Privacy Policy

1. What we collect

When you use DEINDEX.ME, you voluntarily provide:

• Email address — used to discover accounts, send deletion requests, and deliver your detonation report
• Phone number (optional) — used to expand account discovery and include in deletion requests where relevant

That is everything. We do not collect names, addresses, payment details, IP addresses for identification, or any other personal information.

2. How we use it

• Account discovery — we query the Have I Been Pwned API and our curated service database to identify where your data exists
• Deletion requests — we generate and send GDPR/CCPA deletion requests to services you select
• Detonation report — we generate a PDF summarizing all actions taken and email it to you

3. How long we keep it

For the duration of a single session. All your data exists in your browser and in a short-lived encrypted token (JWT) that expires after one hour. Once your detonation report is emailed, everything is purged immediately. There is no database. There is no “30-day retention.” There is no backup. It is gone.

4. What we share

Your email and phone number are included in the deletion requests sent to third-party services. This is the entire point — for a company to delete your data, they need to know which data is yours.

We do not sell, rent, or share your information with anyone for any other purpose. Ever.

5. Cookies

None. Zero. We do not use cookies. We do not use local storage for tracking. We do not use fingerprinting.

6. Analytics

We use privacy-respecting, cookieless analytics (Plausible or Umami) to understand how people use the site — page views, referral sources, country-level geography. These tools do not track individuals, do not use cookies, and comply with GDPR without requiring consent. We cannot identify you from our analytics data.

7. Third-party services

DEINDEX.ME uses the following third-party services:

• Resend — email delivery (verification emails, deletion requests, reports)
• Stripe — donation processing (we never see or store your payment information)
• Cloudflare — DNS, CDN, and Turnstile bot prevention
• Have I Been Pwned — breach database for account discovery

8. Your rights

Under GDPR (EU/EEA) and CCPA (California), you have the right to access, correct, and delete your personal data. Since we delete everything immediately after your session ends, there is nothing to request deletion of after the fact.

If you have questions about data processing during an active session, contact us at the address below.

9. Contact

For privacy inquiries:

10. Changes to this policy

If we update this policy, we will update this page and the “Last updated” date above. We cannot notify you by email because we do not have your email. The spirit of this policy will not change: we collect the minimum, we keep nothing, and we never sell your data.