If you’re here, you probably want some control over your digital footprint. Different people land there for different reasons. Mine was specific: I confirmed that data I’d handed to companies I’d trusted was already on sale.
Two things happen to data after a company collects it. One is visible: the company gets breached, the news appears years later, regulators issue fines. The other is invisible: the data is quietly sold to brokers, advertisers, and adjacent buyers, under contracts you will never see. The first is disclosed under regulatory pressure. The second is legal and rarely discussed. Both happen continuously.
Trusting a company’s brand doesn’t address either. Trusting a stated security policy doesn’t either — the companies that built their marketing around protecting your data have been losing it on a steady rhythm for fourteen years.
The visible failure
The first failure mode — breach — is the one most readers have heard about. It is also the one companies are eventually forced to disclose, under regulatory pressure. Three recent examples illustrate the pattern.
In 2020, SolarWinds — a company that sold IT security management software — had its build system compromised. The password on the update server was “solarwinds123.” Eighteen thousand customers received the resulting weaponized update, including the U.S. Treasury, the State Department, and the National Nuclear Security Administration. The SEC later sued the company’s chief information security officer personally for fraud.
In 2022, LastPass — marketed for years as “zero-knowledge,” meaning the company itself could not read your data — lost customer vault backups. That breach is, in a meaningful sense, ongoing: by 2025, U.S. investigators had linked at least $150 million in cryptocurrency theft to it — and the thefts were still unfolding, years after the breach itself.
In 2025, IDMerit — a KYC and AML vendor operating in 26 countries — left a database of more than one billion identity records reachable on the public internet with no authentication — anyone with the URL could read or copy the lot. The company secured it the day after researchers notified it, and disputes that any exposure occurred; how long the records sat open before anyone happened to look isn’t known, which is its own kind of answer.
These are three among many. The full chronology — RSA Security 2011, Okta’s three breaches, Au10tix, Fractal ID, Microsoft’s signing key, and the rest — runs to fourteen years and will be published as a separate essay.
What these incidents share is structural. The failure is not anomalous. It is not a matter of which company you choose. It is what happens when identity data is collected at scale — across every category of company that does so.
The other failure mode is quieter, less covered, and probably more common.
The invisible failure
Some companies don’t lose data so much as they sell it. Occasionally this gets prosecuted — Avast, the antivirus company, was fined $16.5 million in 2024 for selling its users’ browsing histories through a subsidiary, because its “we protect you from tracking” marketing was specific enough to violate. Most data sales aren’t prosecuted, because they aren’t marketed against: U.S. telecom carriers sold real-time location data to data brokers for years, and were fined roughly $200 million combined when the practice finally caught regulatory attention. Hospital websites embedded advertising trackers that quietly relayed patient search queries to advertising platforms. Mobile apps routinely integrate SDKs that pass location, usage, and identifier data to dozens of downstream buyers, priced and contracted at scale.
The structural defense against the first problem is not feeding the database in the first place. That isn’t always possible — you have a bank, you file taxes, you have an employer. But when you do have a choice, the choice is the defense.
When you don’t have a choice, there’s a second layer: controlling what else gets collected about you while you’re using the service. The data already in the breach databases is a starting point. What turns a starting point into actual damage is the layer of identification collected about you in real time:
- Your IP address, which links a session to a location and an ISP
- Your browser fingerprint, which links sessions across what you thought were separate accounts
- Your traffic patterns and timing, which link activity across services
- Your custodial relationships, which determine what an attacker — or a regulator, or the company itself — can freeze, seize, or compel
- Your future identity submissions, which expand the dataset further every time you sign up for something new
Each of those mechanisms has countermeasures. Most of this site is about those countermeasures, what they do, and what they don’t.
Where this site fits
This isn’t the first site to take privacy seriously, and it owes a debt to the ones that came before it. Privacy Guides, Techlore, and The New Oil have spent years building careful, well-sourced guidance: which password manager, which email provider, how to think about a threat model as a general user or an activist. If that describes what you need, those sites are excellent, and this one doesn’t try to replace them.
What they share is a reader — someone protecting themselves from broad data collection and the consumer-tracking economy. That reader sits at the first two levels of the threat-model spectrum: the general privacy- conscious user, and the journalist or activist with a sharper adversary.
This site is built for that reader too, but it keeps going. It covers the operational layer — the tools people reach for when privacy stops being a preference and becomes a working requirement. Which residential proxy has clean IPs rather than malware-sourced ones. Which no-KYC exchange has held up under sustained use. Which fingerprint browser handles which case. Which hardware wallet vendor has a clean ownership history, and which has a record of breaches. These are the questions that matter to affiliate marketers, to traders running multi-account operations, to people who self-custody, and to anyone operating where the adversary is more than an advertiser.
The existing sites don’t cover that layer, and it isn’t an oversight. Their readers — privacy purists and general consumers — mostly don’t need it, and operational-risk framing sits awkwardly next to a purist one. The same threat-model thinking applies. The answers are just different, and so are the people asking.
That’s the gap this site is built to fill.
Who this is for — and where the line is
A reader will think this within the first minute, so let’s address it directly: the tools on this site — residential proxies, fingerprint browsers, no-KYC exchanges — are the same tools associated with fraud, bot farms, and scams. Who needs operational anonymity in business, other than people doing something wrong?
These are dual-use tools, the way cash is, the way a VPN is, the way encryption itself is. The legitimate uses are real and ordinary:
- A digital agency managing dozens of client social and ad accounts, keeping each client’s logins and sessions cleanly separated
- A market-intelligence or ad-verification team checking prices, ad placement, or availability across regions — an established B2B practice that datacenter servers get blocked from and residential ones don’t
- Someone in a country with capital controls or an unstable currency, holding value without routing it through a bank that will freeze or report the account
- A journalist or researcher working in or against a hostile jurisdiction
- Anyone who’s been debanked — a crypto business whose bank closed its account with no reason given, or a lawful seller a payment processor dropped overnight
That last category is larger and more arbitrary than most people realize.
Operating in a gray zone — breaking a platform’s terms of service, say — is not the same as breaking the law. Most people who need these tools are in the first category, not the second.
This site serves operational privacy and helps you weigh operational risk. It does not help with fraud, money laundering, sanctions evasion, or defeating identity checks for financial crime. That line is written into our editorial policy, and we hold it.
What this site offers
This site is a navigator, not a store. It won’t tell you there’s a single best tool. It will tell you what your stack should look like, given who you are and what you’re up against.
Everything here serves one goal: reducing what can be linked back to you. There are two ways to do that, and the site is built around both.
The first is to not hand the data over. Where you have a choice, choose the service that doesn’t collect your identity in the first place — a no-KYC exchange instead of one that files a report, a hardware wallet instead of a custodian, an email alias instead of your real address.
The second is to control what gets collected while you operate — your IP, your browser fingerprint, your traffic patterns, the identifiers gathered in real time whether or not you handed anything over. A VPN, a residential proxy, a managed browser profile each close one of those channels.
You won’t need all of it. A general reader avoiding data-broker tracking needs a different stack than a journalist in a hostile country, who needs a different stack than someone running several businesses across regions. So the site is organized by threat model: find the one that fits, and you’ll see the stack built for it — not the whole catalog.
For every tool, we tell you what it does and what it doesn’t. A VPN hides your IP; it doesn’t hide your identity once you log in. A no-KYC exchange doesn’t collect your name; it still sees your trades, and the blockchain remembers them. Knowing the limits is the difference between a stack that works and one you only think works.
How we’re funded: affiliate commissions — but only from operators that pay in crypto without asking us for identity documents, the same exposure this site helps you avoid. It costs us reach, and we take the trade. Where the best tool pays us nothing, we recommend it anyway and say so. The mechanics are in our affiliate disclosure and editorial policy.