Privacy policy

Short version: we don't collect any personal data, and the site isn't built to.

What we don't do

• ❌ We don't store the passwords you type.
• ❌ We don't set cookies or write password data to localStorage.
• ❌ We don't create accounts, collect email, or run a newsletter.
• ❌ We don't use Google Analytics, Facebook Pixel, or any cookie-based tracker.
• ❌ We don't sell passwords, hashes, or browsing history to anyone.

What we actually do

• ✅ When you press Check, your browser sends the first 5 characters of the SHA-1 hash of your password to HIBP, using k-anonymity, to look up breach data.
• ✅ We may use a cookie-less analytics service (such as Cloudflare Web Analytics) to count page views — no personal data, no cross-site tracking.

Third parties

• HIBP (api.pwnedpasswords.com): receives only the 5-character hash prefix. See their privacy policy.
• Cloudflare: hosts the static site and keeps standard HTTP access logs.

How to verify this yourself

Open DevTools → Network → press Check. You'll see exactly one request to api.pwnedpasswords.com/range/XXXXX, containing only the 5-character hash prefix.