Personal Data Exposure Analyst

What This Is · I need a specialist to complete a personal OSINT exposure assessment and execute data removal across multiple jurisdictions. A Phase 1 foundation already exists (dark web sweep, search engine baseline, platform inventory) — you will be building on existing structur ...

Job description

What This Is
I need a specialist to complete a personal OSINT exposure assessment and execute data removal across multiple jurisdictions.

A Phase 1 foundation already exists (dark web sweep, search engine baseline, platform inventory) — you will be building on existing structured work, not starting from zero.

This is a privacy and data removal engagement. Not marketing. Not SEO. Not reputation management.

Why "Purple Team"
I am not looking for someone who can Google my name and list what comes up.

I need someone who thinks like an adversary — someone who can answer the question:
"What could a motivated investigator, due-diligence firm, or hostile actor reconstruct about my personal life, family, history, and associations using only publicly available sources?"

That means you approach this from an offensive mindset (red team: what can I find and how) combined with a defensive execution (blue team: how do I shut it down and prevent re-aggregation).

If you only know how to submit opt-out forms, this is not the right job.

If you only know how to run OSINT but have never executed removals, this is also not the right job.

I need both.

Scope of Work
What Already Exists (You Will Receive)

A structured Master Exposure Inventory (Excel) with ~50 entries covering social media profiles, portfolio platforms, and some data brokers — tagged with seed/aggregator/mirror/archive classification, jurisdiction, removal path, and priority
A completed Breach & Dark Web Summary (12 search vectors, passive-only, all clean)
A Search Baseline Snapshot (24 entries across Google, Bing, DuckDuckGo — 8 queries x 3 engines)

What Needs to Be Done

Layer 1:
Data Broker Deep Sweep (Priority)

Run my identifiers (name, 4 email addresses, 4 phone numbers, known addresses) through a minimum of 20 people-search and data broker platforms including: Spokeo, BeenVerified, Whitepages Premium, Intelius, Radaris, USPhonebook, Pipl, ThatsThem, ClustrMaps, Nuwber, FastPeopleSearch, TruePeopleSearch, MyLife, ZabaSearch, PeopleFinder, USSearch, PublicRecordsNow, , plus EU equivalents (InfoBel, , PagineBianche, DasOertliche, and Swiss/Spanish equivalents)

For each platform that returns results:
document exact PII exposed, screenshot the listing, provide the opt-out/removal URL and process
Not a list of tools. Actual findings per platform.

Layer 2:
Personal Life Exposure Mapping

Family & associates:
Who is publicly linked to me via people-search "associated persons" fields, property co-ownership, social media tagging, genealogy databases? Can a third party identify my family members?

Romantic relationships / partners:
Any public linkage through social media, property records, people-search associates, or tagged content?

Education history:
Alumni directories, , university archives, cached LinkedIn education sections, professional certification databases

Full address & residence history:
Historical address lookups across all 5 jurisdictions (Panama, Switzerland, Spain, UAE, Italy) via people-search brokers, property records, voter registrations, utility databases

Past employment:
Beyond data broker listings — check archived employer websites (Wayback Machine), professional registration bodies, industry directories, press releases, conference speaker bios that may still list old roles

Travel patterns & locations:
Geotagged social media, conference attendance lists, event registrations, hotel/restaurant review accounts

Layer 3:
Social Media Deep Scrape

Content-level analysis of all active profiles (Instagram x3, Facebook x2, LinkedIn, TikTok, YouTube x2, Pinterest, Medium, Rumble, Vimeo)

Extract and catalogue:
geotagged posts/photos, tagged persons, check-in history, friend/follower list exposure, comment threads with personal details, story highlights, video backgrounds revealing locations
Per-platform recommendation: what to delete, what to restrict, what privacy settings to change

Layer 4:
Technical & Archival Checks

Historical WHOIS records for all domains , , any others found) — check if personal address/phone was ever exposed before privacy protection
Wayback Machine review for all key URLs — identify archived pages containing removed information
Google Cache and Bing Cache for current high-priority pages
EXIF/metadata analysis on publicly accessible images for GPS coordinates, device info, timestamps
Email alias enumeration on company domain

Layer 5:
Multi-Jurisdiction Registry & Legal

Jurisdictions are prioritized by exposure risk:
Panama (primary): Active company registered. Full Registro Publico deep dive required — entity names, listed roles, registered addresses, co-directors/shareholders, registration dates.

Switzerland (secondary — high priority): No active company, but historical residency, active +41 phone number, and a family address that could create linkage risk (someone searching for me finds the address, searches the address, finds family members).

Check Zefix, cantonal commercial registers, cantonal resident registration (Einwohnerkontrolle) for historical records, and Swiss phone directories , ) for number listings.

Even though I left years ago, Swiss records are thorough and may persist.
Spain (secondary): Professional networking presence (BNI Madrid Centro). Check Registro Mercantil for any entity filings. Light pass unless something surfaces.
UAE (light pass): Business directory listing exists. Check DED/DMCC/free zone registries only if leads emerge from broker sweep.
Italy (light pass): Check Registro Imprese only if leads emerge. Lowest priority.

Court records:
PACER (US federal), relevant US state courts, and equivalent systems in Panama and Switzerland. Spain/UAE/Italy only if other layers surface a reason to check.

For all:
document entity names, listed roles, registered addresses, co-directors/shareholders, registration dates. "No information found" must include evidence of what was actually searched.


Layer 6:
Breach Analysis Completion

For two email addresses already flagged (19 breaches and 15 breaches via HIBP): list each breach by name, date, and specific data types compromised
Assess whether any breached credentials are reused
Provide remediation steps per breach

Layer 7:
Removal Execution (Phase 2)

GDPR / Right to Erasure requests where applicable
Data broker opt-outs with follow-up at 30/60/90 days
Search engine delisting requests (Google, Bing)
Wayback Machine removal requests for sensitive cached content
Re-aggregation monitoring and re-removal as needed
Jurisdiction escalation for non-compliance (DPA complaints, cross-border GDPR leverage)

Deliverable Format
Everything must be structured and spreadsheet-based. Not narrative reports.

All findings added to the existing Master Exposure Inventory (Excel) with consistent columns: URL, Platform, Data Type, Jurisdiction, Source Type (seed/aggregator/mirror/archive), Removal Path, Priority, Notes
Every row must have all fields completed — no blanks, no "already documented" without a specific row reference

Standardized priority labels only:
Critical, High, Medium, Low
Screenshots/evidence archived separately and referenced in the spreadsheet
All work must be reusable by another specialist if needed later

What I Do NOT Want

Tool lists presented as findings.

If you list 25 reverse phone lookup tools but don't tell me which ones returned results, that is not work product.

"No information found" without evidence of access. Show me you actually searched.
Surface-level platform checks that only confirm an account exists. I need content-level analysis.
Scope surprises. If you look at this and think it's 10 hours of work, do not apply. Be honest about timeline and cost upfront.

Requirements

Must have:
Demonstrated experience with offensive OSINT (red team / penetration testing mindset) — you should be able to think like someone trying to build a dossier, not just someone filling out a checklist
Proven data broker removal execution — not just knowing they exist, but actually submitting and tracking opt-outs across 20+ platforms
Multi-jurisdiction experience — you will be working across US, EU (GDPR), Switzerland, Panama, UAE, and Italy. If you have only worked in one country, this is not the right fit.
GDPR / privacy law removal experience — actual Article 17 requests, DPA escalation, not just familiarity with the concept
Social media OSINT at a content level — geotag extraction, metadata analysis, social graph mapping, not just "profile exists, no controversial content"
WHOIS history and archived content retrieval experience
Corporate registry research across multiple jurisdictions
Ability to work with an existing structured inventory and maintain its format
Absolute discretion and confidentiality. NDA required.


Nice to have:
PimEyes or facial recognition tool experience
Experience with UHNW or executive-level privacy work
Familiarity with re-aggregation prevention (not just responding to re-listing, but proactively disrupting the data supply chain)
Dark web monitoring tool access (though this layer is already complete)

Budget & Proposal
A previous specialist completed approximately 35% of the Phase 1 assessment (dark web sweep, search baseline, platform inventory). That foundation work was done well and you will build on it — not redo it.
What remains is the deep investigation layer (Layers 1–6) and the removal execution (Layer 7).


The project has three phases:
PhaseScopePhase 1 (remaining assessment)

Layers 1–6:
broker sweep, personal life mapping, social media scrape, technical checks, registries, breach analysisPhase 2 (removal execution)Layer 7:
opt-outs, GDPR requests, delisting, DPA escalation, 30/60/90 day follow-upsOngoing monitoring (quarterly)Re-aggregation checks, re-removal, periodic re-scans

Payment structure:
Milestone-based. Phase 1 payment upon verified delivery of the complete assessment. Phase 2 payment upon confirmed removal submissions with documentation. Monitoring billed quarterly.

Your proposal must include:
Your hourly rate
Your estimated hours per phase (Phase 1, Phase 2, and quarterly monitoring separately)
Total estimated cost
Realistic timeline for Phase 1 delivery

Be honest about the scope.

I previously had a specialist underquote at 10 hours, deliver surface-level work, and leave the majority of the job incomplete.

I would much rather see a realistic estimate — even if it is high — than an optimistic one that leads to incomplete delivery.

If you think this is a large engagement, say so and explain why.

Logistics

Existing foundation:
You will receive the current inventory file to build on. ~35% of the assessment is already done (dark web sweep, search baseline, platform inventory). This work was completed by a previous specialist and is structured, reusable, and verified.

Estimated scope:
To be proposed by you. See Budget & Proposal section.

Work style:
Solo operator preferred. If you work with a team, I need to know exactly who touches my data.

Communication:
Status updates with each deliverable. No black-box processes.

To Apply

Describe your experience with offensive OSINT specifically — not marketing analytics, not SEO audits. What adversary-mindset work have you done?
Give me an example of a data broker removal campaign you have executed — how many platforms, what was the re-aggregation rate, how did you handle it?

Which of the 5 jurisdictions in this project (US, Switzerland, Panama, UAE, Italy/EU) have you worked in before? Be specific.

What tools do you use for: people-search broker sweeps, WHOIS history, reverse image search, social media OSINT, and archived content retrieval?
Look at the scope above and give me an honest hour estimate and timeline.

I will respect an honest "this is 50 hours" far more than an optimistic "I can do it in 10.

"


Do not apply if:
Your experience is primarily in SEO, reputation marketing, or content suppression
You have not personally executed data broker opt-outs at scale
You cannot demonstrate multi-jurisdiction privacy law experience
You plan to subcontract any of this work without disclosing it

Contract duration of 1 to 3 months.


Mandatory skills:
Data Entry, OSINT