Absolutely not. Our Zero-Trace architecture uses the Web Crypto API to convert your password into a 40-character SHA-1 hash locally on your device. We only send the first 5 characters of that hash to the database (the k-Anonymity protocol).
What is k-Anonymity?
k-Anonymity is a cryptographic privacy model. Because your browser sends only a 5-character prefix, the API returns a list of hundreds of breached hashes that share those same 5 characters. Your browser then searches that list locally to find the exact match. The API never knows which of the hundreds of hashes you were actually checking.
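The flow described in the two answers above, as an added example that is not this tool's own code: hash locally with the Web Crypto API, send only the 5-character prefix, and match the remaining 35 characters on the device. The function names, the injected `fetchRange` stub and the sample response are assumptions constructed for illustration; the `SUFFIX:COUNT` line format is the one the HIBP range endpoint returns.

```javascript
// Use the browser's Web Crypto; fall back to Node's copy when run outside a browser.
async function getSubtle() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  const { webcrypto } = await import('node:crypto');
  return webcrypto.subtle;
}

// SHA-1 of the UTF-8 password as 40 uppercase hex characters.
async function sha1Hex(password) {
  const subtle = await getSubtle();
  const digest = await subtle.digest('SHA-1', new TextEncoder().encode(password));
  return Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0'))
    .join('').toUpperCase();
}

// Scan "SUFFIX:COUNT" lines for our 35-character suffix and return its breach count.
function countForSuffix(body, suffix) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) {
      return parseInt(count, 10) || 0; // missing, malformed or zero count => no hit
    }
  }
  return 0;
}

// fetchRange(prefix) is injected, so the prefix is the only value handed to the network.
async function checkPassword(password, fetchRange) {
  const hash = await sha1Hex(password);
  const prefix = hash.slice(0, 5);   // sent to the API
  const suffix = hash.slice(5);      // never leaves the device
  const body = await fetchRange(prefix);
  return { prefix, count: countForSuffix(body, suffix) };
}

// Constructed response body: the counts and the last two suffixes are made up.
const SAMPLE_BODY = [
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42',
  '00000000000000000000000000000000AAA:3',
  'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFBBB:0',
].join('\r\n');

// Stub standing in for the range request; records everything the "server" sees.
const sentToApi = [];
async function stubFetchRange(prefix) {
  sentToApi.push(prefix);
  return SAMPLE_BODY;
}
```

Calling `checkPassword('password', stubFetchRange)` resolves with the prefix `5BAA6` and the constructed count, while `sentToApi` shows that the prefix is the only value the stub received.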
Where does the breach data come from?
This tool queries the industry-standard Have I Been Pwned (HIBP) API, which tracks billions of compromised passwords from global database leaks, malware drops, and security breaches.