Privacy Policy

Last updated: 06 May 2026

Data Controller and Introduction

OnlineHashCrack ("we", "us", "our") is the data controller responsible for personal data processed through the Service at onlinehashcrack.com. This Privacy Policy explains what personal data we collect, how and why we use it, the legal bases we rely on, how long we keep it, and your rights. It applies to all users of the Service, including API users, and should be read alongside our Terms and Conditions.

What Data We Collect

Account data: email address, hashed account password, registration timestamp, email verification status, and Tier level. This is required to create and manage your account.

Submission data: when you use the Service, we process the following categories:

  • Submitted hashes and task parameters;
  • Source files (encrypted Office documents, PDF files, WPA/WiFi captures) - deleted immediately and automatically upon hash extraction; we do not retain source files beyond the extraction operation;
  • Recovered passwords (Outputs) - retained only for the submitting User and accessible via the dashboard;
  • Custom wordlists - retained for the duration of the account.

Usage and technical data: IP addresses, session tokens, timestamps, and API usage logs. This data is used to operate and secure the Service, detect abuse, and maintain audit records.

Payment data: we do not store or have access to payment card data. All payments are processed by Stripe. We receive only a payment confirmation and metadata.

Terms acceptance records: when you submit a task, we record the version of the Terms and Conditions you accepted, your IP address, and timestamp. This is maintained as an audit trail for legal compliance.

Communications: if you contact us via our contact form, we retain your message and contact details for as long as necessary to respond and for legitimate record-keeping purposes.

Analytics: we use Google Analytics to collect aggregated usage statistics and understand how visitors use the Service. Where required by law, Google Analytics is used only with your prior consent.

Legal Bases for Processing (GDPR Art. 6)

We process your personal data on the following legal bases:

  • Contractual necessity (Art. 6(1)(b)): account creation and management, processing Submissions, delivering Outputs, and handling payments. This processing is required to provide the Service and cannot be opted out of while using it.
  • Legitimate interests (Art. 6(1)(f)): securing the platform, preventing fraud and abuse, maintaining audit trails for legal defense, improving the Service, and preserving records where reasonably necessary to prevent abuse, investigate security incidents, respond to lawful requests from competent authorities, or establish, exercise, or defend legal claims. We have assessed that these interests are not overridden by your privacy rights.
  • Legal obligation (Art. 6(1)(c)): where we are required to retain or disclose data under applicable law or a lawful order from a competent authority.
  • Consent (Art. 6(1)(a)): for optional communications (service updates, newsletters). You may withdraw consent at any time via your dashboard or by contacting us.

Data Retention

We retain personal data only for as long as necessary for the purpose for which it was collected:

  • Active account data: for the duration of the account and for up to 12 months following account deletion or last activity;
  • Submitted hashes and task data: up to 12 months from the date of submission;
  • Recovered passwords (Outputs): up to 12 months from the date of recovery, accessible only to the submitting User;
  • Source files (encrypted documents, WPA captures): deleted immediately upon hash extraction - not retained beyond the extraction operation;
  • Custom wordlists: deleted upon account deletion;
  • Terms acceptance records: retained for the applicable legal limitation period;
  • Non-activated accounts: permanently deleted 15 days after registration;
  • Inactive accounts (no login for 12 consecutive months): permanently and automatically deleted, including all associated data.

Notwithstanding the periods above, we may retain logs, Submissions, Outputs, account information, payment identifiers, IP addresses, and related metadata for as long as reasonably necessary for abuse prevention, security investigations, legal defense, enforcement of our Terms, or compliance with lawful requests from competent authorities.

Security

We implement commercially reasonable technical and organisational measures to protect your personal data, including HTTPS/TLS encryption in transit, access controls, logging and monitoring, and data minimisation.
No transmission or storage method is 100% secure and we cannot guarantee absolute security. In the event of a personal data breach affecting your rights and freedoms, we will notify you. Full details are available at our Trust Center.

Cookies and Advertising

We use cookies and similar technologies for the following purposes:

  • Essential cookies: required for the Service to function (session management, CSRF protection, authentication) - these cannot be disabled;
  • Analytics: Google Analytics with anonymised IP addresses to understand how visitors use the Service;
  • Advertising: Google Ads for campaign measurement.

You can manage or refuse non-essential cookies via your browser settings or the cookie-consent banner displayed on first visit. For details on how Google processes data, see Google's Privacy & Terms.

Third Parties and Data Processors

We may share data with third-party processors who assist us in delivering the Service, and only to the extent necessary. All processors are bound by data processing agreements and appropriate security obligations. Current processors include:

  • Stripe - payment processing (PCI DSS compliant; Stripe's own privacy policy applies to payment data);
  • Google - analytics and advertising (data may be transferred to the US under Standard Contractual Clauses).

We do not sell, rent, or share personal data with third parties for their own marketing or commercial purposes.

We may disclose personal data to law enforcement or competent authorities when required by law, court order, or to protect the rights of OnlineHashCrack or third parties from illegal activity.

International Data Transfers

Some of our processors, including Google, may transfer personal data outside the European Economic Area. Such transfers are carried out under appropriate safeguards, including Standard Contractual Clauses approved by the European Commission (Art. 46 GDPR), or on the basis of an adequacy decision. Where transfers occur, we take reasonable steps to ensure your data receives a level of protection equivalent to that within the EEA.

Your GDPR Rights

If you reside in the EU/EEA, you have the following rights under the GDPR:

  • Right of access - obtain a copy of your personal data;
  • Right to rectification - correct inaccurate or incomplete data;
  • Right to erasure - request deletion of your data where it is no longer necessary, subject to our legitimate interests and legal obligations;
  • Right to restriction - request limited processing while a concern is being addressed;
  • Right to data portability - receive your data in a structured, machine-readable format;
  • Right to object - object to processing based on legitimate interests or for direct marketing;
  • Right to lodge a complaint - with the data protection supervisory authority competent for your country of residence.

CCPA Privacy Notice (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA/CPRA) grants you the following rights:

  • Right to know - request details on personal information collected, used, or disclosed in the last 12 months;
  • Right to delete - request deletion of personal information, subject to legal retention obligations;
  • Right to correct - request correction of inaccurate personal information;
  • Right to opt-out of sale/sharing - we do not sell or share personal information for cross-context behavioural advertising;
  • Right to non-discrimination - we will not discriminate against you for exercising any CCPA right.

We will respond to verified requests within 45 days.

How to Exercise Your Privacy Rights

To exercise any right under the GDPR or CCPA, withdraw consent, or raise a privacy concern, contact us via our contact form.

We will acknowledge receipt within 10 business days and respond within the applicable statutory period (30 days for GDPR; 45 days for CCPA). We may verify your identity before processing your request to prevent unauthorised disclosure.

Changes to This Policy

OnlineHashCrack may update this Privacy Policy from time to time. The revised Policy will be published at this URL with an updated "Last updated" date. Your continued use of the Service following any update constitutes acceptance of the revised Policy. Where required by applicable law, we will provide advance notice of material changes.