Privacy Policy
Last updated: 11 June 2026
This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, how long we retain it, and the rights available to individuals under applicable laws in the EU/UK (GDPR/UK GDPR), United States (CCPA/CPRA and state laws), MENA (including UAE PDPL), and Asian data protection laws (e.g., Singapore PDPA, Japan APPI, India DPDP, China PIPL).
1. Who we are
Dark Monitor is a breach & leak monitoring service operated by PWN-ALL Auditing, Reviewing & Testing Cyber Risks CO. L.L.C (“PWN-ALL”, “we”, “our”, “us”), the data controller for the processing described in this Policy. Our registered address is: 145, Al Mustaqbal street, Iris Bay Tower 2101-11, Business Bay, Dubai, United Arab Emirates. Website: pwn-all.com.
This version of the service is intended for personal (non-corporate) mailboxes only. For corporate monitoring, contact corp@pwn-all.com.
2. The short version
- The email you check never reaches our servers in readable form. It is blinded in your browser using an Oblivious Pseudorandom Function (OPRF); we only ever receive a blinded value and a derived token.
- Our breach index stores only OPRF-derived tokens — never plaintext emails, passwords or other breach payloads.
- We never store your IP address. Rate limiting uses a keyed, non-reversible hash (HMAC-SHA256) of it.
- We do not sell or share personal data for advertising, and we run no third-party analytics or advertising trackers.
3. Data we collect, and why
3.1 Breach-check emails (not collected)
When you check an email on the home page, your browser normalizes and cryptographically blinds it before anything is sent. Our server applies its secret key to the blinded value without being able to see the address, and your browser derives the final lookup token locally. We receive and match only that token. Checks made while signed in store the token, the result (found / not found) and a timestamp in your check history — never the address itself.
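The exchange just described, as an added example written for this explanation (not Dark Monitor's own code): it assumes a DH-style OPRF on NIST P-256 with a simple try-and-increment hash-to-curve and a strip-and-lowercase normalization rule, all of which are assumptions about a construction the policy does not specify. The server function receives only the blinded point; the token is derived in the client.

```python
import hashlib, secrets
# NIST P-256 parameters: field prime, a=-3, b, prime group order N (cofactor 1).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A, B = -3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

def add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add scalar multiplication (demo only, not constant-time)
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def hash_to_curve(msg):  # try-and-increment: hash to x, keep it once x^3-3x+b is a square
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(msg + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (x**3 + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)  # square root; valid because P % 4 == 3
        if y * y % P == rhs: return x, y
        ctr += 1

def normalize(email):  # assumed normalization rule; the service's may differ
    return email.strip().lower().encode()

def client_blind(email):  # browser: blind H(email) with a fresh random scalar r
    r = secrets.randbelow(N - 1) + 1
    return r, mul(r, hash_to_curve(normalize(email)))

def server_evaluate(key, blinded):  # server: applies its secret key to a random-looking point
    return mul(key, blinded)

def client_finalize(email, r, evaluated):  # browser: remove r, then derive the lookup token
    unblinded = mul(pow(r, -1, N), evaluated)  # == key * H(email)
    return hashlib.sha256(normalize(email) + unblinded[0].to_bytes(32, "big")).hexdigest()

def lookup_token(email, key):  # full exchange; only `blinded` ever crosses the wire
    r, blinded = client_blind(email)
    return client_finalize(email, r, server_evaluate(key, blinded))
```

At import time (section 3.4) the server holds both the plaintext row and the key, so it can compute the same token without any blinding, which is what `client_finalize` with `r = 1` amounts to.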
3.2 Account emails
If you join the registration queue or request a sign-in link, we process the email address you provide, together with account creation time, in order to operate the queue, send the activation and one-time sign-in (magic link) messages, and provide account features.
3.3 Technical data
- Rate limiting: a keyed hash (HMAC-SHA256) of your IP address with a daily counter. The raw IP is not stored and the hash cannot be reversed without the server secret.
- Session cookie (lm_session): an HttpOnly, SameSite cookie identifying your signed-in session. Stored server-side only as a keyed hash. Expires after 30 days or on sign-out.
- Consent flag (lm_consent): a value in your browser’s localStorage remembering that you dismissed the consent banner. It never leaves your device.
- Proof-of-work challenges: short-lived random values (10-minute lifetime) used to deter automated abuse; they contain no personal data.
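The rate-limit mechanism above, as an added example (not the service's own implementation): a per-IP daily counter keyed by HMAC-SHA256 of the address, so the store holds only keyed hashes and a day change discards the previous counters. The secret, the limit and the date format are assumptions.

```python
import hmac, hashlib, datetime

class DailyRateLimiter:
    """Counters keyed by HMAC-SHA256(secret, ip); the raw IP is never written anywhere."""

    def __init__(self, secret: bytes, limit: int):
        self.secret = secret      # server secret; assumed to live in dedicated secret storage
        self.limit = limit        # allowed checks per IP per day (assumed value)
        self.day = None           # UTC date the current counters belong to
        self.counters = {}        # hex HMAC -> count

    def _key(self, ip: str) -> str:
        # Keyed and non-reversible: without `secret` the hash cannot be mapped back to the IP.
        # A plain SHA-256 would not do, since the IPv4 space is small enough to enumerate.
        return hmac.new(self.secret, ip.encode(), hashlib.sha256).hexdigest()

    def allow(self, ip: str, today: str = None) -> bool:
        today = today or datetime.datetime.now(datetime.timezone.utc).date().isoformat()
        if today != self.day:     # daily rollover: stale counters are dropped
            self.day, self.counters = today, {}
        k = self._key(ip)
        self.counters[k] = self.counters.get(k, 0) + 1
        return self.counters[k] <= self.limit

    def stores_raw_ip(self, ip: str) -> bool:
        # Sanity check a reviewer can run: the dotted address must not appear in the store.
        return ip in str(self.counters)
```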
3.4 The breach index
When breach datasets are imported, each email address is converted server-side into an OPRF-derived token and the plaintext is discarded. Rows on corporate domains are not imported into this service at all. The index stores tokens, the breach source name, description, import date and row count — nothing else.
4. Purposes and legal bases
We process the data above to provide the breach-check service, operate accounts and the registration queue, secure the service against abuse, and comply with legal obligations. Where a legal basis is required:
- EU/UK GDPR: performance of a contract or steps prior to entering one (Art. 6(1)(b)) for checks, queue and account features; legitimate interests (Art. 6(1)(f)) for abuse prevention, rate limiting and security; consent (Art. 6(1)(a)) where we ask for it explicitly.
- UAE PDPL: processing necessary for a contract with you, our legitimate interests in securing the service, and consent where required.
- Singapore PDPA / Japan APPI / India DPDP / China PIPL: consent and/or statutory bases equivalent to contractual necessity and legitimate purposes, as recognized by each law. Under PIPL, where separate consent is required (e.g., for any cross-border transfer of personal information of individuals in China), we obtain it before processing.
- US state laws (CCPA/CPRA etc.): we process personal information only for the business purposes described here; we do not “sell” or “share” personal information as those terms are defined by the CPRA.
5. What we never do
- Store or log plaintext emails used for breach checks, lookup tokens tied to your identity beyond your own check history, raw IP addresses, or session tokens.
- Sell, rent, or share personal data for cross-context behavioral advertising.
- Use third-party advertising or cross-site tracking.
- Make automated decisions producing legal or similarly significant effects.
6. Retention
- Account / queue emails: until your account is deleted or you ask us to remove you from the queue.
- Sessions: 30 days, or immediately on sign-out.
- Check history: while your account exists.
- Rate-limit counters: rolled over daily; stale entries are overwritten.
- Proof-of-work challenges: 10 minutes.
7. Sharing and international transfers
Data is processed on infrastructure operated for PWN-ALL by hosting providers acting as processors under data-processing agreements. We disclose data only when required by law or to protect our rights. We do not sell personal data.
As we are established in the United Arab Emirates and may use infrastructure in other regions, personal data may be transferred across borders. Where required, we rely on appropriate safeguards: EU Standard Contractual Clauses and the UK IDTA/Addendum for EU/UK data; transfer mechanisms permitted by the UAE PDPL; and, for personal information of individuals in China, PIPL-compliant mechanisms including separate consent and standard contractual clauses issued by the CAC, where applicable.
8. Security
TLS in transit; OPRF blinding so lookup emails never reach us in readable form; keyed hashing (HMAC-SHA256) for session tokens and IP-derived rate-limit keys; HttpOnly, SameSite cookies; proof-of-work and rate limiting against abuse; server secrets kept in dedicated secret storage with key versioning.
9. Your rights
Depending on where you live, you have some or all of the following rights. To exercise any of them, write to privacy@pwn-all.com. We verify requests before acting on them and respond within the timeframe required by the applicable law (e.g., one month under GDPR, 45 days under CCPA/CPRA). Note that we cannot link breach-check tokens back to email addresses — by design — so requests can only apply to account data and your own check history.
9.1 EU / UK (GDPR / UK GDPR)
Right of access, rectification, erasure (“right to be forgotten”), restriction of processing, data portability, objection, withdrawal of consent at any time, and the right to lodge a complaint with your supervisory authority (in the EU) or the ICO (in the UK).
9.2 United States (CCPA/CPRA and other state laws)
Right to know/access the personal information we hold about you, right to delete, right to correct, right to data portability, right to opt out of “sale” or “sharing” of personal information (we do not sell or share), right to limit use of sensitive personal information (we do not use it beyond providing the service), and right to non-discrimination for exercising your rights. You may use an authorized agent to submit requests.
9.3 MENA — UAE PDPL
Right to access your personal data and obtain a copy, right to rectification, erasure and restriction, right to object to processing (including for direct marketing — which we do not perform), right to data portability, and the right to complain to the UAE Data Office.
9.4 Asia
- Singapore (PDPA): right of access and correction, and the right to withdraw consent on reasonable notice.
- Japan (APPI): right to request disclosure, correction, addition or deletion of retained personal data, and cessation of use or third-party provision.
- India (DPDP Act): right to access a summary of your personal data and processing activities, right to correction and erasure, right to grievance redressal, and the right to nominate a person to exercise your rights.
- China (PIPL): right to access and copy your personal information, right to correction and deletion, right to restrict or refuse processing, right to withdraw consent, right to an explanation of processing rules, and rights of next of kin regarding a deceased person’s information.
10. Cookies and local storage
We use one first-party session cookie (lm_session) and one localStorage key (lm_consent), both described in section 3.3. No third-party cookies, no advertising or analytics trackers.
11. Children
The service is not directed at children (under 16 in the EU/UK, under 13 in the US, or the equivalent age of consent in your jurisdiction) and we do not knowingly process their data.
12. Changes
We may update this Policy as the service evolves. The “Last updated” date above always reflects the current version; material changes will be announced on the site.
13. Contact
PWN-ALL Auditing, Reviewing & Testing Cyber Risks CO. L.L.C
145, Al Mustaqbal street, Iris Bay Tower 2101-11, Business Bay, Dubai, United Arab Emirates
https://pwn-all.com
Privacy requests: privacy@pwn-all.com
Corporate inquiries: corp@pwn-all.com