Data retention

Breachtide holds the minimum data needed to detect changes in your breach exposure and deliver one accurate alert when something moves. Every category below has a concrete time-to-live enforced in the database, not a policy promise.

At a glance

Account record: until deletion
Your sign-in email and per-account settings (notification email, webhook URL and secret, API key hash). Removed on account deletion.

Monitored email addresses: until removed
Each verified address you add. Removed when you delete it from your dashboard or close the account.

Per-source scan state: until address removed
The hashed sweep result and counts for each of the four feeds. Used to detect changes between sweeps.

Encrypted exposed values: 90 days
On a confirmed enriched-feed hit (every paid plan), the leaked field values are sealed with AES-GCM under an account-bound key and stored with a hard 90-day expiry. A worker purges expired rows every tick. Free-tier accounts see the field categories without the values themselves.

Alert history: 30 days
Each delivered email or webhook alert is logged for replay and audit. Older rows roll off automatically.

Webhook delivery audit: 30 days
Every outbound delivery attempt, with HTTP status and retry count.

Decryption audit log: until address removed
Every time an exposed value is decrypted for display, the time, source, requesting IP, and user agent are recorded. Visible only to the account owner.

Magic-link tokens: 15 minutes
One-time sign-in tokens. Single use, deleted after redemption or expiry.

Session cookies: 30 days sliding
A per-browser session token. Rotated or revoked from your dashboard. Only the SHA-256 hash is stored.

API rate-limit counters: 1 minute
In-memory fixed-window counters keyed by API key. Never persisted.

How exposed values are protected

Plaintext passwords, hashes, dates of birth, postal addresses, and phone numbers are considered exposed values. They are never stored unencrypted. At rest, every payload is sealed with AES-GCM under a key derived from a master key plus the monitored email's id, so the same plaintext under two different addresses produces different ciphertext and the keys are rotatable per-account. The unwrapped form lives only in the response that renders the dashboard page that requested it.
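
The per-address sealing described above, as an added example that is not Breachtide's own code. It assumes HMAC-SHA256 as the key-derivation step with a made-up context label, and it also passes the id as associated data; the page specifies none of these, and `aeadFor`, `Seal` and `Open` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// aeadFor derives the per-address key. Assumed KDF: HMAC-SHA256 with a made-up label.
func aeadFor(master []byte, emailID string) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("exposed-value-v1|" + emailID))
	block, err := aes.NewCipher(mac.Sum(nil)) // 32-byte output, so AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce || ciphertext || tag; the id is bound in as associated data (assumption).
func Seal(master []byte, emailID string, plaintext []byte) ([]byte, error) {
	gcm, err := aeadFor(master, emailID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(emailID)), nil
}

// Open reverses Seal; it fails if the blob was sealed for another id or altered.
func Open(master []byte, emailID string, blob []byte) ([]byte, error) {
	gcm, err := aeadFor(master, emailID)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("cannot open blob")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, blob[:n], blob[n:], []byte(emailID))
}

func main() {
	blob, _ := Seal(make([]byte, 32), "email-id-1", []byte("hunter2")) // constructed demo key and value
	fmt.Println("sealed bytes:", len(blob))
}
```

A row copied from one address to another fails authentication on `Open`, because both the derived key and the associated data differ.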

Each unwrap writes a row to the decryption audit table. You can review who, when, and from where exposed values were viewed on your account.

What deletion actually does

Removing a monitored email deletes the address row, every per-source scan state for it, every encrypted exposed value, and the decryption audit rows that referenced it. Removing the account does the same for every monitored email it owns, then removes the account row, sessions, API key, and webhook secret.

Backups follow standard infrastructure retention. SQLite is replicated to R2 via Litestream; replicated WAL segments roll off on the same TTL as the live database. There is no warm copy of deleted data after the WAL window closes.

What we never store

Questions

For anything not covered here, including specific deletion requests, write to [email protected].