Privacy Policy

Breach Guardian by SecurityIndeed

Effective Date: March 22, 2026

SecurityIndeed ("we," "us," or "our") operates the Breach Guardian mobile application and the Breach Guardian web dashboard (collectively, the "Service"). This Privacy Policy explains how we collect, use, store, and protect your information when you use our Service.

By downloading, installing, accessing, or using any part of the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with any part of this policy, please do not use the Service.

Our Core Promise: The Breach Guardian mobile app performs all message scanning and threat detection entirely on your device. Your messages, SMS content, and email text are never transmitted to any server. We cannot read, access, decrypt, or store your message content. This is not a policy choice — it is a technical architecture decision. The app simply has no code path to transmit your messages anywhere.

1. Information We Collect

Breach Guardian operates as two distinct components with fundamentally different data models:

1.1 Mobile Application (Breach Guardian App)

We collect nothing. The mobile app is designed to operate with zero data transmission to our servers or any third party. There is no telemetry, no analytics, no crash reporting, no usage tracking, and no network calls of any kind during message scanning or any other app operation.

Specifically, the mobile app:

  • Does not transmit SMS, MMS, or email content to any server
  • Does not send device identifiers, advertising IDs, or hardware fingerprints
  • Does not collect or transmit usage statistics, diagnostics, or behavioral data
  • Does not include any third-party analytics SDKs
  • Does not include any advertising frameworks, ad networks, or trackers
  • Does not perform crash reporting to external services
  • Does not upload your contacts, call logs, or address book
  • Does not access your location, camera, or microphone
  • Stores all scan results, detection history, and user preferences in local on-device storage only
  • Uses on-device machine learning models that run entirely within the app process with no network dependency

The app requires SMS read permission (Android) solely to scan messages locally on your device for spam and phishing threats. This permission is never used to transmit message content off-device. You can revoke this permission at any time through your device settings.

1.2 Web Dashboard (Breach Guardian Web)

The web dashboard provides breach monitoring and data broker removal services. To deliver these features, we collect and process:

  • Your email address: account creation, breach monitoring via Have I Been Pwned API
  • Your password: stored only as a one-way Argon2 hash; plaintext never stored
  • Breach results: encrypted at rest in our PostgreSQL database
  • Data broker removal requests: processed via a vendor-agnostic scrubbing provider
  • Session tokens: temporary; expire automatically

All data stored in our database is encrypted at rest. All communication between your browser and our servers is encrypted in transit via TLS 1.2 or higher.

2. Information We Do NOT Collect

To be absolutely clear, the following data is never collected, transmitted, stored, or accessed by SecurityIndeed from either the mobile app or web dashboard:

  • Message content: SMS, MMS, email body text, or any communication content
  • Call recordings or audio: We do not record, intercept, or transmit any voice calls
  • Contact lists or address books: We never upload or access your contacts
  • Location data: We do not access GPS, Wi-Fi, or cell tower location information
  • Browsing history: We do not track websites you visit
  • Photos, videos, or files: We do not access your media library or file system
  • Biometric data: We do not collect fingerprints, face data, or voice prints
  • Financial information: We do not collect bank account numbers, credit card numbers, or financial data (except via third-party payment processors if you purchase a paid plan)
  • Social Security numbers or government IDs: We never collect government identification numbers
  • Device advertising identifiers: We do not read or transmit your IDFA, GAID, or similar
  • Keystroke data: We do not log keystrokes or input patterns
  • Installed applications: We do not scan or report what other apps are on your device

3. How We Use Your Information

We use the information collected through the web dashboard exclusively to:

  • Check your email address against known data breaches via the HIBP API
  • Display breach results and notify you of new exposures
  • Process and track data broker removal requests through our scrubbing provider
  • Authenticate your identity and secure your account
  • Respond to your support requests
  • Comply with applicable legal obligations

4. How We Do NOT Use Your Information

We Do Not Sell Your Data. SecurityIndeed does not sell, rent, lease, trade, or otherwise disclose your personal information to third parties for monetary or other valuable consideration. We have never sold personal information. We will never sell personal information. This applies to all users, regardless of location.

Additionally, we do not:

  • Use your data for advertising, ad targeting, or marketing profiling
  • Share your data with advertisers or data brokers
  • Use your email address for unsolicited marketing without your explicit opt-in consent
  • Mine, analyze, or aggregate your data for purposes unrelated to providing the Service
  • Train machine learning models on your personal data on our servers
  • Create behavioral profiles or track you across services
  • Share your data with law enforcement or government agencies unless required by valid legal process

5. Third-Party Services

The web dashboard integrates with the following third-party services: Have I Been Pwned (HIBP) for checking if your email appears in known data breaches (privacy policy), and a vendor-agnostic data scrubbing provider for automated removal of your personal data from data broker websites. We do not integrate any advertising networks, social media trackers, social login providers, behavioral analytics services, or similar third-party tracking technologies in any part of the Service.

6. Data Retention

6.1 Mobile App

Scan history and detection results stored on your device are automatically deleted after 90 days by the app. You may also manually clear all data at any time from Settings. Since this data never leaves your device, deletion is immediate, permanent, and irreversible.

6.2 Web Dashboard

Your account data, breach results, and removal request history are retained for as long as your account is active. Upon receiving a deletion request, we will remove all personal data from active systems within 30 days; backup copies will be purged within 90 days.

7. Data Security

We implement administrative, technical, and physical security measures including:

  • Encryption at rest: AES-256 via Google Cloud KMS envelope encryption for PII columns
  • Encryption in transit: TLS 1.2 or higher for all web traffic
  • Password security: Argon2id hashing, never plaintext
  • On-device processing: Message content never reaches any server
  • Minimal data collection: Only what is strictly necessary to provide the Service
  • Access controls: Principle of least privilege on all service accounts; audit logging on Secret Manager access

8. Your Rights

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have rights under GDPR including access, rectification, erasure, portability, and the right to lodge a complaint with your local supervisory authority. California residents have rights under CCPA/CPRA including the right to know, delete, correct, and non-discrimination. We do not sell or share personal information as defined by any U.S. state privacy law. To exercise any of these rights, contact support@securityindeed.org.

9. Children's Privacy

The Service is not directed to children under the age of 13 (or 16 in the EEA/UK/Switzerland). We do not knowingly collect personal information from children under these ages.

10. Data Breach Notification

In the unlikely event that a security breach affects your personal data, we commit to notifying affected users by email within 72 hours of becoming aware of the breach, and to the relevant supervisory authority where required by law. Because the mobile app stores all data exclusively on your device and never transmits data to our servers, a breach of our infrastructure cannot expose your mobile app data.

11. Do Not Track

The Service does not track you. We do not use cookies, web beacons, pixel tags, or similar tracking technologies in the mobile app. The web dashboard uses only essential session cookies required for authentication.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email (if you have a web dashboard account) and by prominent notice within the Service, at least 30 days before the changes take effect.

13. Contact Us

If you have questions about this Privacy Policy, wish to exercise any of your data rights, or have concerns about how your information is handled, please contact us at support@securityindeed.org. SecurityIndeed is operated by Reddy LLC, a limited liability company registered in the State of Minnesota, United States.