Privacy & Data Protection

Privacy Policy

City of Hats is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights under applicable data protection laws.

Effective Date: December 1, 2025

Quick Summary

  • We only collect emails you submit for monitoring
  • We never store passwords or sensitive credentials
  • We do not sell your data to third parties
  • You can delete your data at any time
PDPA Thailand
GDPR
PIPEDA
1. Information We Collect

When you use City of Hats services, we collect only the minimum information necessary to provide dark web monitoring and breach detection services.

Data We Collect
  • Email addresses you submit for breach monitoring
  • Domain names for enterprise/organization monitoring
  • LINE User ID (for LINE integration features only)
  • Account registration information (name, contact email)
  • Alert preferences and notification settings
  • Usage logs for service improvement (anonymized)
2. Information We Do NOT Collect

City of Hats is designed with privacy-first principles. We explicitly do NOT collect, store, or have access to the following sensitive information:

Data We Do NOT Collect or Store
  • Your passwords (we never ask for or store passwords)
  • Credit card or payment card numbers
  • National ID numbers or Social Security numbers
  • Bank account information
  • Health or medical records
  • Biometric data
  • The actual content of breached data (we only report that a breach exists)
3. How We Use Your Information

We use the information you provide solely for the following purposes:

  • To monitor dark web sources for breaches involving your email addresses or domains
  • To send you alerts when your information is found in a data breach
  • To provide security recommendations and remediation guidance
  • To communicate important service updates and security advisories
  • To improve our services based on anonymized usage patterns

We do NOT use your information for advertising, marketing to third parties, or any purpose unrelated to providing our security services.

4. How Dark Web Monitoring Works

Our dark web monitoring service searches publicly available leak databases and dark-web intelligence services for evidence of compromised credentials. Here's how it works:

What we search: We query trusted breach databases and dark-web intelligence services using only the email addresses or domains you provide. We search publicly available leak data that has already been exposed in known breaches.

What we report: When we find a match, we alert you that your email was found in a specific breach. We report the breach name, date, and types of data exposed (e.g., "passwords," "phone numbers"). We do NOT retrieve, store, or display the actual leaked passwords or sensitive data.

Legal compliance: Our monitoring uses only legitimate, legal data sources. We do not access, purchase, or interact with illegal dark web marketplaces. All data sources we use comply with applicable data protection laws.

5. Data Retention

We retain your data only for as long as necessary to provide our services:

Data Type                    Retention Period
Monitored email addresses    Until you remove them or close your account
Alert history                12 months (for your reference)
Account information          Until account deletion + 30 days
Usage logs                   90 days (anonymized after 30 days)

When you delete your account, all personal data is permanently removed within 30 days. Anonymized statistical data may be retained for service improvement.

6. Your Rights

Under PDPA, GDPR, PIPEDA, and other applicable data protection laws, you have the following rights:

Your Data Rights
  • Right to Access: Request a copy of all data we hold about you
  • Right to Rectification: Correct any inaccurate information
  • Right to Erasure: Delete your account and all associated data
  • Right to Portability: Export your data in a machine-readable format
  • Right to Withdraw Consent: Stop monitoring at any time
  • Right to Lodge Complaint: Contact your local data protection authority

To exercise any of these rights, contact us at admin@cityofhats.com. We will respond within 30 days as required by law.

7. International Compliance

City of Hats is committed to complying with international data protection regulations:

PDPA (Thailand): We comply with Thailand's Personal Data Protection Act, including lawful basis for processing, data subject rights, and cross-border data transfer requirements. Thai users can exercise all rights under PDPA Sections 30-36.

GDPR (European Union): For EU residents, we process data under legitimate interest (Article 6(1)(f)) for providing security services. We ensure appropriate safeguards for any data transfers outside the EU.

PIPEDA (Canada): We comply with Canada's Personal Information Protection and Electronic Documents Act, including consent requirements, purpose limitation, and accountability principles.

8. Third-Party Services

We use the following third-party services to provide our platform:

  • LINE Messaging API: For LINE notification features (LINE Corporation Privacy Policy applies)
  • Cloud Infrastructure: Secure cloud hosting with encrypted data storage
  • Breach Intelligence Providers: Legitimate data breach databases and security intelligence feeds
  • Payment Processors: For paid subscriptions (we never see or store your card details)

All third-party providers are vetted for compliance with applicable data protection laws and are bound by data processing agreements.

9. Data Security

We implement industry-standard security measures to protect your data:

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Regular security audits and penetration testing
  • Access controls and role-based permissions
  • 24/7 monitoring for security incidents
  • Incident response procedures and breach notification protocols
10. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:

Data Protection Officer

City of Hats

Website
Response Time: Within 30 days