Frequently Asked Questions About Digital Privacy & OSINT
Answers to common questions about digital footprints, data brokers, credential leaks, GDPR rights, and how professional OSINT investigations protect individuals and organisations.
Digital Privacy & OSINT Basics
What is a digital footprint and why does it matter?
A digital footprint is the trail of data you leave online — social media profiles, forum posts, public records, people-search profiles, and breached credentials. It matters because attackers use this information to build target profiles for phishing, identity theft, and social engineering. Most people significantly underestimate how much of their personal data is publicly accessible. Our guide on what a digital footprint actually contains breaks down the categories in detail.
What is OSINT and how is it used in privacy investigations?
OSINT (Open Source Intelligence) is the practice of collecting and analysing information from publicly available sources — search engines, social media, public records, breach databases, and the dark web. In privacy investigations, OSINT techniques reveal what an attacker, data broker, or stalker could learn about you without breaking any laws. See what investigators actually find when they search a name.
What are data brokers and how do they collect personal information?
Data brokers are companies that aggregate personal information from public records, social media, loyalty programmes, app SDKs, and purchased datasets, then sell or license that data to advertisers, employers, and anyone willing to pay. In Europe alone, over 100 data brokers operate across advertising, financial scoring, and people-search categories. Our EU data broker directory lists 75 brokers with opt-out instructions.
What is the mosaic effect in digital privacy?
The mosaic effect describes how individually harmless pieces of information — a LinkedIn job title, a running app route, a property record — combine into a detailed personal profile. No single data point is dangerous on its own, but together they reveal home addresses, daily routines, financial status, and family connections. We explain how the mosaic effect works in practice with real examples.
How do attackers use publicly available information?
Attackers combine data broker records, social media profiles, breached credentials, and public records to craft targeted phishing emails, answer account-recovery security questions, conduct vishing (voice phishing) attacks, or impersonate their targets. The 2025 Verizon DBIR puts the human element, which includes social engineering, in roughly 60% of breaches; the reconnaissance behind those attacks typically starts with publicly available information.
What is the difference between data privacy and data security?
Data security protects information from unauthorised access through encryption, firewalls, and access controls. Data privacy governs who is allowed to collect, use, and share your personal information and under what conditions. You can have strong security but poor privacy — a company may protect your data from hackers while freely selling it to data brokers. Both are necessary; neither is sufficient alone.
Data Broker Removal & GDPR Rights
How do I remove my personal data from data broker websites?
You need to identify which brokers hold your data, then submit individual opt-out requests to each one. In the EU, cite GDPR Article 17 (right to erasure) as the legal basis; where a broker processes your data for direct marketing, Article 21 also gives you an absolute right to object, which the broker must honour. The process is time-consuming: most people have profiles on 30–80 brokers, each with different opt-out procedures, and brokers often re-acquire data from upstream sources within months, requiring repeated removal cycles. Start with our step-by-step opt-out guide or learn what a professional removal engagement looks like.
What is a GDPR data subject access request?
A Data Subject Access Request (DSAR) under GDPR Article 15 requires any organisation that processes your personal data to disclose what it holds about you, the purposes of processing, where it obtained the data, who it has shared it with, and how long it intends to retain it. Organisations must respond within one calendar month, extendable by a further two months for complex or numerous requests, and must tell you within the first month if they take the extension. A DSAR is often the first step before requesting deletion, because you cannot ask for erasure of records you do not know exist. We provide a complete DSAR template with instructions.
How long does professional data broker removal take?
Initial removal from major brokers typically takes 6–8 weeks. Some brokers process opt-outs within days; others take the full one-month GDPR response period (extendable by two months for complex requests) or longer. The Eraser includes a 90-day re-scrub to catch brokers that re-list your data from upstream sources. Because brokers keep re-acquiring data, ongoing suppression is the only way to keep it off these sites.
What is the right to erasure under GDPR?
The right to erasure (Article 17 GDPR) gives EU residents the right to request deletion of their personal data when it is no longer necessary for the original purpose, when consent is withdrawn, or when data was processed unlawfully. It is not absolute — exceptions exist for legal obligations, public interest, and freedom of expression. Data brokers rarely qualify for these exceptions. Our data broker ecosystem guide covers the legal framework in depth.
Why doesn’t automated data broker removal work reliably?
Automated removal tools submit opt-out requests using templates, but many brokers require identity verification, CAPTCHA completion, or specific legal language that templates cannot handle. A 2025 PoPETs study found significant gaps in automated tool coverage. Brokers also change their opt-out interfaces regularly, breaking automated workflows. We explain the specific limitations of automated removal and where manual follow-up is necessary.
How many data brokers have my personal information?
The average European adult appears on 30–80 data broker sites, though the number varies by online activity and how long you have used the internet. People who have lived in multiple countries, used loyalty programmes, or maintained active social media profiles tend to appear on more. The Mirror audit maps your exposure across advertising, people-search, financial, and B2B broker categories.
Credential Leaks & Dark Web Monitoring
How do I check if my email or passwords have been leaked?
Public tools like Have I Been Pwned check your email against known breach datasets. However, these tools only cover a fraction of leaked data. Stealer logs, dark web paste sites, and private Telegram channels contain billions of credentials that public tools do not index. The Lockdown searches both public and restricted sources for a complete picture of your credential exposure.
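The password half of this check can be done without ever sending the password anywhere, using the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords API uses: the client hashes the password with SHA-1, sends only the first five hex characters, receives every hash suffix in that bucket, and matches locally. The block below is an added Python example written for this page, not code from the page's author or from Have I Been Pwned. The `RANGE_API` URL and the `Add-Padding` header are the real service's; the range response in `SAMPLE_BUCKETS` and its breach counts are constructed so the example runs offline.

```python
"""k-anonymity password exposure check (added example, not the page's code).

Only the 5-character SHA-1 prefix leaves the machine; the 35-character
suffix is compared against the returned bucket locally.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"  # real endpoint; not called by default

# Constructed sample bucket for prefix 5BAA6 (the prefix of SHA-1("password")).
# Counts are made up. The trailing ":0" entry mimics the padding rows the
# service adds when the client sends "Add-Padding: true".
SAMPLE_BUCKETS: Dict[str, str] = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\r\n"
        "1EAEBAC3A2F2F0E8C3C7B93A6F0A4B7E9D1:0\r\n"
    ),
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent
    and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF) into a suffix -> count map.
    Padding rows carry count 0 and are kept; they simply never match."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup of one bucket (network access required). Padding makes
    every response roughly the same size, so a passive observer cannot
    infer the bucket from the response length."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample bucket."""
    return SAMPLE_BUCKETS.get(prefix, "")


def check_password(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """Return how many times the password appears in the bucket (0 = not found).
    Pass fetch=fetch_range to query the real service."""
    prefix, suffix = sha1_prefix_suffix(password)
    assert len(prefix) == 5 and len(suffix) == 35
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "a-long-unique-passphrase-nobody-else-uses"):
        print(pw, "->", check_password(pw))
```

A non-zero count means the password is in a known breach corpus and should be retired everywhere it is used; a zero only means it is not in that corpus, not that it is strong. Note that this covers passwords only; checking an email address against breach lists is a different, identity-bound query.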
What happens after corporate credentials appear in a data breach?
Breached corporate credentials follow a predictable supply chain: initial theft (a service breach or an infostealer infection), aggregation into combolists by criminal brokers, sale on dark web marketplaces and Telegram channels, and finally exploitation by attackers. Within hours of appearing, credentials may be tested against corporate VPNs, email systems, and cloud platforms using automated credential-stuffing tools. Read our analysis of what happens after a corporate credential leak.
What is the dark web and how does it relate to personal data?
The dark web refers to encrypted networks (primarily Tor) hosting marketplaces, forums, and paste sites where stolen data is traded. Personal data — including credentials, identity documents, financial records, and medical files — is a primary commodity. Prices range from a few euros for email/password pairs to hundreds for complete identity packages. Our credential leaks guide explains how this ecosystem works.
What are stealer logs and why should I be concerned?
Stealer logs are files harvested by info-stealing malware (such as RedLine or Raccoon) from infected devices. They contain saved passwords, browser cookies, autofill data, and session tokens, often for dozens of accounts per victim. Unlike a traditional breach that affects one service, a single stealer log can compromise every account the victim accessed on that device. Resetting passwords before the infected device is cleaned simply hands the new credentials to the same malware. We cover the full stealer log supply chain in our credential leak assessment.
How do attackers use stolen credentials to compromise accounts?
Attackers use credential stuffing, the automated testing of stolen username/password pairs against thousands of services, because most people reuse passwords. They also replay stolen session cookies and tokens from stealer logs, which bypasses multi-factor authentication entirely because the session has already passed the MFA step. Once inside one account, they pivot to connected services using password reset flows and trusted-device status. Forgotten accounts are particularly vulnerable because they often have weaker security and no monitoring.
Executive & Corporate Privacy
How do executives get doxxed and what are the risks?
Executive doxxing typically starts with corporate filings, property records, LinkedIn profiles, and people-search profiles that reveal home addresses, family members, and personal contact details. The risks include targeted phishing, physical threats, protest actions at private residences, and business email compromise. In the Netherlands, Article 285d of the Criminal Code now specifically criminalises the publication of personal data with intent to intimidate. Our executive doxxing prevention guide covers protective measures.
What is a corporate digital footprint audit?
A corporate digital footprint audit maps the publicly accessible attack surface of an organisation and its leadership team. It covers exposed employee credentials, executive personal data, leaked internal documents, misconfigured cloud assets, and people-search exposure. The result is an aggregate risk assessment that identifies structural vulnerabilities before attackers exploit them. See Corporate Audit for how this works in practice, or read what attackers see when they scan your organisation.
How does an OSINT investigation differ from surveillance or stalking?
Legitimate OSINT investigations operate on a first-party consent model — the subject authorises the investigation and receives the findings. The purpose is protective, not coercive. Stalkerware and unauthorised surveillance target people without their knowledge or consent for control or harassment. The distinction is legal (GDPR Article 6), ethical (intent and consent), and functional (who receives the results). We explore where investigation ends and surveillance begins in detail.
What should an organisation do after a data breach?
Immediately contain the breach and preserve evidence (logs and disk images). Under GDPR Article 33, notify your supervisory authority within 72 hours of becoming aware of the breach unless it is unlikely to result in a risk to individuals; under Article 34, also inform the affected individuals without undue delay where that risk is high. Assess which credentials, personal data, and internal systems were exposed. Force password resets, revoke active sessions and refresh tokens, and monitor for credential-stuffing attempts against VPN, email, and cloud logins. A Corporate Audit identifies what attackers can now access using the leaked data.
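The credential-stuffing pattern described in the Credential Leaks section (one source testing many stolen pairs, a few attempts each) and the monitoring step above can be turned into a simple detection rule. The block below is an added Python example written for this page, not code from the page's author or from any product. The log line format (`ts src=... user=... result=OK|FAIL`) and the sample events are constructed; a real deployment would read the same fields from a VPN, identity provider or mail gateway log.

```python
"""Credential-stuffing detection over constructed auth logs (added example).

Stuffing looks different from brute force: a single source spreads a few
attempts over MANY distinct accounts. We flag a source when its failures
inside a sliding window reach min_fail and touch at least min_users
accounts, then flag any later success from that source, which is the
likely hit on a reused password.
"""
import re
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Assumed line format for this example; adapt the regex to your log source.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: a legitimate user mistypes twice and then logs in;
# an attacker sprays twelve stolen pairs from one address and lands one.
SAMPLE_LOG: List[str] = [
    "2025-03-04T10:00:00Z src=198.51.100.20 user=bob@example.com result=FAIL",
    "2025-03-04T10:00:07Z src=198.51.100.20 user=bob@example.com result=FAIL",
    "2025-03-04T10:00:15Z src=198.51.100.20 user=bob@example.com result=OK",
] + [
    f"2025-03-04T10:01:{i:02d}Z src=203.0.113.7 user=user{i:02d}@example.com result=FAIL"
    for i in range(12)
] + [
    "2025-03-04T10:01:30Z src=203.0.113.7 user=carol@example.com result=OK",
]


@dataclass(frozen=True)
class Alert:
    kind: str            # "stuffing" or "success_after_stuffing"
    src: str
    user: Optional[str]  # set for success_after_stuffing
    ts: datetime


Event = Tuple[datetime, str, str, str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one line into (ts, src, user, result); None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["src"], m["user"], m["result"]


def detect_stuffing(
    lines: Iterable[str],
    window: timedelta = timedelta(minutes=5),
    min_fail: int = 10,
    min_users: int = 5,
) -> List[Alert]:
    """Sliding-window detector keyed by source address."""
    events = sorted(filter(None, (parse_line(l) for l in lines)), key=lambda e: e[0])
    recent_fails: Dict[str, Deque[Tuple[datetime, str]]] = {}
    flagged = set()
    alerts: List[Alert] = []
    for ts, src, user, result in events:
        if result == "FAIL":
            q = recent_fails.setdefault(src, deque())
            q.append((ts, user))
            while q and ts - q[0][0] > window:   # drop failures outside the window
                q.popleft()
            distinct_users = {u for _, u in q}
            if src not in flagged and len(q) >= min_fail and len(distinct_users) >= min_users:
                flagged.add(src)
                alerts.append(Alert("stuffing", src, None, ts))
        elif src in flagged:
            # A success from a source already spraying accounts is the event
            # that matters: that account's password is reused and now burned.
            alerts.append(Alert("success_after_stuffing", src, user, ts))
    return alerts


if __name__ == "__main__":
    for a in detect_stuffing(SAMPLE_LOG):
        print(a.ts.isoformat(), a.kind, a.src, a.user or "")
```

In the sample, Bob's two typos never trip the rule, while the attacker is flagged on the tenth distinct failure and Carol's account is singled out for an immediate reset and session revocation. Attackers rotate through proxy pools, so in practice the same rule is also keyed on other stable features (ASN, JA3/TLS fingerprint, user agent), and the thresholds are tuned against your own baseline.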
Our Services & Process
How long does a typical OSINT audit take?
A Mirror audit (digital exposure scan) delivers results within 48 hours. The Lockdown (credential and leak investigation) takes 48–72 hours. Full data broker removal through The Eraser involves a 6–8 week execution phase to process opt-outs across all identified brokers, followed by a 90-day re-scrub verification. See how the process works step by step.
What makes professional OSINT services different from free tools?
Free tools scan surface-level public records and known breach databases. Professional investigations access restricted breach datasets, dark web forums, stealer log repositories, and private intelligence feeds. Manual analysis by trained investigators catches context and connections that automated tools miss — such as correlating an old username across platforms or identifying a people-search listing under a misspelled name.
Do you remove data or just identify what is exposed?
Both, depending on the service tier. The Mirror identifies your exposure and provides a prioritised remediation guide. The Lockdown investigates credential leaks and dark web exposure. The Eraser is a hands-on removal service where our analysts submit opt-out requests to data brokers, coordinate search engine suppression, and verify removal over a 90-day period. Compare all tiers on our services page.
What is included in the delivered audit report?
Every report includes an executive summary, findings organised by risk level, a visual data exposure map, specific leaked records discovered, and prioritised remediation steps. Corporate audits additionally include individual reports for each team member and an aggregate organisational risk assessment. View a sample report to see the format.
What information do you need from me to start an investigation?
We require minimal identifiers: full name, known email addresses, and general locations you have lived. We never ask for passwords, government ID numbers, or financial account access. All findings are derived from publicly available sources or legally obtained breach data. You can use an alias for initial enquiries — see our investigation methodology for details.
Can you monitor the dark web for my data on an ongoing basis?
Yes. Services from The Lockdown tier and above include dark web monitoring configuration. We set up alerts for your identifiers across monitored forums, marketplaces, and paste sites, notifying you when new leaks containing your data surface. For ongoing protection, a Guardian retainer (€2,400/year) provides quarterly re-scrubs, dark web re-scans, and an annual re-audit.
How does the Corporate Audit work?
After a master agreement is signed, each team member provides individual consent. We conduct OSINT audits on each person, covering personal exposure, credential leaks, and the people-search surface. Each participant receives a private report. The organisation receives an aggregate risk assessment identifying structural vulnerabilities — such as multiple executives exposed through the same broker or shared credential patterns. Learn more on the Corporate Audit page.
Privacy, Pricing & Getting Started
How do you protect my information during the investigation?
All data is transmitted via encrypted channels. We use zero-knowledge communication tools and never store sensitive findings beyond 48 hours after delivery. Case data is cryptographically shredded once your engagement is complete. Our full data handling practices are documented in our Data Purge Policy.
Do you keep records of what you find about me?
No. All case-specific data is destroyed 48 hours after final delivery, per our Data Purge Policy. We retain only the minimal transaction records required for accounting — invoice date and service tier. We never keep personal information, exposure findings, or credentials in our permanent records.
Are your services GDPR compliant?
Yes. We process data lawfully under GDPR Article 6 (legitimate interest and explicit consent), store it minimally, and respect the Right to Erasure for all clients. EU residents have full rights to data access and immediate deletion at any time. Our Ethics Code and Privacy Policy document our compliance framework.
Can I upgrade from one service tier to another?
Yes. If you start with The Mirror and decide you want full removal, we credit your Mirror fee (€595) in full toward The Eraser within 30 days of your audit. This lets you assess your exposure first without committing to a larger engagement upfront.
Can I remain anonymous when contacting you?
Yes. We accept initial enquiries using aliases or encrypted email. While we eventually need accurate identifiers to find your actual exposure, we respect your privacy from the first point of contact. You can request a free Snapshot Scan without providing any information beyond an email address.
How do I get started with a privacy audit?
Request a free Snapshot Scan — a one-page summary of your exposure across public sources, data brokers, and breach datasets, delivered within 48 hours. No payment is required. Based on the results, we recommend the appropriate service tier. Most individuals start with The Mirror (€595) for a full audit.
Still have questions?
Request a free Snapshot Scan and we will show you exactly what your digital footprint looks like — no payment, no commitment.
Request a Snapshot Scan
No payment required · Delivered in 48 hours · Aliases accepted