Last updated: June 2026

Privacy Policy

Overview

Umbrify is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights as a user. We collect the minimum data necessary to deliver our service.

Data We Collect

  • Email addresses you choose to monitor (stored in our database to enable continuous breach monitoring)
  • App usage analytics (anonymized, no personally identifiable information)
  • Subscription and billing information (processed by Stripe — we do not store full card details)
  • Device identifiers for push notifications (breach alerts)

How We Use Your Data

  • To perform breach checks against the Have I Been Pwned database
  • To scan URLs for phishing and malware via Google Safe Browsing and VirusTotal
  • To send real-time breach alerts (Shield and Vault plans)
  • To calculate and display your Safety Score
  • To improve app performance and fix bugs (anonymized analytics only)

k-Anonymity & Password Checks

When you check a password, Umbrify uses the k-anonymity model: only the first 5 characters of a SHA-1 hash are sent to our servers. The full password never leaves your device. This is the same technique used by Have I Been Pwned.
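
The range check described above, shown as an added example that is not Umbrify's own code: the device hashes the password, sends only the 5-character prefix, and compares the remaining 35 characters locally. It assumes the server replies with `SUFFIX:COUNT` lines in the style of the Have I Been Pwned range API; `fake_server`, `CORPUS` and the counts are constructed stand-ins.

```python
import hashlib

PREFIX_LEN = 5   # hex characters of the SHA-1 digest that leave the device
DIGEST_LEN = 40  # length of a SHA-1 digest in hex

def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix sent to the server, suffix kept on the device)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines, skipping malformed lines and zero-count padding."""
    found = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != DIGEST_LEN - PREFIX_LEN or not count.isdigit():
            continue
        if int(count) > 0:
            found[suffix.upper()] = int(count)
    return found

def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the corpus; 0 if not found."""
    prefix, suffix = split_hash(password)
    # Only `prefix` crosses the network; the suffix match happens locally.
    return parse_range(fetch_range(prefix)).get(suffix, 0)

# Constructed stand-in for the server (assumption): a tiny corpus and a log
# of every value the "server" receives.
CORPUS = {"password": 3, "hunter2": 1}
SEEN = []

def fake_server(prefix: str) -> str:
    SEEN.append(prefix)
    lines = []
    for candidate, count in CORPUS.items():
        p, s = split_hash(candidate)
        if p == prefix:
            lines.append(f"{s}:{count}")
    lines.append("0" * (DIGEST_LEN - PREFIX_LEN) + ":0")  # padding entry
    return "\r\n".join(lines)

if __name__ == "__main__":
    print(breach_count("password", fake_server), SEEN)
```

The prefix still narrows the candidate set for whoever receives it, so the server learns a 20-bit bucket of the hash rather than nothing at all.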

Data Storage

All personal data is stored in Supabase on AWS infrastructure with AES-256 encryption at rest and TLS in transit. Data is stored in the US and subject to US data protection standards.

Data Retention

We retain your data for as long as your account is active. If you delete your account, all personal data is permanently deleted within 30 days. Anonymized analytics data may be retained indefinitely.

GDPR Rights

  • Right to access: request a copy of all data we hold about you
  • Right to rectification: correct any inaccurate personal data
  • Right to erasure: request deletion of all your personal data
  • Right to portability: receive your data in a machine-readable format
  • Right to object: opt out of any data processing at any time

No Data Selling

We do not sell, rent, or share your personal information with third parties for marketing purposes. Ever. Our business model is subscription-based, not advertising-based.

Cookies

Our marketing website uses minimal cookies for analytics (page views, referral sources). No cross-site tracking cookies are used. You can disable cookies in your browser settings without affecting the mobile app.

Third-Party Services

  • Have I Been Pwned (haveibeenpwned.com) — breach database lookups for email addresses
  • Google Safe Browsing — URL scanning for phishing and malware
  • VirusTotal — additional URL and threat analysis
  • Stripe — payment processing for Shield and Vault subscriptions
  • Supabase — database and authentication infrastructure (hosted on AWS)
  • Sentry — anonymized crash reporting to improve app stability
  • Expo (push notifications) — delivery of breach alert notifications

Contact

For privacy-related requests or questions, contact us at [email protected]. We respond to all requests within 30 days.
