How to fix: Contact email — role addresses only
GDPR Art. 14
Why this matters
A bare mailto: address on a public page is harvested by spammers within hours. Use a contact form or obfuscate the address to keep the inbox usable.
Background
Publishing a personal email (firstname.lastname@) on a public page exposes a person's data to scrapers; under GDPR Art. 14 you generally need a lawful basis to do so. Role addresses (security@, dpo@, abuse@, privacy@) are different — they're tied to the organisation, not a person, and several RFCs actually require them to be reachable.
References
GDPR Art. 14 (publishing personal data) · Recital 30 (online identifiers)
How to fix
Guidance for each stack we cover. Pick the one matching your server or framework.
nginx
Not an nginx-side fix: which address is published is a content responsibility, not a server setting.
apache
Same as nginx: a content fix, not a server configuration fix.
cloudflare
Cloudflare 'Email Address Obfuscation' (Scrape Shield) is only a partial defence, because modern scrapers execute JavaScript and recover the decoded address.
wordpress
Replace personal addresses with role addresses + a contact form; use webauditfix.com/tools/email-privacy to verify.
flask
Use role addresses (contact@, security@) and a Flask-WTF contact form for direct enquiries.
express
Same as Flask: role addresses plus a contact form for direct enquiries.
rails
Same as Flask: role addresses plus a contact form for direct enquiries.
Verify it's working
Run webauditfix.com/tools/email-privacy against your public pages — verdict should be 'role addresses only' or 'none exposed'.
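Added example of the check the verdict describes, not the webauditfix.com tool's own code: it collects addresses from mailto: links and visible text (including entity-obfuscated ones, which any HTML parser decodes) and classifies each as a role or personal address. The role list, the firstname.lastname heuristic and the example.com sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Role mailboxes: the ones named in this guide plus common RFC 2142 names
# (assumption: an illustrative default, not the checker's exact list).
ROLE_LOCAL_PARTS = {"security", "dpo", "abuse", "privacy", "contact",
                    "postmaster", "hostmaster", "webmaster", "noc", "support"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# firstname.lastname style: two or more alphabetic words joined by . _ or -
PERSONAL_RE = re.compile(r"[a-z]{2,}([._-][a-z]{2,})+")

class MailtoCollector(HTMLParser):
    """Collects addresses from mailto: hrefs and visible text. HTMLParser decodes
    character references, so &#64;-style obfuscation does not hide an address."""
    def __init__(self):
        super().__init__()
        self.found = set()
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value and value.lower().startswith("mailto:"):
                # drop ?subject=... parameters before matching
                self.found.update(EMAIL_RE.findall(value.split("?", 1)[0]))
    def handle_data(self, data):
        self.found.update(EMAIL_RE.findall(data))

def classify(address):
    """Return 'role', 'personal' or 'unknown' for one address."""
    local = address.split("@", 1)[0].lower()
    if local in ROLE_LOCAL_PARTS:
        return "role"
    if PERSONAL_RE.fullmatch(local):
        return "personal"
    return "unknown"

def audit_page(html):
    """Return (verdict, {address: kind}); verdict wording follows the checker's."""
    parser = MailtoCollector()
    parser.feed(html)
    report = {addr: classify(addr) for addr in sorted(parser.found)}
    if not report:
        verdict = "none exposed"
    elif set(report.values()) == {"role"}:
        verdict = "role addresses only"
    else:
        verdict = "personal or unclassified address exposed"
    return verdict, report

# Constructed sample page (not a real site): two role addresses, one entity-obfuscated personal one.
SAMPLE_HTML = """
<p>Security: <a href="mailto:security@example.com?subject=Report">security@example.com</a></p>
<p>Data protection officer: dpo@example.com</p>
<p>Ask for Jane: jane&#46;doe&#64;example.com</p>
"""
```

Running `audit_page(SAMPLE_HTML)` flags the page because jane.doe@ is reachable despite the entity obfuscation; replacing it with a role address or a contact form turns the verdict into 'role addresses only'.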