How to Audit Your Digital Footprint: A Step-by-Step Checklist

You cannot fix what you cannot see. Every privacy effort begins with a complete map of your current exposure, which means an audit. A real audit is not a five-minute Google search. It is a structured walk through every layer of the internet that might host your information, captured in a format that you can act on. Done right, it produces a single document that becomes the input for every removal, suppression, and monitoring decision you make from then on.

This is the same checklist NOXRID specialists use as the first artifact of every engagement. Run it on yourself, top to bottom, before deciding what to remediate.

Before you start

Open a fresh spreadsheet with these columns: Source, URL, Type, Sensitivity (low / medium / high), First Seen, Action, Status, Notes. You will live in this document for the next several hours, so make it pleasant.

Set your browser to private mode and clear cookies between searches. Logged-in personalization will skew results.

Step 1 — Search engines

Search Google, Bing, DuckDuckGo, and Yandex separately. They surface different results.

For each engine, run:

• Your full legal name in quotes
• Your full name plus your city
• Your full name plus your employer
• Your full name plus your school or alumni year
• Your phone numbers, including old ones
• Each email address you have used since around 2010
• Your home address
• Old usernames and online handles

Capture every URL on the first ten pages, not just page one. Long-tail data brokers usually live on pages five through ten.

Step 2 — Image search

Search the same name and email queries in Google Images and TinEye. Surprising results often surface here, including photos uploaded to forums, conference websites, and old dating profiles.

Step 3 — Social platforms

Audit each of the major platforms with both your real name and your handles:

• LinkedIn — current and past profiles. Check for partial duplicates created by recruiters.
• Facebook — your profile, plus any Pages or Groups that mention you.
• Instagram, X / Twitter, TikTok, Threads, YouTube — public profile, tagged content, mentions.
• Reddit — search reddit.com for your usernames and your real name.
• Github, Stack Overflow, GitLab — old commits often contain real-name email addresses.
• Discord, Telegram public channels — search public channel archives.
• Mastodon and Bluesky instances.

Step 4 — Data brokers and people-search sites

Search by name and by phone number on at least the following:

• Spokeo
• BeenVerified
• Whitepages
• Radaris
• Intelius
• MyLife
• PeopleFinder
• TruePeopleSearch
• FastPeopleSearch
• ZabaSearch
• That's Them
• USPhoneBook
• Nuwber

For each, capture the exact URL of the listing. You will need it for the opt-out submission.

Step 5 — Breach exposure

Run your email addresses through HaveIBeenPwned. Note every breach by date and the exposed fields. Many tier-2 brokers ingest breach data, so this is a leading indicator of where you will find yourself listed.

Run your phone number through the same service.

Step 6 — Public records

Check the following for direct exposures:

• County assessor and recorder sites for property records
• Court record search portals for the state(s) you have lived in
• Federal court records via PACER if relevant
• Marriage and divorce indexes
• Bankruptcy records
• Voter registration lookups
• Business filings on Secretary of State sites
• Domain registrations on whois lookup tools

Public records are typically the hardest to remove. The audit goal here is to know what is exposed, even if removal is later impossible.

Step 7 — Professional and academic

• Industry directories (e.g., bar association, medical board, real estate license)
• Conference and event websites where you spoke or attended
• Academic publications, ORCID, Google Scholar, ResearchGate
• Patent databases (USPTO, Google Patents)
• Press releases that mention your role

Many of these are easy to update or delist if outdated.

Step 8 — Old accounts and abandoned content

This is the bucket most people forget. Search your old emails for "thank you for signing up" and "verify your account". You will find dozens of accounts you no longer remember. Each is a potential leak surface.

Tools like JustDeleteMe maintain shutdown links for hundreds of services.

Step 9 — The dark web (lightly)

You do not need to set up Tor. Use HaveIBeenPwned and a reputable monitoring service to surface any credentials or PII that have appeared on dark-web markets.

Step 10 — Score and prioritize

For each entry in your spreadsheet, mark a sensitivity score:

• High: exposes home address, phone number, government ID, financial data, family members.
• Medium: exposes employer, accurate job title, neighborhood, age range.
• Low: professional bios, public statements, legitimately public records.

Sort by sensitivity. Now you have a prioritized work list.

What an experienced auditor catches that you will miss

DIY audits are useful but always incomplete. Specialists routinely find:

• Cached pages of removed content still indexed by Google or the Wayback Machine.
• Foreign-language people-search sites that mirror U.S. data.
• Domain registration history that exposes home addresses from years ago.
• Inferred attributes in advertising platforms (e.g., your custom audiences segment in a programmatic platform).
• Re-listings on sites you removed yourself from six months prior.

If your audit finds fewer than thirty entries, you almost certainly missed sources. The average professional adult has between sixty and three hundred touchpoints across the layers above.

What to do with the audit

The audit is the input. The next document is the action plan: which entries to remove, which to suppress, which to leave, and which to monitor. NOXRID treats the audit as an artifact a client owns, which then drives everything our specialists execute on. You should treat it the same way.

A clear audit, run honestly, is the single most useful privacy artifact you will ever produce. Everything that comes after — removals, suppression, monitoring, crisis response — is downstream of how thoroughly you mapped the ground.