intake forms are designed to avoid collecting those details unless a secure attorney-controlled process specifically asks for them. The Consumer Health Data Notice explains the extra rules for Washington, Nevada, and similar health-data regimes."},{"heading":"GDPR and EU/EEA/UK notices","bullets":["Breached is a US-focused service operated by Bloc Claims LLC and does not intentionally target EU, EEA, or UK residents unless Breached expressly says otherwise.","When GDPR or UK GDPR applies, Breached treats Bloc Claims LLC as the controller for the public site, intake storage, newsletter, security, and privacy request workflows, unless a signed partner agreement states that Breached acts as a processor for a law firm.","Potential legal bases include consent for intake sharing and newsletters, legitimate interests for security, abuse prevention, source quality, and service operations, legal obligation for compliance records, and establishment or defense of legal claims where applicable.","EU/EEA/UK residents may request access, correction, deletion, restriction, objection, portability, or consent withdrawal through /privacy/request. They may also complain to their local data protection authority.","Breached does not use intake submissions for solely automated decisions with legal or similarly significant effects."]},{"heading":"International transfers","body":"Breached and its core vendors are primarily US-based. If GDPR, UK GDPR, or Swiss data-transfer rules apply to a Breached interaction, Breached relies on an adequacy decision, Standard Contractual Clauses, a UK International Data Transfer Addendum or equivalent safeguard, or another lawful transfer basis where appropriate."},{"heading":"EU representative and DPO","body":"Breached is not currently an EU-targeted service. If Breached later offers EU-targeted activity that requires an Article 27 representative or Data Protection Officer, Breached will publish the required contact information."},{"heading":"Global Privacy Control","body":"Breached treats a recognized Global Privacy Control signal, including the HTTP header Sec-GPC: 1, as an automatic opt-out of sale or sharing for cross-context behavioral advertising. Intake records created with that signal are tagged with the opt-out at write time."},{"heading":"Retention","body":"Breached retains intake and consent records long enough to operate the case workflow, prove consent, comply with legal obligations, resolve disputes, and maintain security. Records are deleted or de-identified when they are no longer needed for those purposes, subject to legal exceptions."},{"heading":"Security","body":"Breached uses administrative, technical, and organizational safeguards intended to protect personal information. No online service can guarantee perfect security, so Breached limits collection to information needed for the stated purposes."},{"heading":"Your choices","bullets":["You can ask Breached to stop marketing or case-update messages.","You can request access, correction, deletion, or a copy of personal information at /privacy/request, subject to legal limits.","You can withdraw consent for future sharing, though prior case-routing actions may already have occurred.","State privacy rights may vary based on your residence and Breached's legal thresholds."]},{"heading":"Contact","body":"Use /privacy/request for privacy requests, corrections, deletion requests, opt-outs, and consent-withdrawal requests. Include the email address you used for intake and enough detail for Breached to identify the relevant submission. For security concerns, use the privacy contact published by Breached."}]},{"slug":"state-privacy-rights-notice","title":"State Privacy Rights Notice","shortTitle":"State rights","kicker":"State privacy","summary":"A multi-state privacy notice covering current US state privacy rights, universal opt-out signals, request appeals, sensitive-data handling, and state-threshold tracking for Breached intake data.","requiredInFooter":true,"requiredForIntake":true,"lastUpdated":"May 7, 2026","sections":[{"heading":"When this notice applies","body":"This notice applies when a state privacy law applies to Breached based on your residence, Breached's role as a controller, business, processor, service provider, or contractor, statutory thresholds, exemptions, and the type of data or processing involved."},{"heading":"Rights you may have","bullets":["Confirm whether Breached processes personal information about you.","Access a copy or summary of personal information, subject to legal exceptions and trade-secret limits.","Correct inaccurate personal information where the applicable state law grants correction rights.","Delete personal information when legally required, subject to exceptions for consent records, security, fraud prevention, legal obligations, dispute resolution, and attorney workflows.","Receive a portable copy where required and technically feasible.","Opt out of sale, sharing, targeted advertising, and certain profiling where those rights apply."]},{"heading":"How to make a request","body":"Use /privacy/request and provide the email address tied to your intake, newsletter, correction, or other message. Breached may verify control of that email address and may ask for additional information only when needed to authenticate the request or understand its scope."},{"heading":"Appeals","body":"If Breached denies a request and applicable law gives you appeal rights, the denial will explain why, describe how to appeal, and identify any regulator complaint path required by that state."},{"heading":"Opt-out preference signals","body":"Breached treats recognized opt-out preference signals, including Sec-GPC: 1 where legally required, as an opt-out of sale or sharing for cross-context behavioral advertising. Breached does not use intake data for sale, cross-context behavioral advertising, or targeted advertising."},{"heading":"Sensitive data","body":"Sensitive data may include health information, biometric data, precise geolocation, racial or ethnic origin, religious beliefs, citizenship or immigration status, sexual orientation, genetic data, data about known children, and similar categories depending on state law. Please do not put sensitive data in a public intake form unless a secure attorney-controlled process specifically asks for it."},{"heading":"State coverage","body":"State privacy rights vary by residence, legal thresholds, exemptions, and the type of processing involved. Breached applies the rights workflow that matches the state law that applies to your request."},{"heading":"No victim-list resale","body":"Breached does not buy, import, or resell victim lists. Breached also does not sell intake submissions."}]},{"slug":"consumer-health-data-notice","title":"Consumer Health Data Notice","shortTitle":"Health data","kicker":"Sensitive data","summary":"Explains how Breached avoids, limits, consent-gates, secures, and deletes consumer health data when breach intake could involve health, medical, biometric, reproductive, or similar sensitive information.","requiredInFooter":true,"requiredForIntake":true,"lastUpdated":"May 7, 2026","sections":[{"heading":"Health data Breached avoids","bullets":["Do not submit diagnosis, treatment, medication, surgical, reproductive health, gender-affirming care, genetic, biometric, or similar details in public intake notes.","Do not upload medical records, insurance cards, lab results, screenshots, raw breach files, or identity documents through a public intake form.","Do not include Social Security numbers, full dates of birth, payment card numbers, account passwords, or government IDs in health-breach intake notes."]},{"heading":"When health data may be inferred","body":"A breach involving a hospital, clinic, pharmacy, health app, insurer, genetic-testing provider, biometric service, reproductive-health service, or similar company can reveal health-related information even if you provide only contact details. Breached treats those matters as sensitive and minimizes the public intake fields."},{"heading":"Consent and sharing","body":"If Breached needs consumer health data beyond what is necessary to provide the requested intake or notification service, Breached will disclose the categories, purposes, recipients, withdrawal path, and obtain any required separate consent before collection or sharing."},{"heading":"Attorney-controlled follow-up","body":"If a case team needs medical, biometric, genetic, reproductive-health, or similarly sensitive details, that follow-up will happen through a secure attorney-controlled process, not through the general public intake notes field."},{"heading":"Rights and deletion","body":"Where Washington, Nevada, or another consumer health data law applies, Breached supports access, withdrawal, deletion, appeal, and downstream deletion notifications as required, subject to legal exceptions and attorney workflow obligations."},{"heading":"No sale or geofencing","body":"Breached does not sell consumer health data, use health-breach interest for retargeting, or use geofencing around healthcare facilities or sensitive locations for case advertising."},{"heading":"Security","body":"Consumer health data receives stricter access controls, logging, retention limits, vendor review, and deletion handling than ordinary site analytics or breach-source metadata."}]},{"slug":"data-processing-policy","title":"Data Processing Policy","shortTitle":"Data processing","kicker":"Processing terms","summary":"Explains how Breached processes intake data, defines controller/service-provider roles, limits downstream use, manages vendors, supports privacy requests, and handles deletion or return of data.","requiredInFooter":true,"requiredForIntake":true,"lastUpdated":"May 7, 2026","sections":[{"heading":"Processing roles","body":"Breached may act as an independent business or controller when it operates the public site and receives intake submissions. Breached may also act as a service provider, contractor, or processor when it handles data on behalf of a partner law firm or case team under written instructions."},{"heading":"Processing purposes","bullets":["Receive, validate, deduplicate, and store intake submissions.","Route submissions to attorneys, law firms, vendors, or case teams for evaluation only when the submitter gives separate sharing consent and the intake state identifies an assigned case team or named participating firms selected for future evaluation of the same matter.","Maintain notification-only submissions when no attorney or law firm is currently investigating through Breached.","Maintain consent, security, audit, opt-out, and compliance records.","Operate, secure, debug, and improve breach pages, intake forms, and support workflows."]},{"heading":"Instructions and limits","bullets":["Breached processes intake data only for the purposes described in the public policies, the intake consent, or written partner instructions.","Breached does not sell intake data or share it for cross-context behavioral advertising.","Partner firms and vendors may use intake data only for case evaluation, conflict checks, follow-up, administration, legal compliance, security, and other approved case-workflow purposes.","If written partner instructions conflict with law, Breached may pause processing until the conflict is resolved."]},{"heading":"Sensitive information","body":"Please do not put Social Security numbers, full dates of birth, government IDs, account passwords, payment card numbers, medical details, biometric details, genetic details, reproductive-health details, or raw breach files in a public intake form. If a case team later needs sensitive details, collection will happen through a secure attorney-controlled process."},{"heading":"Service providers and subprocessors","bullets":["Breached may use hosting, database, email, analytics, security, AI, document, and support vendors to operate the service.","Vendors are expected to be bound by written terms that restrict use of personal information, require reasonable safeguards, and support deletion or return when appropriate.","Partner law firms and downstream case vendors receive only the data needed for the relevant matter.","Breached reviews material vendor changes for privacy, security, and attorney-advertising impact."]},{"heading":"Security measures","bullets":["Use access controls, least-privilege permissions, transport encryption, audit logging, rate limiting, and incident-response procedures appropriate for intake data.","Limit access to people who need the data for operations, security, support, or case-routing workflows.","Review vendors and partner integrations before sharing intake data with them.","Keep consent records and policy versions tied to each submission so the processing basis can be proven later."]},{"heading":"Privacy requests","body":"Breached supports access, correction, deletion, opt-out, and consent-withdrawal requests where required by law. Some records may be retained when needed for legal obligations, dispute resolution, security, fraud prevention, attorney obligations, or proof of consent."},{"heading":"International transfers","body":"Breached is intended for US-focused breach intake. If Breached knowingly accepts or targets EU, UK, EEA, Swiss, or other international users, Breached will publish the additional privacy terms, transfer information, and request process required for those jurisdictions."},{"heading":"Partner-specific agreements","body":"This public policy is not a substitute for a signed data processing agreement, service-provider agreement, confidentiality agreement, business associate agreement, or law-firm engagement terms when one is required. Partner-specific written terms control if they are stricter and legally valid."}]},{"slug":"cookie-and-tracking-policy","title":"Cookie and Tracking Policy","shortTitle":"Cookies","kicker":"Site technologies","summary":"Explains Breached's use of cookies, local storage, logs, analytics, security signals, preference controls, and the current no tracking-pixel commitment.","requiredInFooter":true,"requiredForIntake":false,"lastUpdated":"May 7, 2026","sections":[{"heading":"Current approach","body":"Breached uses the minimum site technologies needed to provide search, intake, security, abuse prevention, performance monitoring, and preference storage. The public site does not use advertising pixels or sell/share cookie-derived data for cross-context behavioral advertising."},{"heading":"Technologies we may use","bullets":["Strictly necessary cookies or local storage for session, preference, security, rate-limit, or form-state features.","Server logs and technical metadata such as IP-derived security data, user agent, timestamps, requested URLs, and error details.","Privacy-preserving analytics or performance tools when configured to avoid unnecessary personal information and activated only after any required consent.","Third-party company logo or favicon services only when the privacy notice discloses the provider.","Consent or opt-out preference storage when a banner, privacy choice, or jurisdiction-specific workflow is enabled."]},{"heading":"Technologies we avoid","bullets":["No advertising pixels on intake pages.","No retargeting based on breach interest or intake behavior.","No sale or sharing of cookie-derived personal information for cross-context behavioral advertising.","No third-party scripts that collect raw intake form content."]},{"heading":"Choices","body":"You can control cookies through your browser settings. If Breached adds optional analytics or advertising technologies, Breached will provide any required notice, opt-out, or consent control before those technologies are active."},{"heading":"Global Privacy Control","body":"Where applicable law requires it, Breached treats recognized opt-out preference signals such as Global Privacy Control as an opt-out of sale or sharing for targeted advertising."},{"heading":"Changes to tracking","body":"If Breached changes its analytics, attribution, advertising, session-replay, or third-party script practices, Breached will update this policy where required."}]},{"slug":"intake-consent","title":"Intake Consent Terms","shortTitle":"Intake consent","kicker":"Submission terms","summary":"The concise consent bundle users see before submitting a breach-related intake form.","requiredInFooter":false,"requiredForIntake":true,"lastUpdated":"May 7, 2026","sections":[{"heading":"What you are asking Breached to do","body":"By submitting an intake form, you ask Breached to receive your information, keep a consent record, and use your submission for the specific breach matter. If no attorney or law firm is currently investigating through Breached, you are asking to be notified if that changes and may separately select named participating firms that may receive the submission only if they later evaluate this same matter through Breached. If an attorney or law firm is already listed for the case, you ask Breached to share your submission with that case team for evaluation when you consent."},{"heading":"No attorney-client relationship","body":"Submitting a form does not make Breached your lawyer and does not create an attorney-client relationship with any attorney or firm. Representation starts only if a law firm accepts you as a client in writing."},{"heading":"Permission to contact you","bullets":["You authorize Breached, and any attorney, law firm, or staff member disclosed in the intake workflow, to contact you about the matter you submitted.","If no attorney is currently investigating through Breached, attorney follow-up will wait unless a law firm you selected later begins evaluating the matter through Breached, or you give fresh sharing consent after a different case team is identified.","Contact may happen by email, phone, or text if you provide those details and applicable law allows it.","You can opt out of marketing or automated messages. Transactional messages about your submission may still be sent where allowed."]},{"heading":"Permission to share","body":"You consent to Breached sharing your submitted details with attorneys, law firms, intake vendors, and case teams for evaluation, conflict checks, follow-up, and related administration only when the intake form identifies the current case team or lets you select named participating firms for future evaluation of the same matter. If no attorney is currently investigating through Breached and you do not select a participating firm, Breached may store your interest request but will ask for fresh consent before sharing your details with a later-identified case team."},{"heading":"Information accuracy","body":"You confirm that the information you provide is accurate to the best of your knowledge and that you are submitting your own information or are authorized to submit it."},{"heading":"Sensitive information","body":"Do not include Social Security numbers, passwords, payment card numbers, full dates of birth, government IDs, medical details, biometric details, genetic details, reproductive-health details, or raw breach files in the public intake notes unless a secure attorney workflow specifically asks for them later."}]},{"slug":"attorney-advertising-disclaimer","title":"Attorney Advertising Disclaimer","shortTitle":"Attorney ads","kicker":"Legal services notices","summary":"Plain-language disclosures for pages, forms, and emails that may be treated as attorney advertising or lead-generation communications.","requiredInFooter":true,"requiredForIntake":true,"lastUpdated":"May 7, 2026","sections":[{"heading":"Attorney advertising","body":"Some Breached pages, intake prompts, emails, or partner placements may be attorney advertising. Prior results, settlement examples, or case descriptions do not guarantee a similar outcome."},{"heading":"Responsible firm","body":"When a specific law firm sponsors, reviews, investigates, or receives leads from a page or campaign, Breached identifies that responsible firm and any required office address where required. When no attorney or law firm using Breached is currently investigating the case, the page says so and does not imply that an attorney is already handling the matter."},{"heading":"No guarantees","bullets":["No statement on Breached guarantees compensation, recovery, eligibility, settlement amount, case filing, class certification, or legal outcome.","Case status, deadlines, and eligibility can change based on facts, law, court orders, and counsel review.","Past results do not guarantee future results."]},{"heading":"No live solicitation","body":"Breached relies on user-initiated intake and written follow-up. Breached does not use cold live calls or real-time solicitation of people who have not requested contact for attorney lead generation."},{"heading":"State-specific notices","body":"Some states require extra labels, responsible-attorney details, filing, retention, or review for attorney advertising. Breached shows state-specific notices in the intake flow when they apply."}]},{"slug":"communications-policy","title":"Email, Phone, and SMS Policy","shortTitle":"Communications","kicker":"Contact rules","summary":"How Breached handles transactional messages, attorney follow-up, marketing email, SMS consent, opt-outs, and do-not-contact requests.","requiredInFooter":false,"requiredForIntake":true,"lastUpdated":"May 7, 2026","sections":[{"heading":"Transactional messages","body":"Breached may send non-marketing messages needed to confirm a submission, respond to a request, deliver case updates you asked for, process opt-outs, or maintain security."},{"heading":"Marketing and attorney follow-up","bullets":["Marketing emails must use accurate sender information, non-deceptive subjects, a valid physical mailing address, and a clear opt-out method.","Automated or marketing texts and calls require the consent required by applicable law before sending.","Attorney solicitation rules may add state-specific labels, waiting periods, or content restrictions."]},{"heading":"Opt-outs","body":"Breached honors unsubscribe, STOP, quit, end, cancel, revoke, opt-out, do-not-call, and do-not-contact requests promptly and propagates them to relevant vendors or partner firms where the request applies."},{"heading":"Consent records","body":"Breached keeps consent records for outreach, including the consent language shown, timestamp, source page, submission identifiers, and technical metadata needed to prove the consent that supported the message."}]},{"slug":"acceptable-use-policy","title":"Acceptable Use Policy","shortTitle":"Acceptable use","kicker":"Misuse controls","summary":"Rules that keep a breach-information service from being used for harassment, identity theft, scraping abuse, security probing, or victim targeting.","requiredInFooter":false,"requiredForIntake":false,"lastUpdated":"May 7, 2026","sections":[{"heading":"Do not target victims","bullets":["Do not use Breached to identify, harass, threaten, shame, or contact individual breach victims.","Do not submit another person's personal data without authorization.","Do not combine Breached content with other data to build victim lists or identity-theft tooling."]},{"heading":"Do not attack systems","bullets":["Do not probe, scan, overload, exploit, reverse engineer, or bypass rate limits on Breached systems.","Do not upload malware, credential dumps, stolen secrets, or instructions for abusing exposed data.","Do not interfere with security, logging, abuse prevention, or access controls."]},{"heading":"Do not mislead","bullets":["Do not impersonate Breached, a law firm, a company, a regulator, or another person.","Do not submit false intake information or manufactured claims.","Do not remove source attribution when republishing short excerpts."]},{"heading":"Enforcement","body":"Breached may block requests, remove submissions, preserve evidence, suspend access, or report misuse when needed to protect users, victims, partners, or the service."}]},{"slug":"source-corrections-policy","title":"Source and Corrections Policy","shortTitle":"Sources","kicker":"Editorial accuracy","summary":"Explains how Breached sources breach records, attributes claims, corrects errors, and handles takedown or dispute requests.","requiredInFooter":true,"requiredForIntake":false,"lastUpdated":"May 7, 2026","sections":[{"heading":"Source hierarchy","bullets":["Prefer official company notices, regulator postings, SEC filings, court records, state attorney general notices, and primary security-research publications.","Use news, social posts, and third-party databases as supporting sources when primary sources are unavailable or delayed.","Attribute material claims to the source that supports them."]},{"heading":"What Breached summarizes","body":"Breached may summarize the company name, report date, source URL, affected-count estimates, exposed-data categories, severity, and plain-English impact. Breached does not republish stolen datasets or victim lists."},{"heading":"Corrections","bullets":["Correct factual errors when reliable evidence shows that a breach page is wrong or materially incomplete.","Use qualifying language such as reportedly or according to when a claim depends on a source that is not final.","Keep enough notes to explain what changed and why."]},{"heading":"Disputes","body":"A company or source owner may request correction, clarification, attribution changes, or removal review. Breached evaluates the request against the cited sources, public-interest value, legal risk, and user safety."}]},{"slug":"accessibility-statement","title":"Accessibility Statement","shortTitle":"Accessibility","kicker":"Equal access","summary":"A public accessibility commitment for Breached, including expected conformance target, feedback path, and remediation process.","requiredInFooter":true,"requiredForIntake":false,"lastUpdated":"May 7, 2026","sections":[{"heading":"Commitment","body":"Breached aims to make breach information and intake forms usable by people with disabilities, including people using screen readers, keyboard navigation, voice control, zoom, and high-contrast settings."},{"heading":"Target","body":"Breached uses WCAG 2.1 Level AA as its practical accessibility target."},{"heading":"Feedback","body":"If a page, form, or document is difficult to use, contact Breached with the URL, the issue, your browser or assistive technology if relevant, and your preferred contact method."},{"heading":"Remediation","body":"Breached prioritizes high-impact accessibility barriers in intake, search, breach detail pages, and policy pages."}]},{"slug":"copyright-and-dmca-policy","title":"Copyright and DMCA Policy","shortTitle":"Copyright","kicker":"Content rights","summary":"How Breached handles source attribution, copyright complaints, fair-use summaries, and DMCA-style takedown requests.","requiredInFooter":false,"requiredForIntake":false,"lastUpdated":"May 7, 2026","sections":[{"heading":"Original summaries","body":"Breached writes original summaries and links to source materials instead of republishing full copyrighted reports. Short quotations are limited, attributed, and used only when needed to explain the public breach record."},{"heading":"Takedown requests","bullets":["A copyright owner may send a written notice identifying the copyrighted work, the allegedly infringing Breached URL, contact information, and a good-faith statement.","Breached maintains a public copyright contact and, if eligible for DMCA safe-harbor treatment, a designated agent listing.","Breached may remove, disable, edit, or preserve content while evaluating the request."]},{"heading":"Counter-notices and disputes","body":"If content is removed based on a copyright complaint, Breached may accept counter-notices or supporting evidence where legally appropriate."},{"heading":"No stolen datasets","body":"Breached does not host credential dumps, stolen databases, victim lists, or raw exfiltrated files. The service describes public breach facts without distributing the compromised data."}]}]}