Sitetals is an independent compliance research project. This page explains how we discover compliance issues, why we contact website operators, and what legal framework governs our outreach — in full transparency.
Sitetals is an independent security and compliance research project, not a law firm and not a service vendor. We conduct systematic technical reviews of publicly accessible websites to identify potential EU regulatory compliance risks (GDPR, TDDDG, TMG) and report our findings to website operators in good faith under the principles of Responsible Disclosure.
We have no commercial relationship with any regulatory authority (CNIL, BfDI, or others) and are not affiliated with them in any way.
All compliance checks are performed exclusively through standard, unauthenticated public HTTP(S) GET requests — the same method used by any ordinary web browser visiting a website. We do not:
- perform active scanning
- perform directory fuzzing
- perform any unauthorised access
Our scanner reads only what any anonymous visitor can see. Technical logs are retained to demonstrate lawful, passive access in the event of a regulatory inquiry.
We locate contact email addresses exclusively from:
- the Contact: field in a /.well-known/security.txt file (preferred — per RFC 9116 this is the designated channel for responsible disclosure)

We prioritise generic business addresses (info@, contact@, datenschutz@, security@). We do not contact personal named addresses unless explicitly listed in a security.txt file.
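The following Python snippet is an added illustration of the contact-selection rules described above; it is not Sitetals' own tooling. It assumes the body of /.well-known/security.txt has already been retrieved with a plain GET, parses the RFC 9116 fields (Contact:, Expires:), keeps only mailto: contacts in file order (RFC 9116 treats the first listed Contact as the preferred one), orders generic role addresses before named ones, treats a missing or past Expires: as a stale file, and exposes the separate rule for addresses found elsewhere (generic local parts only). The sample file is constructed, and the generic local-part list mirrors the four on this page.

```python
"""Select responsible-disclosure recipients from an RFC 9116 security.txt.

Added example (not Sitetals' code). Assumes the file body was fetched
beforehand with an ordinary GET of /.well-known/security.txt.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Generic role addresses the page says are prioritised.
GENERIC_LOCAL_PARTS = frozenset({"info", "contact", "datenschutz", "security"})


def parse_security_txt(body: str) -> List[Tuple[str, str]]:
    """Return (field-name, value) pairs in file order.

    RFC 9116 field names are case-insensitive and '#' starts a comment line.
    Lines without a ':' are tolerated and skipped.
    """
    fields: List[Tuple[str, str]] = []
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        fields.append((name.strip().lower(), value.strip()))
    return fields


def _parse_expires(value: str) -> Optional[datetime]:
    # RFC 9116 uses ISO 8601, e.g. 2030-01-01T00:00:00.000Z. fromisoformat on
    # older Pythons rejects a trailing 'Z', so normalise it to +00:00 first.
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def _mailto_address(uri: str) -> Optional[str]:
    """Extract the address from a mailto: URI; tel:/https: contacts yield None."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "mailto" or not parts.path:
        return None
    return unquote(parts.path).split(",")[0].strip().lower()


def is_generic(address: str) -> bool:
    """True for role addresses such as info@ or security@."""
    local, _, _ = address.partition("@")
    return local in GENERIC_LOCAL_PARTS


def select_recipients(body: str, now: Optional[datetime] = None) -> Dict[str, object]:
    """Apply the outreach rules to a security.txt body.

    - Contact: fields are kept in file order (first listed = preferred).
    - Generic role addresses are ordered before named ones.
    - Named addresses are admitted only because they appear in security.txt.
    - A missing or past Expires: marks the file stale (design choice here:
      stale files yield no recipients, so the caller falls back to generic
      addresses from other public sources).
    """
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(body)
    expires = next((_parse_expires(v) for n, v in fields if n == "expires"), None)
    expired = expires is None or expires <= now

    emails: List[str] = []
    for name, value in fields:
        if name != "contact":
            continue
        addr = _mailto_address(value)
        if addr and addr not in emails:
            emails.append(addr)

    generic = [a for a in emails if is_generic(a)]
    named = [a for a in emails if not is_generic(a)]
    return {
        "expires": expires,
        "expired": expired,
        "generic": generic,
        "named": named,
        "recipients": [] if expired else generic + named,
    }


def allowed_fallback(address: str) -> bool:
    """Rule for addresses found outside security.txt: generic role addresses only."""
    return is_generic(address.strip().lower())


# Constructed sample security.txt (not taken from any real site).
SAMPLE = """\
# security.txt for example.de (constructed sample)
Contact: mailto:security@example.de
Contact: mailto:jane.doe@example.de
Contact: tel:+49-30-000000
Expires: 2030-01-01T00:00:00.000Z
Preferred-Languages: de, en
Canonical: https://example.de/.well-known/security.txt
"""

if __name__ == "__main__":
    result = select_recipients(SAMPLE, now=_parse_expires("2026-01-01T00:00:00Z"))
    print(result["recipients"])        # ['security@example.de', 'jane.doe@example.de']
    print(allowed_fallback("ceo@example.de"))  # False
```

The `now` parameter exists so the expiry check is reproducible; in real use it defaults to the current UTC time. Only mailto: contacts are considered because the outreach channel described on this page is email.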
Legal basis for processing contact email addresses: Art. 6(1)(f) GDPR / Art. 6 Abs. 1 lit. f DSGVO
Purpose: Good-faith notification of potential EU regulatory compliance risks to website operators who may be unaware of their exposure.
Necessity: Email contact is the only viable channel to reach website operators when no other designated disclosure mechanism (such as security.txt) exists.
Balancing test: The minor intrusion of receiving a single informational email is proportionate to and outweighed by the benefit of potentially preventing regulatory sanctions (including GDPR fines) for the recipient's business. The email is strictly informational, sent once only, with no follow-up, no tracking, and an immediate opt-out mechanism.
A full signed LIA document is maintained internally by Sitetals and is available to Data Protection Authorities upon request within 14 days.
We send exactly one notification per domain. We never send reminders, follow-ups, or re-contact operators who do not reply. If they do not act, the matter ends there.
We only contact generic business addresses (info@, contact@, datenschutz@, security@, etc.). We never contact personal named email addresses unless explicitly published in a security.txt file.
Our outreach emails contain no open-tracking pixels, no link-click trackers, and no read receipts. We deliberately do not know whether our emails are opened — this is by design, not an oversight.
Any reply with the subject "Abmelden" / "Désabonner" / "Unsubscribe", or an email to optout@compliance.sitetals.com, results in permanent removal from all outreach lists. No confirmation required. No delay. The address is suppressed immediately and never contacted again.
Outreach emails sent to German (.de) operators contain no commercial content, no pricing information, no calls to action, and no links to paid services. They are purely informational, structured as responsible disclosure notifications under German law (UWG §7).
Sitetals is an independent security and compliance research project. We conduct systematic technical reviews of publicly accessible websites and report potential data-protection risks to the affected website operators in the spirit of Responsible Disclosure.
All checks are performed exclusively by passively retrieving publicly accessible data via standard HTTP(S) GET requests without authentication, identical to what an ordinary website visitor does. We do not perform active scanning, directory fuzzing, or any unauthorised access.
Legal basis: Art. 6 Abs. 1 lit. f DSGVO (legitimate interests)
Purpose: Good-faith notification of website operators about potential EU compliance risks.
Necessity: Email is the only practicable notification channel when no security.txt contact exists.
Balancing of interests: The minor intrusion of receiving a single informational email is proportionate to the benefit, namely the possible avoidance of fines for the recipient. The notification is strictly informational, sent once, with no follow-up actions, no tracking, and an immediate opt-out mechanism.
Email policy: We send exactly one email per domain (no follow-up), exclusively to generic business addresses, without tracking pixels or link trackers, and with an immediate, permanent opt-out option. For German websites the email contains no commercial content whatsoever (no prices, no offer to purchase).
A complete signed legitimate-interest assessment (LIA) as well as our technical standard operating procedure (SOP) are available to data protection authorities on request within 14 days.
If you received one of our disclosure emails and have questions about our methodology, want to be removed from our lists, or believe our scan results are inaccurate — please contact us directly.