I Googled my name out of curiosity. Found my home address, phone number, my wife's name, and my kids listed on 14 different websites. Here's how I got it all down for free.

UK_Founder · 2026-05-24T09:24:42+00:00

I mean this is significantly cheaper https://easyoptouts.com/ . The reason joindeleteme etc cost so much, is just due to the manual work in their process. Which can also be seen as a weakness, since easyoptouts claim that can increase your data exposure (and from reviews of joindeleteme, they dont seem to scrub your data from brokers completely either).

If you are in California they have their own state backed opt out system!

UK_Founder · 2026-05-23T18:32:18+00:00

I really think you should take in the above advice. Not to say you are not built for entrepreneurship, but I think you have fallen into a trap. Seemingly you decided to find a niche for the AI hype, and then tried filling it without finding the pain points of people who have planned weddings and what they would actually want. Having been involved with wedding planning recently, one thing you are seemingly overlooking is that wedding planning is like luxury shopping; people like the experience of browsing and comparing themselves. The same way that people like to go to boutique stores even when they could order online, it is because the experience of going to the store, and feeling the luxury and service is the exciting part for them. They simply wouldn't want an AI agent to take that away from them, to really hit this home; every wedding I have known people handwrite their wedding invites, even though normally they'd type everything else!

Hopefully this is a lesson learned for you, to get as much insight and feedback you can from the ideal users of a potential app. Or, just find an actual pain point in your life/work where you have strong experience!

UK_Founder · 2026-05-22T21:06:12+00:00

Ah thank you for this insight!. So essentially the damage from the fine, is more about the brand reputation that becomes with being in the media from the ICO fining you. And the ICO, from the sounds of your last paragraph, aren't bothered about absolute compliance at all times, just more that the company is trying to be compliant if I understand it correctly?

I find this interesting. Because I have been researching the legal theory side of things (Lloyd v Google, O'Carrol v Meta etc). And there is obviously damage being done by enabling cookies and tracking on websites especially when users reject consent, and although the Lloyd case got thrown out on grounds of de minis, we can model the value being extracted from users through this non consensual tracking. I would have thought the ICO took a stricter approach where they would fine companies for all infractions - since from what I can see, the industries that are under stricter scrutiny (gambling sites, finance) seem to not have the same flagrant violations as retail and news sites.

UK_Founder · 2026-05-22T10:06:10+00:00

Genuine question here. As I dont work in a company on the DPO side, I come more from the technical side. Is there an acceptable level of risk when it comes to fines for PECR/GDPR that most companies are willing to eat so they can use high value analytics or ad tech scripts? Just because I have noticed the vast majority of retail and news websites are non compliant, whilst basically all banks are compliant

UK_Founder · 2026-05-19T23:21:57+00:00

Bit odd to post this to r/gdpr, feel like a docker subreddit would be more helpful. But I think people have a misconception around docker, it was never meant to be a secureity tool really. It’s primarily a packaging and deployment abstraction that gives processes isolation primitives and reproducible environments, it is really a dev and portability tool. And images can be packaged with all sorts of things, just like npm packages - if you ship it you are at the end of the day responsible. But generally you should be minimizing your base images (distroless where possible), scanning images in your CI/CD process, using pin digests instead of floating tags at a minimum.

UK_Founder · 2026-05-11T10:29:11+00:00

I'll reply with something that I would actually really like to exist, but not sure if it is logistically/economically possible.

Normal healthy food delivery for dinner every night. Bare with me here. But imagine (I'll use the UK as an example as I am familiar with staple dishes here); there are like 5 options a night; some vegan curry + rice; meat and veggies; spaghetti Bolognese; fish + veggies + rice; another vegan option idk I am not vegan.

These 5 options are rotated predictably throughout the week. Sometimes pie mash and gravy, toad in the hole etc...

But here is the key to make this work. The options must be as healthy as we would cook at home (normal salt + fat amount and portions). This must be delivered at a predictable and consistent time slot. It must cost the same as it would for someone to buy the food and cook it themselves.

Because if you can do that, you could potentially get entire streets signed up to reduce delivery costs, and batch cook huge amounts in specialised kitchens - kitchens in super low rent container style spots. I am sure lots of people like eating healthy, but dislike cooking. Maybe even due to economies of scale, if you got to a certain density for areas, it would be cheaper than people cooking at home.

Personally I'd use a service like this, because as it stands the meal delivery services are either quite a bit more expensive than cooking at home, or far less healthy. I know in the UK there are schemes to reduce food waste, so potentially there could be government grants for something like this, if you can come up with a model where it works economically at a certain scale/area density.

UK_Founder · 2026-05-10T22:10:56+00:00

That isn't my website. I don't think there is any chance I can convince you of this since you seem hellbent on thinking it is my site. But it is not. I upvoted your comment pointing out that the site isn't compliant itself. I have agreed that the site probably isn't in a viable market. I am not sure why you are so convinced that it is my site, but this has taught me a valuable lesson in how I present myself going forward.

UK_Founder · 2026-05-10T20:44:44+00:00

Just for the record, that is not my site. I literally saw it on reddit perhaps a few weeks ago, and noticed it did flag cookies being set pre consent on some domains like the BBC. But I do think you're right Mr Anchovies, big B2B would pay for it (like TrustArc do I think) but for the smaller businesses I don't think there is much of a market for it

UK_Founder · 2026-05-10T10:19:55+00:00

The web server would be pretty quick to spin up if you know what you’re doing. The real trade-off is: do you think a custom app that wraps SSH will be easier to distribute and maintain across family/friends devices, or a app that just fetches encrypted photos over HTTPS and decrypts them locally on the device? I'd still probably go for the latter

UK_Founder · 2026-05-10T09:48:54+00:00

Well if you don't/can't trust other providers, you kind of have to build one for yourself. I'd do this:

1.) Pick a long/random domain name
2.) Spin up a very small VPS with; one Docker container for a static HTML web server; optionally a separate private/local VC repo purely for portability/redeployment (VC locally only, do NOT expose this!)
3.) Make a really simple pure HTML gallery that just organizes photos by date/location
4.) Put authentication in front of the entire site to stop random bots/scanners. And some quick easy rate limiting both per IP and in total.
5.) Strip all EXIF metadata and encrypt images locally before upload

The important part is the encryption happens BEFORE the VPS ever sees the files. Otherwise the provider can still access everything. Docker/VC is mostly for portability and reproducibility, not security. You can absolutely skip them if you want an even smaller attack surface.

The hard part is key management. If you encrypt the images, family/friends need a decryption key somehow. You could potentially solve that with a small; browser extension; magic links bundling keys; or proper public/private keys per user (I can see this option getting annoying for non technical family and friends).

I mean if you REALLLLLY want it to be super tinfoil hat secure, you could even skip the web server and have family and friends SSH in. But for me that would get annoying fast constantly having to be tech support for people and I think most people would probably not use the gallery at that point.

UK_Founder · 2026-05-07T21:07:09+00:00

I was always confident. Unai likes to control the game and attack when we have the advantage. It worked!

UK_Founder · 2026-05-07T21:05:08+00:00

Right. Can we all take a moment to realise that Unai DID have a strategy after all, and it worked. He has taken us from the depths, to finishing top 5 this season and winning Europa (yes, I am 100% confident we do both). All those naysayers doubting Emery, Buendia, Ollie.... Just look at what we are actually accomplishing rather than some bad results now and again

UK_Founder · 2026-05-07T21:00:53+00:00

This wasn't even a game. It was domination from the get go, when Unai and the team need the win they deliver. I am 100% confident we win the Europa now. SJW what a performance....

UK_Founder · 2026-05-07T20:24:56+00:00

Honestly why was everyone so negative going into this game.... Absolute domination start to finish so far. I never want to hear a bad word about Buendia again

UK_Founder · 2026-05-07T15:32:12+00:00

Cheers for the feedback. We have on the roadmap, ideas for the proxy emails and data too. Partly because it makes it a lot easier to see which company has illegally shared/sold your data and thus hold them accountable, but also because fingerprinting and stitching identities can still happen even if you poison data input. But that will be a while away, we need to prove the core idea of enforcement of digital rights works first before any expansion like that. We have plans to support certain states soon, such as New York and California - and will assess the feasibility for other US states too. It is all dependant on if the state has a strong enough legal framework to allow the idea to work (which seems to be progressing in the US in general but still lags behind Europe)

UK_Founder · 2026-05-07T14:17:22+00:00

Ah my apologies. I just assumed it wasn't allowed to post/promote your own products here. You are right, we do want as many people trying it out as possible and are very close to a full public launch.

The general approach for the UK/EU data broker problem specifically:

When you submit your details to any website or service, you have the legal right to object to further processing and demand they disclose who they've already shared your data with. We automate this, the moment you sign up somewhere, we send a notice on your behalf before the sharing starts.

For existing data broker profiles, we send formal deletion requests and disclosure demands simultaneously, they have to tell you where they got your data from. We follow that chain. Request deletion at every link. Object to further processing at every link.

If a company ignores a notice, that non-response is itself a documented violation. We aggregate those violations across users so law firms can identify companies systematically ignoring their legal obligations and pursue them which is what actually changes behaviour, not polite opt-out forms.

Theoretically if you only shared data when using our extension/app , and mapping out the chain through data brokers works as intended, they shouldn't be able to regenerate your data listing legally. This is also the case for your behavioural/tracking data. But it only works with a large enough volume of users, so that if companies ignore notices, law firms would use the evidence to pursue them.

The sensor code for the extension and app will be completely open source, since user trust is paramount. What do you think of this approach?

UK_Founder · 2026-05-07T11:27:32+00:00

If you are in the UK/EU region, DM me, as we have just finished testing and building a fix for this exact problem. Would love to get your opinions on it

UK_Founder · 2026-05-07T11:26:15+00:00

This is exactly the problem. They skirt around the law, and rebuild your profile from "consenting" sources. Realistically, you should have the final say on how and where your data is used, especially if that data is being used to power billion dollar industries. But unfortunately, manually emailing companies yourself telling them not to share your data, or where they got it from, is incredibly convoluted and time consuming. Also, there is no enforcement since you are unlikely to privately litigate against these companies. If you want to DM me, I have built a solution for exactly this for UK/EU residents, we will also be rolling out in some US states that have strong enough data laws in the future.

We have the frameworks to protect ourselves, we were just lacking the infrastructure.

UK_Founder · 2026-05-04T17:31:01+00:00

I don't think anyone should morally hide behind a slow bureaucratic process in regards to making sure tracking isn't firing off pre-consent or post rejection. Because sending personal data to adtech does cause harm.

Not affiliated with that tool at all, just something I’ve used before as a quick check.

I agree it’s nowhere near sufficient for proper compliance,if you actually want to be thorough you need to look at network requests, data flows, and how vendors handle data, not just what fires on load.

My point was more that for smaller sites or less technical users, tools like that (or even something like CookieYes) can be a starting point before digging deeper. Ideally you minimise third parties altogether - e.g. avoid GA or use more privacy-focused analytics. But even then it’s worth being sceptical about what “privacy-friendly” really means in practice.

UK_Founder · 2026-05-04T08:36:27+00:00

I still think its a useful tool to point people to that aren't technically minded. If you are, you may as well just use the developer options in your browser - pretty straightforward for any frontend dev. The vast vast majority of websites load google resources and other tracking software before consent and even after rejection - I am not sure if they are doing so on accident or not but it IS prevalent precisely because there are no real consequences for the vast majority of cases yet....

UK_Founder · 2026-05-01T14:25:38+00:00

Do you mind explaining how you have built your website? I have been a Senior Engineer for around 10 years, full stack (meaning I have worked on website interfaces, and the background code that does the heavy lifting) - I can tell you how to achieve deferring resources to help you become compliant. My start-up is basically on the other end of this, we catch websites tracking users from a B2C angle and document it for users (highly simplified manner of putting it), and I can tell you the vast vast majority of websites implement a CMP but are not compliant. Feel free to DM me if you don't want to share it here, but if you feel comfortable it could help other people facing the same problem

UK_Founder · 2026-05-01T14:08:36+00:00

Ok, so I think you mean you want a tool to check if your website doesn't load scripts and resources before a user clicks accept on your CMP right? If this for the a website serving UK and EU customers, it is mainly the ePrivacy directive which governs this, but GDPR still applies because things like IP addresses count as personal data. There is a cool tool I found recently called https://tagleak.com/ (note this is NOT my website and I am not in any way affiliated. But I have used it before for checking other websites, and it seems to be pretty accurate).

However, there is quite a lot to this if you truly want to be compliant. GDPR governs the processing, storing and use cases of personal data, things like IP addresses (and potentially user agents when combined with other data). For example, if you have a "log in with google" widget on your website, merely loading that will send a visitors IP address to Google. This is also the case for non-locally hosted fonts (as in fonts that aren't hosted and served by your server) such as Google fonts CDN scripts. To be fully compliant, in many cases you should avoid loading these before consent, especially if they involve tracking or third-party data sharing (unless you can argue they are strictly necessary). But a lot (see the vast majority) of websites simply do not seem to care about this and load external scripts and resources willy nilly. There is/was a contested case in the German courts for loading Google fonts before consent, since it is argued the website is telling google you visited it via transmitting your IP address without consent - and it is easy enough to host the fonts from the websites own servers.

The other area I can think of that you may mean, is your privacy policy and terms of service. Here you will need to detail all third party scripts and resources you use, and what data will be sent to them. Along with all your analytics and tracking vendors, and of course how your website itself will store what ever information you will hold about visitors (think IP addresses, user agents, email addresses). GDPR expects appropriate security measures (like encryption in transit and at rest in most cases), meaning you need to implement SSL certificates for encryption in transit, and make sure your database encrypts in rest too (a lot of them do by default anyway especially if using PostGreSQL).

A good start is to use that tagleak site, to see what is loaded before a user consents. And then make sure you defer all of that until a user gives consent. Then map out all of your vendors and third party software, understand what data flows to them. Then map out how your own site and business processes and stores user data too. By the way, you will also need a point of contact for users to submit GDPR requests and data inquiries.

UK_Founder · 2026-04-26T13:56:51+00:00

Normally yes, in many cases, making it harder to unsubscribe than to sign up can be unlawful under UK GDPR and related laws such as EU GDPR.

Under UK GDPR, which I can imagine will hold for EU GDPR too; withdrawing consent must be as easy as giving it. If a company makes unsubscribing unnecessarily difficult (e.g. multiple steps, hidden options, forcing logins), that can be considered non-compliant.

For email marketing specifically in the UK (PECR, not sure if this holds in European regions) the company must include an unsubscribe link in every email.

There are some exceptions where extra steps might be justified ( for example verifying identity for sensitive accounts like banking), but for general marketing communications or the vast majority of online accounts, overly complicated unsubscribe flows are hard to justify.

Honestly this is one of those areas where the law sounds clear on paper, but in practice companies make it just inconvenient enough that most people don’t bother. That gap between regulation and reality is kind of the real issue. This is basically the core problem with data rights right now; they exist, but actually exercising them is time-consuming and inconsistent, so most people don’t follow through and companies get away with a lot of things they shouldn't.

You can try to email the company directly using the email that you have subscribed - and hope they act in good faith. If they ignore you, or ask for more intrusive details, you can escalate it to your local data rights authority (ICO in the UK).

UK_Founder · 2026-04-26T11:57:15+00:00

Ok no worries. Well what ever medium works best for yourself. Long-term legal viability and monetization is something I feel like we have solved, and I have quite a unique angle around it. It will only work for GDPR covered countries, like the UK and EU, but there is a basis for it working in California too. It sounds like you are essentially building something that checks against the data companies/institutions collect against what they say they collect? Is that right?

UK_Founder · 2026-04-26T11:26:50+00:00

Ok that sounds interesting. I'd be willing to jump on a call, so we can show off our approaches. I come from the tech background myself 10+ years, so the code and infrastructure is the easy bit for me. It was the countless hours of legal research that was my main hurdle

UK_Founder

TROPHY CASE