How Umbrify protects your data
Security is not a feature — it is the foundation of everything we build.
k-Anonymity for Password Checks
When you check a password, it is never sent to our servers. We use the k-anonymity model: your password is hashed with SHA-1 locally, and only the first 5 characters of that hash are transmitted. Our server returns a list of matching hash suffixes — your device checks the result locally. At no point does Umbrify or Have I Been Pwned receive your actual password.
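The check described above, as an added example (not Umbrify's code). The `SUFFIX:COUNT` response format is assumed, following the public HIBP range API; `StubRangeServer` and its corpus are hypothetical, constructed stand-ins so the exchange runs offline and shows what the server actually receives.

```python
import hashlib

PREFIX_LEN = 5  # hex characters of the SHA-1 digest that leave the device

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str) -> tuple[str, str]:
    """Hash locally; return (prefix to transmit, suffix that stays local)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (assumed format), skipping malformed ones."""
    table = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 40 - PREFIX_LEN and count.isdigit():
            table[suffix.upper()] = int(count)
    return table

def breach_count(password: str, fetch_range) -> int:
    """Send only the prefix; match the suffix against the reply on-device."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

class StubRangeServer:
    """Hypothetical offline stand-in for the server; logs what it receives."""
    def __init__(self, corpus: dict[str, int]):
        self.index = {sha1_hex(pw): n for pw, n in corpus.items()}
        self.seen = []

    def fetch_range(self, prefix: str) -> str:
        self.seen.append(prefix)
        return "\n".join(f"{d[PREFIX_LEN:]}:{n}"
                         for d, n in self.index.items() if d.startswith(prefix))

# Constructed sample corpus, not real breach data.
CONSTRUCTED_CORPUS = {"password": 3, "letmein": 2}

if __name__ == "__main__":
    server = StubRangeServer(CONSTRUCTED_CORPUS)
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate, server.fetch_range))
    print("server saw only:", server.seen)
```

The `seen` log is the part to inspect: it holds 5-character prefixes only, which is everything the server side learns about the password being checked.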
Have I Been Pwned Integration
Breach data is sourced from Have I Been Pwned (HIBP), the world's largest publicly available breach database maintained by Troy Hunt. HIBP aggregates data from publicly disclosed breaches. Umbrify uses the HIBP API under their terms of service and provides proper attribution on all breach results.
AES-256 Encryption at Rest
All user data stored in our backend (Supabase on AWS) is encrypted at rest using AES-256. Data in transit is protected by TLS 1.2 or higher. Encryption keys are managed by AWS KMS and rotated automatically.
No Data Selling
Our business model is subscriptions, not advertising. We do not sell, license, or share your personal information with data brokers, advertisers, or any third party for commercial purposes. Your data is used only to provide the service to you.
Found a vulnerability?
We take security reports seriously. If you discover a vulnerability in Umbrify, please disclose it responsibly. We will acknowledge reports within 48 hours and work to resolve valid issues promptly.
security@umbrify.app