Yes, it has to in order to track who to contact should they be caught up in a subsequent data breach. Only the email address, the date they subscribed on and a random token for verification are stored.
HIBP provides a record of which breaches an email address has appeared in regardless of whether the password has consequently been changed or not. The fact the email address was in the breach is an immutable historic fact; it cannot later be changed. If you don’t want any breach to publicly appear against the address, use the opt-out feature.
What email address are notifications sent from?
All emails sent by HIBP come from If you’re expecting an email (for example, the verification email sent when signing up for notifications) and it doesn’t arrive, try white-listing that address. 99.x% of the time email doesn’t arrive in someone’s inbox, it’s due to the destination mail server bouncing it.
How do I know the site isn’t just harvesting searched email addresses?
You don’t, but it’s not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach.