Welcome to Have I Been Ransomed? (“HIBR”, “we”, “us”). This service collects and processes information originating from data security breaches, particularly those resulting from ransomware incidents, that have been made public. Our goal is to enable individuals and organizations to verify whether their data (such as email addresses) has been exposed in such breaches so they can take appropriate mitigation measures.
We operate under the legal basis of "legitimate interest" (Article 6(1)(f) of the GDPR) for our European operations and in compliance with applicable U.S. state data privacy laws, including the Delaware Personal Data Privacy Act (DPDPA) and the California Consumer Privacy Act (CCPA). We fully respect data subject and consumer rights under all applicable data protection laws.
For the purposes of the GDPR, the data controller is Darkeye Industries LLC. For the purposes of U.S. privacy laws, the business responsible for processing your personal data is Darkeye Industries LLC, located in Delaware (US). The contact email for privacy matters is: [email protected].
We obtain information from publicly accessible sources where data breach information is disclosed, including forums, leak sites, and specialized cybersecurity repositories that publish information about ransomware incidents.
Ransomware breaches can expose a wide variety of data. However, our service focuses primarily on indexing and making searchable **identifiers** (such as email addresses and usernames) that allow users to verify potential exposure.
We do not store or make searchable passwords in clear text or in an easily reversible format. If passwords are present in the original breach (e.g., hashed), we do not index them for direct search in this service.
The underlying information collected from breaches is stored securely using encryption and strict access controls.
For data processed under the scope of the GDPR, we rely on **legitimate interest** (Article 6(1)(f)). Our legitimate interest consists of:
We have conducted a balancing test and believe our legitimate interest does not unduly override the rights of individuals, given that we process data already in the public domain, minimize the data exposed, apply robust security, and offer clear opt-out mechanisms.
For data processed under the scope of U.S. state privacy laws, our processing is for the purpose of providing the service as described and is subject to the consumer rights outlined in this policy. Processing is carried out respecting the principles of lawfulness, fairness, transparency, data minimization, and security.
We are aware that data breaches may incidentally contain special categories of personal data (as defined by GDPR) or "sensitive personal information" (as defined by U.S. state laws), which may include racial or ethnic origin, religious beliefs, health data, etc.
Our policy is to **actively avoid the indexed processing and public display** of such sensitive data through our search service. We implement filters and processes to minimize its inclusion in search results.
If you believe your sensitive data is being incorrectly displayed, please contact us immediately at [email protected] for its priority removal. We do not use or disclose sensitive personal information for purposes other than those specified in the law, such as ensuring the security and integrity of our service.
Depending on your jurisdiction, you have the following rights regarding your personal data:
To exercise these rights, please contact us at:
[email protected]
You also have the right to lodge a complaint with the competent data protection supervisory authority if you believe that our processing of your data infringes applicable regulations.
We implement appropriate technical and organizational measures to protect data against unauthorized access, alteration, disclosure, or destruction. These measures include:
We retain indexed breach data only for as long as necessary to fulfill the purpose of informing users about potential exposures. We periodically review stored breaches and de-index those that are no longer relevant or whose retention is no longer justified. Data will be deleted sooner if you exercise your right to erasure.
Do Not Sell or Share My Personal Information: We do not "sell" or "share" personal information as those terms are defined under applicable U.S. state privacy laws. Our service is designed for security awareness and does not involve selling data to third parties or engaging in cross-context behavioral advertising.
This service provides information based on data found in third-party security breaches that have been made public. We do not guarantee the accuracy, completeness, or timeliness of the underlying data from the original breach.
HIBR is not responsible for the original security breaches or the actions of the actors who caused them. Our service is a notification and information tool. Use of this service is at your own risk.
We may update this Privacy Policy periodically. We will notify you of any significant changes by posting the new policy on our website. We encourage you to review this page regularly.
Last updated: September 29, 2025
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:
Contact Email: [email protected]