Privacy tips when signing up for online services
Signup forms are the front door of personal-data exposure. Most of what gets harvested by data brokers comes from a small handful of forms, filled out without much thought, sometimes a decade ago. The good news: the cost of doing this well is roughly the same as the cost of doing it badly, if you build a few habits.
This is the practical checklist. We'll walk through what each field on a typical signup form is actually used for, what you can safely fudge, and which privacy tools save you the most time per minute spent learning them.
The honest model of a signup form
Most companies asking for your information are trying to do four things at once:
- Authenticate you the next time you come back.
- Communicate with you (transactional, marketing, or both).
- Reduce fraud and bot signups.
- Build a marketing data set to sell, share, or use for retargeting.
The first two are legitimate. The third is grudgingly understandable. The fourth is what your privacy hygiene should be defending against.
The fields, one by one
Email address
Where you should spend the most thought. Three options:
- Disposable for one-shot interactions. Use a service like PocketInbox. The address evaporates; you owe no further attention.
- Alias for relationships you want to keep on your terms. addy.io, SimpleLogin, DuckDuckGo Email Protection, Apple "Hide My Email," or Firefox Relay. Per-service aliases reveal which company leaked your address if you start receiving spam.
- Real address only for accounts where the email matters — banks, healthcare, registrars, important employers, anything where a password reset would matter.
A reasonable default: alias for new accounts, disposable for "I'll click this verification link and never come back."
Name
Always supply a real-sounding name. Don't lie if there's a chance the service legally requires KYC (banks, brokerages, online ID checks). For shopping or content sites, your first name is sufficient and often a stylised last name ("Smith," "Jones," "Lee") is more than the site needs.
Phone number
The single most-leaked piece of contact information in 2026. Privacy hygiene:
- Buy a separate prepaid SIM, in cash, with a separate number you only give to "transactional but not personal" relationships (marketplaces, rideshare apps).
- For cases that demand a number but don't legally require yours (some marketing forms), services like Google Voice, MySudo, JMP.chat, or Numero offer second numbers with SMS routing.
- If the form is optional, leave it blank.
Date of birth
Required by some services for age verification. If the platform isn't actually age-gating you, the field is decorative; consider entering January 1 of an age-correct year. Don't lie about being older or younger than your real legal age category, because that breaks a few laws.
Postal address
Only needed for shipping. For non-shipping purposes (e.g. "billing address" on free services), use a known PO Box or a courier service that gives you a forwarding address. For shipping, accept that the courier will see your real address. Use a workplace, gym, or parcel-locker address where possible.
Username
Don't reuse usernames across sensitive accounts. Doxx-friendly correlation between a Reddit username, a Steam username, and a LinkedIn URL is one of the most common deanonymisation patterns.
Password
Use a password manager. Generate a unique random password per site. The single highest-impact privacy upgrade for most people, by miles.
"Optional" marketing fields
Skip them. "How did you hear about us?" "What's your job role?" "What size company do you work for?" — these are pure data harvesting. Filling them in adds nothing to your account; not filling them in adds nothing to your friction.
Cookies and tracking on the signup page itself
The form posts to the company's server, but the page renders dozens of trackers (Meta Pixel, LinkedIn Insight Tag, Google Ads, TikTok Pixel, sometimes a session-replay tool like Hotjar). To minimise:
- Sign up in a private/incognito window. Your existing third-party cookies don't follow you in.
- Use Firefox with strict tracking protection or Brave. Both block known trackers.
- uBlock Origin handles the rest.
- A privacy-respecting DNS resolver (1.1.1.2, NextDNS, AdGuard DNS) catches what your browser misses.
Email-handle hygiene
Once you've decided to use an alias or disposable, follow these patterns:
- Per-service aliases. If addy.io lets you generate as many as you want, generate one per service. Naming convention: servicename.alias-domain.
- Tag everything. If your provider supports plus-addressing (you+forsite@gmail.com), use it for any service that doesn't deserve a dedicated alias. Many sites strip the plus when pasting; if so, fall back to alias.
- Watch for breach signals. Check Have I Been Pwned periodically. If store-x@yourdomain appears in a breach, you know exactly which service leaked.
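The breach-signal check above can be turned into a small script. This is an added example, not part of the original article: it maps addresses reported in a breach back to the service they were issued to, and shows the case where a site stripped the plus tag and the hit can no longer be attributed. The domain alias.example, the mailbox you@mail.example and the sample hits are constructed assumptions.

```python
from typing import Optional

# Constructed assumptions: replace with your own alias domain and mailbox.
ALIAS_DOMAINS = {"alias.example"}      # every local part here is a per-service alias
PLUS_MAILBOXES = {"you@mail.example"}  # real mailboxes used with plus-addressing

def attribute_leak(address: str) -> Optional[str]:
    """Return the service label encoded in a leaked address, or None."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        return None  # not a usable address
    if domain in ALIAS_DOMAINS:
        return local  # per-service alias: the local part names the service
    base, plus, tag = local.partition("+")
    if plus and tag and f"{base}@{domain}" in PLUS_MAILBOXES:
        return tag  # plus-addressing: the tag names the service
    return None  # bare mailbox (tag stripped or never used): no attribution

def summarize(breached: list[str]) -> dict:
    """Group breached addresses by the service that must have held them."""
    report = {"attributed": {}, "unattributed": []}
    for addr in breached:
        service = attribute_leak(addr)
        if service:
            report["attributed"].setdefault(service, []).append(addr)
        else:
            report["unattributed"].append(addr)
    return report

# Constructed sample: addresses a breach-notification check reported for you.
SAMPLE_HITS = [
    "store-x@alias.example",     # dedicated alias
    "You+ForSite@mail.example",  # plus-tagged, mixed case as leaked
    "you@mail.example",          # site stripped the tag at signup
]

if __name__ == "__main__":
    result = summarize(SAMPLE_HITS)
    for service, addrs in result["attributed"].items():
        print(f"leaked by {service}: {addrs}")
    print("cannot attribute:", result["unattributed"])
```

The unattributed bucket is the reason to prefer a dedicated alias for any service that strips plus tags.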
Two-factor authentication
Email-based 2FA is convenient but weak. Prefer:
- A hardware key (YubiKey, Solo, Token2) for the highest-stakes accounts.
- A TOTP authenticator app (Aegis on Android, Raivo on iOS, 1Password's built-in).
- SMS as a fallback only — or, ideally, not at all. SIM-swap attacks are alive and well.
The "reading the privacy policy" myth
Nobody reads privacy policies. They're written for lawyers, are typically 3,000–10,000 words, and would take an estimated 76 days a year if you read them all. Don't pretend you'll read every one. Instead:
- Skim for "Do you sell personal information?" If yes, your CCPA opt-out is somewhere in the document.
- Look at Terms of Service Didn't Read, which scores major sites' policies on a 5-point scale.
- Look for a "Data Subject Request" link. Its presence is a positive signal; its absence on an EU-facing service is a negative one.
Browser-level practices
- Container tabs (Firefox Multi-Account Containers) isolate cookies per category. Logging into LinkedIn from your "Work" container means LinkedIn's tracking pixel can't see what you do in your "Personal" container.
- Brave or Vivaldi on Chromium-based devices for similar isolation.
- Browser fingerprinting is harder to defeat than cookies. Tor Browser is the gold standard if your threat model warrants it.
Mobile app signups
Apps have access to more about you (advertising ID, device sensors, sometimes contacts). When the same service is available on web and app, prefer web for low-stakes interactions. If you must install an app:
- Reset your advertising ID monthly (iOS and Android both expose this).
- Don't grant Contacts permission unless the core feature requires it.
- Review app permissions quarterly; rescind anything that doesn't pass the smell test.
What about "Sign in with Google / Apple / Facebook"?
Apple's "Sign in with Apple" is the privacy-best default — it offers per-app Hide My Email aliases. Google's option leaks your real email but reduces password reuse. Facebook's option is a privacy-loss event you should almost always decline.
The "data minimisation" mindset
The single most powerful privacy practice is "give the smallest amount of true information that the service legally needs to function." Everything else flows from that. Disposable email, aliases, password managers, and per-service usernames are all just tools that make data minimisation easy. The goal isn't to deceive; the goal is not to volunteer.
The five-minute setup
If you're starting from scratch, this is the order of operations that pays off fastest:
- Install a password manager. Move every account into it as you log into them. Generate new passwords as you go.
- Sign up for an alias service. Make a per-service alias next time you create an account.
- Bookmark a temp-mail aggregator. Use it for one-shot signups.
- Add hardware-key 2FA to your email and your password manager.
- Install uBlock Origin and a tracking-resistant DNS.
That's it. Total setup: an hour. Total ongoing time-cost: ~30 seconds per signup, less than the time it takes to dismiss the cookie banner.