How to fix: Contact email — role addresses only

GDPR Art. 14

Why this matters

A bare mailto: address on a public page is harvested by spammers within hours. Use a contact form or obfuscate the address to keep the inbox usable.

Background

Publishing a personal email (firstname.lastname@) on a public page exposes a person's data to scrapers; under GDPR Art. 14 you generally need a lawful basis to do so. Role addresses (security@, dpo@, abuse@, privacy@) are different — they're tied to the organisation, not a person, and several RFCs actually require them to be reachable.

References

GDPR Art. 14 (publishing personal data) · Recital 30 (online identifiers)

How to fix

Code snippet for each stack we cover. Pick the one matching your server / framework.

nginx: Not nginx-side — content responsibility.
apache: Same as nginx; this is a content responsibility, not a server-side setting.
cloudflare: Cloudflare 'Email Address Obfuscation' (Scrape Shield) is a partial defence — but modern scrapers run JS.
wordpress: Replace personal addresses with role addresses + a contact form; use webauditfix.com/tools/email-privacy to verify.
flask: Use role addresses (contact@, security@) and a Flask-WTF contact form for direct enquiries.
express: Same as flask: use role addresses and a contact form for direct enquiries.
rails: Same as flask: use role addresses and a contact form for direct enquiries.

Verify it's working

Run webauditfix.com/tools/email-privacy against your public pages — verdict should be 'role addresses only' or 'none exposed'.
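If you want the same check in your own CI or pre-publish hook, the following is an added example (not the webauditfix tool's code): it pulls addresses out of mailto: links and bare page text, classifies the local part against a role-address set (assumed here; RFC 2142 names plus the ones listed above) and returns the verdict wording this guide uses.

```python
import re
from html.parser import HTMLParser

# Local parts treated as role addresses: RFC 2142 mailbox names plus the ones
# this guide lists. The set is an assumption for this example; extend it as needed.
ROLE_LOCAL_PARTS = {"security", "dpo", "abuse", "privacy", "contact", "postmaster",
                    "hostmaster", "webmaster", "info", "support"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _AddressCollector(HTMLParser):
    """Collects addresses from mailto: hrefs and from bare text."""
    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") or ""
        if tag == "a" and href.lower().startswith("mailto:"):
            # Drop the "mailto:" scheme and any ?subject=... query before matching.
            self.found.update(EMAIL_RE.findall(href[7:].split("?", 1)[0]))

    def handle_data(self, data):
        # Bare addresses in text are harvested just as easily as links.
        self.found.update(EMAIL_RE.findall(data))


def is_role_address(address: str) -> bool:
    return address.split("@", 1)[0].lower() in ROLE_LOCAL_PARTS


def audit_html(html: str) -> dict:
    """Return the guide's verdict plus the personal addresses to remove."""
    collector = _AddressCollector()
    collector.feed(html)
    personal = sorted(a for a in collector.found if not is_role_address(a))
    if not collector.found:
        verdict = "none exposed"
    elif not personal:
        verdict = "role addresses only"
    else:
        verdict = "personal addresses exposed"
    return {"verdict": verdict, "personal": personal,
            "role": sorted(collector.found - set(personal))}


# Constructed sample footer: one role mailto, one personal mailto, one bare address.
SAMPLE_HTML = """<footer>
  <a href="mailto:security@example.org?subject=Report">Report a vulnerability</a>
  <a href="mailto:jane.doe@example.org">Jane Doe</a>
  <p>Or write to john.smith@example.org</p>
</footer>"""
```

Run `audit_html` over each rendered public page; anything other than 'role addresses only' or 'none exposed' lists the addresses to replace with a role mailbox or a contact form.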
