SchoolBreach.org

Privacy Policy

Your privacy matters. Here's how we protect your data.

Last updated: May 1, 2026

PDPA Aligned
Data Protected
Data Encrypted

SchoolBreach.org, an initiative by OceanEd Inc. ("we," "us," or "our"), is committed to protecting the privacy and security of personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use:

  • the SchoolBreach.org breach tracker at schoolbreach.org;
  • SchoolBreach Sonar, our security scanning service for Philippine schools, at sonar.schoolbreach.org; and
  • any related tools, content, and communications we provide.

We are committed to aligning with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations, as enforced by the National Privacy Commission (NPC), and with Republic Act No. 10175 (Cybercrime Prevention Act of 2012) for authorized security testing.

For Sonar users, a service-specific Privacy Policy is published at sonar.schoolbreach.org/privacy. Where the two policies differ in detail, the Sonar policy controls for matters specific to the Sonar service.

1. Information We Collect

A. Information You Provide

Breach tracker:

  • Contact information (name, email, organization) when you submit breach reports or inquiries.
  • Breach report details, including school names, incident descriptions, and supporting evidence.
  • Feedback, comments, suggestions, and questions you send to us.

SchoolBreach Sonar:

  • Account information: full name, email, role at the school (e.g., IT officer, principal), school name, target domain or URL, and a hashed password.
  • Verification information: school email, phone or video verification session notes recorded by our team during onboarding.
  • Scan and consent data captured for every scan you initiate:
    • Target URL and selected scan mode.
    • Consent records, including the name, role, IP address, and timestamp of each checkbox confirmation.
    • Principal authorization, including the name, email, and authorization timestamp of the approving school principal.
    • For authenticated scans: credentials, session cookies, and tokens you provide solely to enable login replay during the scan. These are encrypted at rest and used only for the duration of the scan.
  • Scan results: security grade (A–F), vulnerability findings, severity ratings, AI-generated summary, and PDF reports.

B. Information Collected Automatically

  • Device information (browser type, operating system, device identifiers).
  • Usage data (pages visited, features used, time spent).
  • IP address and general location data.
  • Cookies and similar tracking technologies.

2. How We Use Your Information

We use collected information for the following purposes:

  • To maintain and improve our breach tracker and security tools.
  • To verify and publish breach reports for public awareness.
  • To run, monitor, and report on Sonar scans you authorize, including generating AI-assisted reports and remediation recommendations.
  • To verify your identity and your school's authorization before any Sonar scan runs.
  • To maintain consent and authorization records required under RA 10175 for authorized security testing.
  • To respond to inquiries and provide support.
  • To send administrative notices and updates.
  • To generate aggregate statistics about school data breaches and security posture in the Philippines (anonymized).
  • To comply with legal obligations and regulatory requirements.
  • To protect against fraudulent or unauthorized activity.

3. Data Protection Measures

We implement robust security measures to protect your data:

Encryption

All sensitive data is encrypted at rest and in transit using industry-standard protocols. Authentication credentials provided for Sonar scans are stored using AES-256-GCM and accessed only by the scan worker for the duration of the scan.

Access Control

Strict access controls ensure only authorized team members can manage breach data and scanner records.

Responsible Disclosure

Some school names may be withheld in the public tracker to protect affected institutions and students. Sonar scan reports are private to the school that requested them and are never published.

Source Verification

Social media monitoring may help identify potential incidents, but breach reports are verified using corroborating public records, media coverage, official disclosures, and NPC filings.

Authorization Controls for Scanning

Sonar will not run a scan without verified school registration, principal authorization, and recorded consent. Active scans are restricted to schedules consented to by the school.

4. Your Rights Under the Data Privacy Act

As a data subject, you have the following rights:

  • Right to be Informed — know how your personal data is being processed.
  • Right to Access — obtain a copy of your personal data we hold.
  • Right to Rectification — request correction of inaccurate or incomplete data.
  • Right to Erasure — request deletion of your personal data under certain conditions, subject to legal retention requirements (see §6).
  • Right to Object — object to processing of your personal data.
  • Right to Data Portability — receive your data in a commonly used format.
  • Right to Lodge a Complaint — file a complaint with the National Privacy Commission.

To exercise any of these rights, contact us using the details in §10. We will respond within 15 business days. Deletion requests will be processed within 30 days, subject to legal retention requirements.

5. Data Sharing and Disclosure

We do not sell, rent, or trade personal information. We may share data in the following circumstances:

  • Public breach data: Verified breach information is published on our tracker for public awareness. Personal details of reporters are never disclosed.
  • Private Sonar scan reports: Scan reports, findings, and authentication material provided for scanning are never published or shared with third parties except as needed to run the service (see "Service providers" below) or as required by law.
  • Service providers: Trusted third parties who assist in operating our website and Sonar (Google Cloud Platform for hosting and storage, Firebase for authentication and database, AI model providers for report generation, email delivery providers). These providers process data on our behalf under data processing agreements and are not permitted to use your data for their own purposes or to train AI models.
  • Legal requirements: When required by Philippine law, court order, or government regulation.
  • NPC coordination: We may share breach information with the National Privacy Commission to support their enforcement efforts.
  • Business transfer: If OceanEd is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

Breach tracker:

  • Breach records are retained indefinitely as part of our public tracker for historical reference.
  • Contact information from inquiries is retained for up to 2 years unless you request earlier deletion.

SchoolBreach Sonar:

  • Account data is retained while your account is active and for 30 days after deletion.
  • Scan reports are retained while your account is active or as needed to provide the service.
  • Consent and authorization records are retained for a minimum of 5 years as required to demonstrate compliance with RA 10175.
  • Authentication credentials provided for authenticated scans are deleted after the scan completes, typically within 24 hours.

Both:

  • Analytics data is retained in aggregate form and cannot be used to identify individuals.

When retention periods expire, data is securely deleted or anonymized.

7. Cookies and Tracking

Our websites use cookies and similar technologies to enhance your experience. These include:

  • Essential cookies: Required for basic website functionality and Sonar authentication.
  • Analytics cookies: Help us understand how visitors interact with our website.
  • Preference cookies: Remember your settings and preferences.

You can control cookie preferences through your browser settings.

8. Children's Privacy

SchoolBreach.org and SchoolBreach Sonar are not directed at children. The breach tracker is a public awareness resource for educators, administrators, and parents. Sonar accounts are issued only to verified school staff. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will take steps to delete it promptly.

9. AI-Generated Content

Sonar scan results are processed by third-party AI models to generate security summaries, severity ratings, and remediation recommendations. When scan data is submitted for AI processing, it is handled under the AI provider's data processing terms. We do not permit AI providers to use your scan data to train their models.

AI-generated content may contain inaccuracies. Reports should be reviewed by qualified IT personnel. OceanEd is not liable for decisions made based on AI-generated report content.

10. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data privacy rights, please contact our Data Protection Officer:

Email: contact@schoolbreach.org

General inquiries: hello@theoceaned.com

Organization: OceanEd Inc. — Data Protection Officer

Address: Las Piñas City, Philippines

You may also file a complaint with the National Privacy Commission at www.privacy.gov.ph.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date, and — for Sonar account holders — by email. We encourage you to review this policy periodically.