Trust, verified.
No cherry-picked testimonials. No "Featured in" banners we bought. Instead: what DoxxScan actually does, what it sees, and what it keeps — in full, inspectable detail. Last updated 2026-04-24.
How DoxxScan actually works
When you enter an email, username, phone, or name, DoxxScan queries four independent breach-intelligence datasets — Have I Been Pwned, DeHashed (V2 API), and two internal indexes aggregated from public paste dumps and disclosed breach corpora. Every match is hashed client-side before the lookup key is sent. The result is progressive: an email match can reveal usernames, a username match can reveal passwords, a password can reveal linked accounts. We call this the DoxxScan Chain; our /compare page walks through how it differs from yes/no breach checkers.
By the numbers
These are the numbers we publish on marketing pages, here in one audit-ready place:
What we store, what we do not
We store, for your account:
Your email (verified), scan history (which credentials you chose to scan — not the credentials themselves), risk scores, and remediation progress. That is enough to keep your dashboard working across sessions.
We do not store — ever:
- Plaintext passwords from any breach.
- Social Security numbers, IDs, or financial account numbers.
- Your scan queries after the report is rendered.

We show you passwords that appeared in public breach corpora so you can remediate them, then drop them from our result cache.
- Encryption: TLS 1.3 in transit, AES-256 at rest for user records, bcrypt for account credentials.
- Zero-knowledge architecture: breach lookups hash credentials before server transit; your queries are never plaintext-logged.
- Data subject rights: export your data via /account/export, or delete your account and all associated records via /account/delete.
- No third-party sale: we do not sell, rent, or license your data. Full privacy policy at /privacy.
Security disclosure
If you find a vulnerability, we want to hear from you. Full disclosure policy, scope, out-of-scope list, and hall of fame: /security. Machine-readable contact: /security.txt (RFC 9116). Reach us directly at support@galaxywarden.com. Researchers acting in good faith will not be pursued under the CFAA for actions covered by our disclosure scope. Our official-domain verification page is at /doxxscan/trust.
Names you will see
Anti-doxxing products have a naming problem because security is full of jargon. Our conventions:
- GalaxyWarden — the company and the platform (subscription + monitoring). What you sign into.
- DoxxScan™ — the product engine. What runs when you search an email, username, phone, or name. Every scan, report, and chain map comes out of DoxxScan.
- Warden / Warden Plus / Enterprise — the three subscription tiers (from $4.17/mo annual / $9.99/mo / custom).
- Security Galaxy — the 3D orb visualization of your personal risk profile.
- BATech LLC — the legal entity that operates GalaxyWarden.
Who is behind this
BATech LLC, operating since 2018 — first as a penetration-testing consultancy, now building DoxxScan and GalaxyWarden. Registered domain galaxywarden.com. Contact: support@galaxywarden.com. Mailing address on request; we do not publish it here because, as an anti-doxxing company, we practice what we preach.
Read more about the team at /about.