Privacy Policy

1. What we collect

isitcompromised.com collects minimal data:

• Report submissions: package name, ecosystem, attack type, description, evidence URL, CVE, and optionally your handle. No account or email required.
• IP addresses: temporarily stored for rate limiting and spam prevention. Not linked to reports or shared with third parties.
• Server logs: standard HTTP request logs (URL, status code, timestamp, IP) retained for up to 30 days for operational purposes.

2. What we do not collect

• No cookies (no tracking, no analytics cookies, no session cookies)
• No third-party analytics or tracking scripts
• No user accounts, passwords, or email addresses
• No fingerprinting or cross-site tracking

3. How we use your data

• Report data is displayed publicly on the platform and available through the API
• IP addresses are used solely for rate limiting and are not stored long-term
• Server logs are used for debugging and security monitoring

4. Data storage

Data is stored on servers hosted by DigitalOcean in the United States. We use PostgreSQL with encrypted connections. Backups are retained for disaster recovery only.

5. Third-party services

We use the following infrastructure providers, each with their own privacy policies:

• DigitalOcean (hosting)
• Caddy (TLS termination, no data sent externally)

We do not use Google Analytics, Facebook Pixel, or any advertising network.

6. Your rights

Since we collect minimal personal data and do not maintain user accounts, there is limited personal data to access or delete. If you submitted a report and want it removed, contact us at privacy@isitcompromised.com with details to identify the report.

7. Children

The Service is not directed at children under 13. We do not knowingly collect data from children.

8. Changes

We may update this policy. Changes take effect when posted. Continued use of the Service constitutes acceptance.

9. Contact

Privacy questions? Reach out at privacy@isitcompromised.com.