Data transparency

What happens to intake data submitted through Breached.

Short answer: intake data is routed only when a law firm or claim operator is assigned to that specific breach. If no attorney is currently investigating through Breached, the submission is kept as an interest and notification request unless the submitter selected named participating firms for future evaluation. The Breached Claims admin product is limited to newsletter records, when the newsletter is live, plus selected operational telemetry.

Intake routing: Case state based
Admin intake PII: Not exposed
Telemetry: Limited

Intake submissions

What data is shared with the operators of Breached Claims when I submit an intake form?

Assigned claim operators can view and export intake rows for assigned cases only when the submission consent covers that firm. If a case has no assigned attorney or firm, the submission is not routed unless the submitter selected that named participating firm for future evaluation.

Case context: The breach, company, and case identifiers tied to the intake submission.
Contact details: Your name and email, plus phone number and ZIP code when you choose to provide them.
Intake answers: Whether you received a notice, had an account, saw suspicious activity, want attorney follow-up, and any notes you submit.
Consent record: The policy version, policy IDs, consent flag, and acceptance timestamp connected to the intake.
Workflow status: Submission time, intake status, case status, and export timestamp when an assigned operator exports the case CSV.

Admin access

What data do Breached Claims admins have access to?

The admin product does not expose submitted intake form PII. Admin access is intentionally narrow: newsletter records, if the newsletter is live, plus selected operational telemetry.

Newsletter, if live: Subscriber email, subscription status, policy acceptance timestamp, send counts, and send or unsubscribe timestamps.
Select telemetry: Hashed IP values for rate limiting, short user-agent strings, timestamps, aggregate counts, scrape health, analysis job health, and export audit metadata.

Boundaries

The product separates intake PII from general admin operations.

Breached Claims admins do not use the admin product to browse intake form PII like name, email, phone, ZIP, or notes.

Each intake stores the case status at submission, such as interest expression or firm review.

If no attorney or law firm is currently investigating through Breached, the intake is retained as an interest and notification request unless the submitter selected named participating firms for future evaluation of that same matter.

Claim operators receive intake submissions only for breach cases assigned to their firm and only when that firm was identified or selected in the user's sharing consent.

Newsletter subscriber status is not part of the claim operator intake export.

The intake flow stores IP-derived hashes for rate limiting instead of raw IP addresses.

Telemetry

Select telemetry is used for rate limiting, abuse prevention, export auditing, and service health. It is not a marketing profile and it is not included in the assigned operator intake export.

Policies

Formal terms and privacy documents live on the policies page. This page is the plain-English access summary.