Transparency Report
How we protect your privacy and handle data breaches responsibly
Our Mission
XposedOrNot exists to help people understand when their personal information has been exposed in a data breach. Our approach is rooted in responsibility: we provide this service without republishing or spreading stolen data that could cause further harm to affected individuals.
Our goal is to strike a careful balance between transparency and responsibility. We aim to:
- Provide you with actionable security insights that help you protect yourself, while respecting your privacy and never storing unnecessary personal information
- Operate in full compliance with applicable laws and regulations, while respecting the legitimate rights of both organizations and the individuals affected by breaches
- Maintain complete transparency about our practices, policies, and the limitations of our service
For complete details on how you can use our service and what we expect from users, please see our Terms and Conditions.
How We Handle Breach Data
We never republish or distribute complete breach dumps or stolen data.
Here's what we actually store and how we process breach data:
- We extract only email addresses from breach datasets and store them in our database. This allows us to provide search functionality without retaining the full scope of compromised information.
- We maintain public breach metadata including the breach name, date of occurrence, affected organization, and general categories of data that were exposed. This contextual information helps you understand the severity and scope of each incident.
- We do NOT store passwords, credit card numbers, social security numbers, personal identification documents, or any other sensitive personal data that may have been part of the original breach. These data types are intentionally excluded from our systems.
- This selective approach allows you to check whether your email appears in known breaches while ensuring that other sensitive information remains completely outside of our infrastructure and cannot be accessed by anyone through our service.
Data Minimization and Security
We follow industry best practices for data security and minimization:
- We maintain only the minimum information absolutely necessary to perform breach lookups and provide our core service. Any data that doesn't serve a direct purpose for our users is not collected or retained.
- All operations are conducted within isolated cloud environments that employ encryption both at rest (when data is stored) and in transit (when data moves between systems). This protects information from unauthorized access at every stage.
- We never share, sell, or provide raw personal data to third parties for any purpose, including marketing, analytics, or research. Your privacy is not a commodity we trade.
Legal and Takedown Requests
We take our legal obligations seriously and work to balance transparency with legal compliance:
- We respond promptly and appropriately to valid legal orders, law enforcement requests, and directions from regulatory authorities. Each request is reviewed to ensure it meets legal standards before action is taken.
- When a breach dataset becomes subject to a court injunction, legal restriction, or valid takedown request, we may suppress that information entirely or limit access based on geographic location to comply with regional laws and regulations.
- We believe in transparency about these requests. Statistics on takedown and legal requests are published in the metrics table below, updated regularly to keep the community informed about the legal demands we receive.
Public-Interest Standard
We decide whether to include a breach based on:
- Reliable source verification: Is the breach authentic and verified?
- Substantial impact on individuals: Does it affect a significant number of people?
- No ongoing risk: Will disclosure cause harm or create safety issues?
If disclosing a breach could cause harm or violates a legal restriction, we exclude or limit that dataset.
User Query Privacy
Your privacy is paramount when you use our search features. We've designed our system to protect your anonymity:
- Search queries are processed in memory and are not logged in any identifiable form. Once your search is complete, the query information is not retained in a way that could be linked back to you.
- We do not store the email addresses you search for, nor do we sell this information to third parties or use it for marketing purposes. Your searches remain private.
- We do not associate queries with IP addresses beyond transient security logs that are maintained solely for system protection and are automatically purged on a regular schedule.
Transparency Metrics
Below are statistics on takedown and legal requests we've received:
| Period | Takedown Requests | Complied | Denied | Notes |
| --- | --- | --- | --- | --- |
| 2025 Q1 | 0 | 0 | 0 | No requests received |
| 2025 Q2 | 0 | 0 | 0 | No requests received |