
Data Processing Policy

Explains how Breached processes intake data, defines controller/service-provider roles, limits downstream use, manages vendors, supports privacy requests, and handles deletion or return of data.

Updated: May 7, 2026

Processing roles

Breached may act as an independent business or controller when it operates the public site and receives intake submissions. Breached may also act as a service provider, contractor, or processor when it handles data on behalf of a partner law firm or case team under written instructions.

Processing purposes

  • Receive, validate, deduplicate, and store intake submissions.
  • Route submissions to attorneys, law firms, vendors, or case teams for evaluation only when the submitter gives separate sharing consent and the intake state identifies an assigned case team or named participating firms selected for future evaluation of the same matter.
  • Maintain notification-only submissions when no attorney or law firm is currently investigating through Breached.
  • Maintain consent, security, audit, opt-out, and compliance records.
  • Operate, secure, debug, and improve breach pages, intake forms, and support workflows.

Instructions and limits

  • Breached processes intake data only for the purposes described in the public policies, the intake consent, or written partner instructions.
  • Breached does not sell intake data or share it for cross-context behavioral advertising.
  • Partner firms and vendors may use intake data only for case evaluation, conflict checks, follow-up, administration, legal compliance, security, and other approved case-workflow purposes.
  • If written partner instructions conflict with law, Breached may pause processing until the conflict is resolved.

Sensitive information

Please do not put Social Security numbers, full dates of birth, government IDs, account passwords, payment card numbers, medical details, biometric details, genetic details, reproductive-health details, or raw breach files in a public intake form. If a case team later needs sensitive details, collection will happen through a secure attorney-controlled process.

Service providers and subprocessors

  • Breached may use hosting, database, email, analytics, security, AI, document, and support vendors to operate the service.
  • Vendors are expected to be bound by written terms that restrict use of personal information, require reasonable safeguards, and support deletion or return when appropriate.
  • Partner law firms and downstream case vendors receive only the data needed for the relevant matter.
  • Breached reviews material vendor changes for privacy, security, and attorney-advertising impact.

Security measures

  • Use access controls, least-privilege permissions, transport encryption, audit logging, rate limiting, and incident-response procedures appropriate for intake data.
  • Limit access to people who need the data for operations, security, support, or case-routing workflows.
  • Review vendors and partner integrations before sharing intake data with them.
  • Keep consent records and policy versions tied to each submission so the processing basis can be proven later.

Privacy requests

Breached supports access, correction, deletion, opt-out, and consent-withdrawal requests where required by law. Some records may be retained when needed for legal obligations, dispute resolution, security, fraud prevention, attorney obligations, or proof of consent.

International transfers

Breached is intended for US-focused breach intake. If Breached knowingly accepts or targets EU, UK, EEA, Swiss, or other international users, Breached will publish the additional privacy terms, transfer information, and request process required for those jurisdictions.

Partner-specific agreements

This public policy is not a substitute for a signed data processing agreement, service-provider agreement, confidentiality agreement, business associate agreement, or law-firm engagement terms when one is required. Partner-specific written terms control if they are stricter and legally valid.