Trust, verified.

No cherry-picked testimonials. No "Featured in" banners we bought. Instead: what GalaxyWarden actually does, what it sees, and what it keeps — in full, inspectable detail. Last updated June 2026.

How it actually works

When you enter an email, username, phone, or name, our DoxxScan™ engine queries independent breach-intelligence datasets — Have I Been Pwned, DeHashed (V2 API), and internal indexes aggregated from public paste dumps and disclosed breach corpora. Every lookup key is hashed before it is sent. The result is progressive: an email match can reveal usernames, a username match can reveal passwords, a password can reveal linked accounts. We call this the credential chain; our /compare page walks through how it differs from yes/no breach checkers. For removals, we file authorized-agent opt-out requests to data-broker sites on your behalf.

By the numbers

The numbers we publish on marketing pages, here in one audit-ready place:

  • 15.4B+: Breach records indexed across HIBP + DeHashed + internal corpora
  • 800+: Data-broker sites we file removals to on your behalf
  • 95+: Platforms our chain discovery covers
  • <5s: Median scan time for an email + username entry
  • 7: Average exposed accounts our users do not know about before scanning
  • Day 30: We re-verify every removal and re-file anything that reappears

What we store, what we do not

We store, for your account:

Your email (verified), scan history (which credentials you chose to scan — not the credentials themselves), risk scores, and removal/remediation progress. That is enough to keep your dashboard working across sessions.

We do not store — ever:

Plaintext passwords from any breach. Social Security numbers, IDs, or financial account numbers. Your scan queries after the report is rendered. We show you passwords that appeared in public breach corpora so you can remediate them, then drop them from our result cache.

  • Encryption: TLS 1.3 in transit, AES-256 at rest for user records, bcrypt/PBKDF2 for account credentials.
  • Privacy-first lookups: breach lookups hash credentials before server transit; your queries are never plaintext-logged.
  • Data subject rights: export your data via /account/export, or delete your account and all associated records via /account/delete.
  • No third-party sale: we do not sell, rent, or license your data, and we never direct you to a third party's site. Full privacy policy at /privacy.

Security disclosure

If you find a vulnerability, we want to hear from you. Full disclosure policy, scope, out-of-scope list, and hall of fame: /security. Machine-readable contact: /security.txt (RFC 9116). Reach us directly at support@galaxywarden.com. Researchers acting in good faith will not be pursued under the CFAA for actions covered by our disclosure scope.

  • Responsible-disclosure friendly
  • No-CFAA-against-researchers pledge
  • security.txt published

Names you will see

Privacy products have a naming problem because security is full of jargon. Our conventions:

  • GalaxyWarden — the company and the platform. What you sign into.
  • DoxxScan™ — the exposure-scanning engine. What runs when you search an email, username, phone, or name. Every scan, report, and chain map comes out of DoxxScan.
  • OneShot — the one-time $19 cleanup: full scan + broker removals filed on your behalf, with 30 days of Warden Plus included.
  • Warden Plus — the subscription ($9.99/mo, or $99/yr at $8.25/mo effective): ongoing monitoring, alerts, and auto-refiling.
  • BATECH LLC — the legal entity that operates GalaxyWarden.

Who is behind this

BATECH LLC — built out of a red-team and OSINT background, now building GalaxyWarden and the DoxxScan™ engine. Registered domain galaxywarden.com. Contact: support@galaxywarden.com. Mailing address on request; we do not publish it here because, as a data-privacy company, we practice what we preach.

Read more about the team at /about.

This page is updated whenever something on it changes. See our deploy rhythm for release cadence.