Privacy checklist for a personal website before launch

What can leak before your site goes live

A personal website feels simple. You publish a portfolio, blog, or resume, and it seems like you're only sharing your work. In reality, small details pile up fast. Your site can reveal your name, rough location, email address, phone number, and technical leftovers you forgot were there.

Some leaks are obvious. Others sit in places most people never check. Domain registration records can expose contact details when privacy is off. Contact forms can ask for more information than you need, then send it by plain email. Images can keep metadata such as the device used, the date taken, and sometimes location data. Page code can still contain comments, old email addresses, test links, analytics IDs, or file paths from your computer.

That matters because a personal site is usually tied to your real name, social profiles, and work history. Once those pieces connect, strangers can build a fairly complete picture. Sometimes that leads to spam. Sometimes it turns into scam attempts, stalking, doxxing, or data broker listings that keep spreading old details.

Even a small site can leak more than expected:

• public domain records can reveal your contact details
• forms can collect phone numbers, company names, or addresses you do not need
• uploaded files can contain metadata from your phone, camera, or editing software
• source code can include comments, old email addresses, or staging details

Privacy is not only a concern for people with large audiences. It matters just as much for a student with a blog or a freelancer with a five-page portfolio. A site does not need much traffic to be copied, scraped, or indexed.

The goal is simple: publish what people need to see, and nothing else. Before launch, check every place where your personal data can tag along with the content. That small review can save a lot of cleanup later.

Start with your domain settings

Before you worry about design, check what your registrar is publishing about you. A public WHOIS record can show your full name, phone number, street address, or personal email if domain privacy is off.

Most registrars offer privacy protection, sometimes free and sometimes as a paid add-on. Turn it on, then confirm it is active. Plenty of people assume the default is private and only find out later that their details were public for days or weeks.

Then look at your DNS records. The record types themselves are normal, but the values inside them can still leak personal information. An A record might point to a home internet connection. A TXT or MX record can expose a personal mailbox name. Even a subdomain like "john-laptop" says more than you probably intended.

A quick pass usually catches the big issues:

• make sure WHOIS privacy shows proxy details, not yours
• replace personal email addresses in DNS where you can
• avoid pointing the site to a home IP address
• rename hostnames that include your real name or device name

Your email choice matters too. If the site uses your personal inbox everywhere, it becomes much easier to connect your website, social accounts, and other public records. A separate address for the site keeps that line cleaner and makes spam less annoying.

Say Anna registers a portfolio site with her personal Gmail, leaves WHOIS open, and points DNS to a server at home. Before the site even launches, she may have exposed her name, email, and rough location. Fixing that takes a few minutes and closes off a lot of easy searches.

Check what your contact options expose

Contact pages often leak more than the rest of the site. People add a form, an email address, and sometimes a phone number, then wonder why spam and cold calls start.

Start with one question: why do you want people to contact you? A portfolio site may only need project inquiries. A personal blog may only need a basic contact form. The narrower the purpose, the less information you need to collect and the less you expose.

Keep the form narrow

Most contact forms only need three fields: name, email address, and message. Anything beyond that deserves a reason.

Extra fields create extra risk. If you ask for a phone number, company name, budget, or location before you need it, you are collecting personal data you now have to store and protect.

A simple rule works well: remove any field that does not help you answer the first message, make optional fields truly optional, and skip sensitive details like date of birth, postal address, and phone number unless they are necessary.

Phone numbers need extra care. Putting your personal number in the footer or on every page makes it easy for bots to scrape and for strangers to contact you outside the context you wanted. If calls are not part of your work, leave the number off the site.

A separate public contact email is often the safer option. It keeps your personal inbox, old message history, and unrelated accounts out of view.

Check notification and reply settings

The form itself is only half the story. Look at what happens after someone clicks Send.

Many form tools email you the full submission. That can expose a private email address, your full name in the sender line, or extra details in an automatic signature when you reply. Some setups also include IP addresses or other technical data you do not need sitting in your inbox.

Use a reply address made for public contact, and trim your signature. In most cases, your site name and contact email are enough.

This step is easy to miss. It is also where a lot of personal details slip out.

Clean images and files before upload

A page can look clean while the file behind it still carries data you never meant to share.

Photos taken on a phone often keep GPS coordinates, the date, and the device model. If you post a headshot or a photo from home, that data can reveal where you live or where you spend time. Before uploading, check the file details and remove location data, or export a fresh copy from an editor that strips metadata.

Filenames leak more than people expect. A file called "anna-lee-boston-client-acme-resume.pdf" gives away your full name, city, and client in one line. Neutral names like "resume.pdf" or "profile-photo.jpg" are better.

PDFs need the same care. Resumes, case studies, and brochures can keep author names, company details, comments, tracked changes, and old form data even when the document looks finished. If you made the file in Word, Google Docs, or a design tool, open the document properties, remove personal info, and export a clean copy instead of uploading the working file.

One common slip is a resume that looks public-safe on the page but still stores the creator's full computer username in the metadata. Most visitors will never notice. Anyone who downloads the file can inspect it in seconds.

A simple routine helps. Keep the original file offline. Make a second copy for the website, rename it with a neutral filename, remove metadata, and then open the final version and inspect it before upload.

Treat images the same way. If you crop, resize, or compress a photo, do not assume the old data is gone. Save a fresh export and check that new file before it goes live.

It takes a few extra minutes. It is worth it.

Look for hidden details in page code

Some of the worst leaks are invisible on the page itself. The design looks clean, but the source code still gives away personal details.

Before launch, open the live or staging page, view the source, and search for obvious markers such as @, mailto:, your full name, phone number, and old usernames. People often remove contact details from the layout and forget that the raw email address is still sitting in plain text underneath.

Meta tags deserve a quick review too. Check fields like author, generator, social preview tags, and anything your theme or plugin added automatically. Setup notes such as "draft homepage" or a full personal name can stay there long after the page looks finished.

Comments are another easy miss. Search your HTML, CSS, and JavaScript for notes about personal email addresses, staging domains, admin reminders, hidden file paths, or account names. A comment like <!-- replace with personal Gmail before launch --> is enough for scrapers and curious visitors.

Third-party tools can leak more than expected as well. Analytics scripts, booking widgets, maps, chat boxes, video embeds, and newsletter forms can expose account IDs, internal labels, or more visitor tracking than you intended. If a widget is not necessary, remove it. If it stays, use the least public setting available.

Ten quiet minutes in your page code can spare you months of spam and cleanup.

Do a full privacy review step by step

A privacy review works best when you stop looking at the site like its owner and start looking at it like a stranger. Do the review on a copy or staging version before launch so you can fix things without rushing.

Work through the site in order.

1. Go page by page, including the homepage, about page, footer, error pages, and any downloads. Small details often slip into places you barely notice, like image titles, PDF names, or an old author box.

2. Test every form as a visitor. Log out, use a private browser window, submit a test message, and read everything it generates: the confirmation page, auto-reply, and admin notification. This is where many people find their personal email or phone number exposed by accident.

3. Search your site files for your own details. Look for your name, email, phone number, home address, and old usernames in templates, form settings, filenames, document titles, and copied code.

4. Download your own images and documents and inspect them like a visitor would. Photos can keep location data and old filenames. PDFs often keep author names, software details, comments, or tracked changes.

5. Fix every issue before publishing, then retest. Launch only when the list is empty.

This last pass is a little tedious. It also prevents the most avoidable mistakes.

A simple example before publishing

Picture a freelance designer building a small portfolio. She wants the site to feel personal, so she adds a headshot, a resume PDF, and a contact page with her email and phone number.

On the surface, nothing seems wrong. Underneath, the site leaks more than she realizes.

Her domain uses her full legal name. The contact page shows the same personal inbox she uses for school and banking. The resume PDF still includes her full street address because it came from an older job application. The headshot keeps location data from her phone. In the page code, she has a comment that says "temporary test form for Jane's personal email." The contact form still sends messages to that same address. Even the image filename includes her neighborhood.

None of that sounds dramatic on its own. Put together, it gives a stranger a clean trail to follow.

Before launch, she makes a few small changes. She turns on domain privacy, switches to a separate site email, shortens the resume to city and state only, exports the headshot again after removing metadata, removes her public phone number, and deletes the test comments from the source.

The finished site still feels warm and approachable. Visitors can see her work and contact her easily. They just do not get her home address, main inbox, or extra clues buried in files and code.

Mistakes that catch people off guard

Most privacy leaks come from boring defaults and old leftovers, not clever attacks.

Domain registration is a common one. People buy a domain, leave the registrar settings alone, and assume everything is fine. Then their full name, home address, phone number, or personal email ends up in public records because privacy was never enabled or checked.

Photos create the same kind of problem. An image can look harmless and still keep the date, device model, or location data from the phone that took it.

Personal contact details also spread into places people forget to check. You might put your everyday email in the footer, then repeat it in form settings, source code, comments, or structured data. Bots are fast, and they do not miss much.

Forms cause trouble too. Many personal sites ask for full names, phone numbers, company details, and addresses when a short message field would do. If you collect extra data, you now have to store it and protect it.

Then there are the things you planned to delete later: test pages, draft copies, old backups, and files called "final-v2" or "temp-contact." These often stay on the server after launch and can still be indexed or found.

Before publishing, review your registrar settings, strip metadata from images, use a separate public contact email, remove unnecessary form fields, and search the server for drafts and backups. Those few checks catch most of the mistakes people regret later.

Final checks and next steps

A personal site does not need much to leak more than you meant to share. One forgotten setting, one photo with location data, or one test page left online can undo careful work.

Before you publish, do one calm pass with fresh eyes. Check the site on desktop and phone. If you can, ask a friend to look at it too. Other people notice details you stop seeing after hours of editing.

Use this short pre-launch check:

• confirm domain privacy is on and public records do not show your home address, phone number, or personal email
• test each form and make sure auto-replies, error messages, and notifications do not expose extra details
• recheck images, PDFs, and downloads for metadata, filenames, and hidden comments
• view the page source and scan for test content, old scripts, draft text, tracking IDs, or personal notes
• search your own name, email, and site title on the live domain to catch anything visible that you missed

After launch, repeat the same review whenever you change the design, install a plugin, switch themes, add a new form, or upload fresh media. Small updates cause a lot of privacy mistakes. A ten-minute review after each round of changes is usually enough.

Your website is only one part of your exposure online. The site might be clean while data broker pages still list your address, phone number, age, relatives, or past locations. If that has already happened, Remove.dev automates removals from more than 500 data brokers and keeps checking for relistings while you keep your site lean on public details.

A good launch is quiet. Your work is public. Your private details are not.