Privacy Policy

Privacy Policy — Privacy321

Operated by Goal Prevail LLC (Delaware, USA)

Last updated: 5 June 2026
Effective date: 5 June 2026

1. Who we are

Privacy321 (the “Service“) is a data‑breach monitoring and notification service operated by Goal Prevail LLC, a limited liability company registered in the State of Delaware, United States (“Goal Prevail,” “we,” “us,” or “our“), available at https://privacy321.com and related subdomains (the “Site“).

For any privacy question or request, contact us at [email protected], or by mail at 254 Chapman Rd, Ste 208, Newark, Delaware 19702.

For the purposes of the EU/UK General Data Protection Regulation, Goal Prevail LLC is the data controller for the personal data described in this Policy (except where we act as a service provider/processor, e.g. for payment data handled by Freemius).

2. The one thing to understand first — our role

We are not a data broker, and we did not breach, hack, or take anyone’s data.

Our Service checks whether an email address you have verified you control already appears in data breaches that third parties suffered and that are already circulating publicly on the internet. That breach information exists independently of us, was exposed by the companies that were breached, and is typically already in the hands of bad actors before you ever hear about it. We are an early‑warning system — the messenger, not the source.

We do not:

  • create, compile, own, or sell breach databases;
  • hack, intrude into, or gain unauthorized access to any account or system;
  • offer a public search tool — only a person who has verified ownership of an email address, and holds an active subscription or trial, can view results for that address;
  • store full, unmasked breach contents on our website;
  • use your data for advertising, profiling, or resale.

3. The information we collect

3.1 Information you give us

  • Account & sign‑in. Your email address. We use passwordless “magic‑link” sign‑in, so customers do not create or give us a password. (For technical reasons WordPress stores a randomly‑generated, hashed password you never use; administrator accounts use a normal password.)
  • Monitored email addresses. The email address(es) you ask us to monitor. We require you to verify ownership/control of each address (via a confirmation link we email) before any breach results for it become visible.
  • Profile (optional). First/last name if you choose to provide it.
  • Communications. Messages you send us (support, feedback).
  • Optional notification channels. If you choose to connect a messaging channel (Telegram, Discord, Slack, or Matrix), the identifier needed to send you a notification “ping.” We never send breach details over these channels — only a prompt to log in.

3.2 Payment information (handled by Freemius)

We use Freemius as our Merchant of Record. When you subscribe, your payment details (card/PayPal, billing address, tax ID) are collected and processed by Freemius, not by us. We never receive or store your full card number. From Freemius we receive billing metadata such as subscription status, plan/license quantity, billing cycle, amounts, transaction/subscription IDs, and the country associated with the payment. Freemius’s handling of payment data is governed by its own privacy policy.

3.3 Breach data obtained from third‑party providers

To provide the Service, our scanning system sends the email address you asked us to monitor to one or more third‑party breach‑data providers and receives back any matching records. Depending on the breach, a record may include the email address, a username, a masked password or password hash, and other exposed fields (for example IP address, name, phone, address, or date of birth).

What we keep and how we mask it (please read — this is accurate to our system):

  • Sensitive values are masked (e.g. pass****) before they are written to the website database. The website stores only the masked version.
  • While a breach is active in your account, the masked values remain visible in your dashboard so you can recognize what to fix. (We do not delete them after a single view.)
  • When you mark a breach as “resolved,” we erase the masked values for that record and keep only the labels (e.g. “password, email were exposed — your data has been removed from this record”) plus the source, date, and your resolved status.
  • We do not retain the raw, unmasked provider response on the website; raw data is processed transiently on the scanning system and discarded after masking.

3.4 Free tools (no account required)

  • Password generator. Runs entirely in your browser using your browser’s cryptographic random generator. Generated passwords are never sent to us.
  • Password checker. Uses k‑anonymity: your password is hashed (SHA‑1) in your browser, and only the first 5 characters of that hash are sent to a breach‑password range service to look up matches. Your actual password never leaves your device. We additionally apply a per‑IP rate limit to this tool.
  • Browser fingerprint tool. Runs entirely in your browser and shows you what websites can infer about your device. Nothing is sent to us. Only if you explicitly opt in by toggling “Look up my IP,” your public IP address is sent to a third‑party geolocation API (ipapi.co, with ipwho.is as fallback) to show approximate location/ISP — we don’t receive or store that lookup.

3.5 Free homepage / event email checks

  • Homepage “check your email” tool. If you run a free check, we query a breach‑data provider and store the email address you entered together with the number of breaches found and basic metadata (time, source, truncated IP) as a “lead.” We use this to show you results, to limit abuse, and to invite you to start a trial. We do not store the underlying breach contents for these checks.
  • Event/booth check. If offered, this emails the results to the address entered (via our email provider) and does not store breach data.

3.6 Information we collect automatically

  • Log & security data. IP address, browser/user‑agent, request times, and security events (e.g. login attempts, rate‑limit triggers, verification events). We use truncated/hashed IPs for rate‑limiting where possible.
  • Cookies & similar technologies. See Section 8.

We do not intentionally collect government IDs, financial account numbers, health data, biometric data, or data about children (see Section 14). Sensitive fields that appear inside third‑party breach records are masked and handled as in Section 3.3.

4. How we use information

We use personal data to:

  • create and operate your account and authenticate you via magic link;
  • verify that you control the email addresses you monitor;
  • query breach‑data providers and present masked results, history, reset links, and remediation guidance;
  • send breach alerts, verification emails, and important service/security notices, and (if you opt in) optional channel “pings”;
  • process subscriptions and trials through Freemius and apply your plan’s monitored email allowance;
  • secure the Service: prevent fraud and abuse, rate‑limit, run bot checks (Cloudflare Turnstile, if enabled), and investigate incidents;
  • provide support and respond to your requests;
  • understand aggregate, non‑identifying usage to improve the Service;
  • comply with law and enforce our Terms.

We do not sell your personal data, share it for cross‑context behavioral advertising, or use breach data to build advertising profiles.

5. Legal bases (GDPR/UK GDPR)

Where GDPR/UK GDPR applies, we rely on:

  • Contract (Art. 6(1)(b)) — to create your account, verify your addresses, monitor for breaches, and provide alerts and support.
  • Legitimate interests (Art. 6(1)(f)) — security, fraud/abuse prevention, rate‑limiting, and improving the Service; we balance these against your rights.
  • Consent (Art. 6(1)(a)) — for the optional IP geolocation lookup in the fingerprint tool, optional messaging‑channel notifications, optional marketing, and non‑essential cookies. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)) — tax, accounting, and lawful requests.

You may object to processing based on legitimate interests (Section 12).

6. How long we keep it (retention)

  • Active customers’ monitoring data (monitored emails and masked breach history) — kept while your subscription/account is active, so your history stays intact. Resolved records keep only labels (values erased on resolve).
  • Cancelled/inactive accounts — your monitoring data (breach records and any additional monitored emails) is automatically purged about 12 months after cancellation. (Your core account email may remain on the WordPress account until the account is deleted.)
  • Free‑check leads / non‑converted abandoned carts — purged about 12 months after they were created.
  • Security/server logs — kept for a limited period for security and troubleshooting, then deleted or anonymized.
  • Payment/tax records — retained by Freemius under its own policies and applicable law.

You can shorten these windows, and you can delete everything immediately by deleting your account (Section 9.4 / 13).

7. International data transfers

We are based in the United States and our providers may process data in the US and other countries. Where we transfer personal data from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and the UK Addendum) and/or applicable adequacy decisions, together with technical measures (encryption, minimization, masking). You can request information about these safeguards at [email protected].

8. Cookies and similar technologies

We use:

  • Strictly necessary cookies — sign‑in sessions, security/CSRF protection, and remembering your cookie choices. These are required for the Service to work.
  • Preference cookies — to remember settings.
  • Analytics — if used, configured to be privacy‑respecting and, where required, subject to consent. We do not use third‑party advertising/tracking pixels.

Where required, we present a cookie/consent banner so you can manage non‑essential cookies. You can also control cookies in your browser; blocking strictly necessary cookies may break the Service.

9. Who we share information with

We do not sell or rent personal data. We share it only as follows.

9.1 Service providers / sub‑processors

We use vetted providers that process data on our behalf under contracts requiring appropriate protection. Depending on configuration, these include:

Provider Purpose Data involved
Freemius (Merchant of Record) Payments, tax, subscription/billing Email, billing data, subscription metadata
Hosting / infrastructure provider Website & database hosting Account data, masked breach data
Breach‑data API providers Looking up whether your email appears in breaches The monitored email address (and, for the password checker, only a 5‑char hash prefix)
Email delivery (e.g. SendGrid; optionally Mailgun, Brevo, or SMTP) Verification, alerts, and notices Recipient email, message content
Cloudflare CDN, DDoS protection, and Turnstile bot verification IP address, request metadata, challenge token
ipapi.co / ipwho.is Optional IP geolocation in the fingerprint tool only if you opt in Your public IP (sent from your browser; not received by us)
Messaging platforms (Telegram/Discord/Slack/Matrix) Optional notification “pings” only if you connect them The channel identifier you provide

Where a breach‑data provider’s license requires attribution, we display the source name/link next to the relevant record; we never provide your identity to them for attribution.

9.2 Legal and safety

We may disclose information if we believe in good faith it is necessary to comply with law, regulation, legal process, or a lawful government request; to enforce our Terms; to detect, prevent, or address fraud, security, or technical issues; or to protect the rights, property, or safety of Goal Prevail, our users, or the public. Where lawful and feasible, we will try to narrow overbroad requests and notify you.

9.3 Business transfers

If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, your information may be transferred as part of that transaction. The recipient will be bound by privacy commitments at least as protective as this Policy, and we will notify you of any material change.

9.4 What we never do

We never sell your personal data, share breach results with anyone other than you, provide bulk data access, or operate as a data broker.

10. Security

We use administrative, technical, and physical safeguards appropriate to the data, including: TLS encryption in transit; data minimization and masking (we store masked values only, and erase them on resolve); separation of the public website from the breach‑scanning system; passwordless magic‑link sign‑in with single‑use, expiring, hashed tokens; constant‑time secret comparison and signed‑webhook verification on server‑to‑server endpoints; rate‑limiting and optional bot challenges; and access controls. No system is perfectly secure; if a breach of our systems occurs that is likely to create risk to you, we will notify affected users and authorities as required by law. Because we store only masked data, a compromise of our website would expose minimal sensitive information.

11. Children

The Service is not intended for, and we do not knowingly collect personal data from, anyone under 18 (and in any event under 16 where that is the digital‑consent age). If you believe a minor has provided us data, contact [email protected] and we will delete it.

12. Your rights

Depending on where you live, you may have some or all of the following rights: access, correction/rectification, deletion/erasure, restriction, portability, objection (including to legitimate‑interest processing and to marketing), and withdrawal of consent. You also have the right to lodge a complaint with your supervisory authority.

EEA/UK/Switzerland (GDPR/UK GDPR): the rights above apply. You may complain to your local Data Protection Authority.

California (CCPA/CPRA): you may request to know, delete, and correct your personal information, and you have the right to non‑discrimination. We do not “sell” or “share” personal information for cross‑context behavioral advertising, and we do not use sensitive personal information for purposes that require an opt‑out. We honor Global Privacy Control (GPC) signals where applicable.

Other US states and countries (e.g. Virginia, Colorado, Connecticut, Utah, Texas; Canada PIPEDA; Brazil LGPD; Australia): we honor equivalent rights where they apply.

How to exercise your rights. Email [email protected] or use your account settings. We may need to verify your identity (for example, by confirming control of the account email). We respond within the timeframe required by applicable law (generally within 30 days; up to 45 days under CCPA where permitted). You may use an authorized agent where the law allows.

Deleting your account removes your monitored email addresses from active monitoring, deletes your account’s breach records and additional emails, stops notifications, and (via your account/Freemius) cancels your subscription. Some records may be retained where the law requires (e.g. transaction records held by Freemius).

13. A note about public breach data and your “resolved” status

Deleting your account or marking a breach “resolved” does not remove your data from the public internet or from the third‑party breach sources — that data exists outside our control. “Resolved” is a personal tracking flag that stops us re‑notifying you and causes us to erase the masked values we stored. The effective protection is to change the affected passwords (and enable two‑factor authentication) on the breached services, which our guidance and reset links help you do.

14. Third‑party links

The Service links to third‑party sites (for example, password‑reset pages and security resources). We don’t control and aren’t responsible for their content or privacy practices; review their policies before providing data.

15. Changes to this Policy

We may update this Policy to reflect changes in our practices or the law. We will update the “Last updated” date and, for material changes, provide additional notice (e.g. by email or a site notice). Your continued use after the effective date means you accept the updated Policy.

16. Contact

Goal Prevail LLC — Privacy321
Email: [email protected]
Mail: 254 Chapman Rd, Ste 208, Newark, Delaware 19702

EEA/UK users may also contact their local data protection authority.

17. Definitions

  • Breach data — information exposed in third‑party security incidents that is already circulating publicly and that we look up via breach‑data providers.
  • Masked data — a partially obscured value (e.g. pass****) we display so you can recognize what to change, without us storing the full value.
  • Merchant of Record — Freemius, which processes payments, taxes, and payment‑related support.
  • Personal data / personal information — information that identifies or could reasonably identify a person.
  • Processing — any operation performed on personal data.
  • Service — the Privacy321 breach‑monitoring service operated by Goal Prevail LLC.