Check your footprint. See what you're tracking in.
A 30-second scan of what this page can see about you right now — IP, browser fingerprint, permissions, and more.
The scan runs in your browser. We store nothing and send nothing to our servers. One external call (ipapi.co) looks up the city and ISP behind your IP — same information any site sees about you.
Ready to see your footprint?
The scan checks nine categories: browser and platform, display and rendering, language and timezone, storage and cookies, hardware hints, privacy signals, active permissions, canvas and WebGL fingerprint, and network (IP, ISP, geolocation). Each signal gets a risk flag. You get an overall exposure grade at the end.
Permissions
Green rows are off — the site can’t read these. Amber rows are on — the site is actively reading these right now. A granted permission persists across visits; revoke it in your browser’s site settings (see the cleanup steps →). Click any row for what each permission exposes when it’s on, including whether it keeps working after you close the tab.
How your footprint gets exploited
What you just saw isn’t a list of isolated exposures. These signals combine into a persistent profile that outlasts cookies, IPs, and individual accounts. Here’s what attackers, data brokers, and the ad market actually do with it — and where it ends up.
Cross-site fingerprinting
Stack canvas + audio + WebGL + screen + timezone + language + hardware hints together. The combination is often unique enough to identify you in a population of millions. This fingerprint persists across cookie clearing, Incognito, and IP changes. Data brokers buy and sell it; ad networks use it to link your anonymous sessions back to one profile over years.
De-anonymization
IP + city + ISP + browser + timezone + language + habits is often enough to narrow an anonymous account to a specific household. Cross-reference with public posts (a LinkedIn city, a social-media timezone cue) and the profile resolves to a real person. Investigators, stalkers, and harassers use exactly this combination.
Targeted attacks
UA + OS version tells an attacker which software exploits to try. WebRTC public IP leaking through a VPN is how forum, Discord, and social-media doxing happens. Timezone + language tells a phishing scammer when to call and what language to use. GPU model reveals hardware that might be vulnerable to specific known issues. Clipboard-read (if granted) captures any password or verification code copied while the tab is open.
Data-broker aggregation
Brokers stitch fingerprint + IP + behavior into persistent profiles sold to advertisers, insurers, credit-scoring firms, and — in some jurisdictions — employers. Your fingerprint is the primary key that binds otherwise-anonymous data points to one person over years, across devices, and across services.
Behavioral profiling (layered on top)
Everything above is passively readable — before you click anything. Once you interact, sites can capture mouse speed, scroll rhythm, typing cadence, and pause patterns. These are stable per-person signals; they can re-identify you even after scrubbing every technical signal above.
The secondary step
Once a site has your fingerprint, the follow-up work is trivial. They can recognize you on return visits (match hash). Cross-reference with breach corpora (email + IP + location in leaked databases like HIBP). Flag VPN/Tor users (mismatch between IP geo and language/timezone). Tailor phishing to your setup (language, timezone, device). Or sell the profile, which is where most passive collection ends up.
How the ad market actually uses this
The signals above don't sit quietly on one site. They flow through an industry-scale market that runs in real-time every time you load a page. Here's the mechanical path your fingerprint takes from your browser to a data broker's profile.
1. Collection
You visit Site A. A tracker loaded by that page runs JavaScript that generates your fingerprint — canvas hash, audio hash, screen, user agent, timezone, WebGL renderer — all combined. Takes about 50 milliseconds. Invisible.
The trackers doing this aren't small. Google's Analytics and Ads code is embedded on the majority of the world's top commercial sites. Meta's Pixel is on a large fraction of them. TikTok, LinkedIn, Microsoft, Criteo, Taboola, and hundreds of others populate the long tail. One page load routinely triggers 20–50 separate trackers, each computing its own fingerprint.
2. Binding to identity
Your fingerprint alone isn't a name. But the moment you do something identifying on Site A — log in, submit a form, click a link from an email you received, watch a video while signed into Google — the tracker builds a binding:
fingerprint abc123 ⇔ this known email / account
That binding goes to a server-side identity database and persists there indefinitely.
You don't have to log in on every site for this to work. You log in somewhere, and every other site using the same tracker inherits that binding from then on.
3. Recognition across sites
Later, you visit Site B. Site B has the same tracker embedded. It re-computes your fingerprint, sees abc123, looks up the binding, and knows you're the same person who was on Site A. Site B itself doesn't know who you are. The tracker does, and that's what matters.
This is why clearing cookies doesn't stop the recognition. The binding lives on the tracker's server, not in your browser. This is also why VPNs don't break it — the fingerprint doesn't come from your IP.
4. Sale and auction
Every ad-enabled page load triggers an auction called real-time bidding (RTB). Tens to hundreds of advertisers receive a bid request in parallel, each containing a slice of your profile. The highest bidder's ad loads. This happens in roughly 100 milliseconds, hundreds of times per hour for a typical web user.
The programmatic ad market runs roughly $150 billion a year on this mechanism. Your profile is its raw material.
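Steps 1 to 3 as a small runnable model, added here as an illustration and not code from this page or from any real tracker. The names `Tracker`, `fingerprint` and `fnv1a`, the FNV-1a hash and every sample value are assumptions constructed for the example; it shows which changes on the user's side leave the server-side binding intact and which one breaks it.

```javascript
// Constructed sample visit; a real tracker reads these values from browser APIs.
const visitSiteA = {
  signals: { canvas: "c4f1", audio: "9ab2", webgl: "constructed-gpu-renderer",
             screen: "2560x1440x24", timezone: "America/Denver",
             language: "en-US", cores: 8 },
  ip: "203.0.113.10", cookie: "sid-111", login: "user@example.com",
};

// FNV-1a (32-bit): a small dependency-free stand-in for the tracker's hash.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h = Math.imul(h ^ str.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Step 1, collection: hash device and browser signals only (no IP, no cookie).
function fingerprint(signals) {
  return fnv1a(Object.keys(signals).sort()
    .map((k) => `${k}=${signals[k]}`).join("|"));
}

// Steps 2 and 3: the binding lives in the tracker's server-side store.
class Tracker {
  constructor() { this.bindings = new Map(); }
  observe(visit) {
    const fp = fingerprint(visit.signals);
    if (visit.login) this.bindings.set(fp, visit.login); // binding to identity
    return { fp, identity: this.bindings.get(fp) || null }; // recognition
  }
}

function demo() {
  const tracker = new Tracker();
  const siteA = tracker.observe(visitSiteA);
  // Site B: cookies cleared, new IP via VPN, not logged in.
  const anon = { ip: "198.51.100.7", cookie: null, login: null };
  const siteB = tracker.observe({ ...anon, signals: visitSiteA.signals });
  // Same visit, but the canvas readback differs (per-session randomization).
  const noisy = { ...visitSiteA.signals, canvas: "c4f9" };
  const siteBNoisy = tracker.observe({ ...anon, signals: noisy });
  return { siteA, siteB, siteBNoisy };
}

console.log(demo());
```

`siteB` resolves to the logged-in identity despite the new IP and cleared cookie, because neither is an input to the hash. `siteBNoisy` does not resolve: one changed signal produces a different fingerprint with no binding behind it.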
Who's actually holding the data
Identity graphs
Google — by far the largest, via Google accounts, Ads, Analytics, and the DoubleClick ecosystem.
Meta — second largest, via Pixel and Facebook login on third-party sites.
LiveRamp — biggest independent identity graph; claims to link 250+ million US adults.
The Trade Desk — biggest independent demand-side platform; operates the UID2 identifier across ad tech.
Ad exchanges (RTB marketplaces)
OpenX, PubMatic, Xandr (Microsoft), Magnite, Index Exchange. They run the auctions. Every ad-enabled page load sends your profile to many of them in parallel, each returning competing bids.
Data brokers
LiveRamp, Acxiom, Experian, Nielsen. They aggregate online fingerprints + offline data (loyalty cards, property records, mortgages, public records) and sell "audience segments" to advertisers — e.g. "high-income parents in Salt Lake County, 35–50, recently searched for private school."
The legal status
GDPR (EU, UK): fingerprints are personal data. Collection requires consent and a lawful basis; use requires disclosure in the privacy policy. Enforcement has been uneven but real — several large ad-tech fines in the last three years.
CCPA and CPRA (California): fingerprints are "personal information." Californians have the right to opt out of sale and request deletion. Most platforms comply nominally; practical enforcement varies.
Most of the rest of the world: no specific regulation. Default behavior is unlimited collection, binding, and sale.
Your visitors leave these footprints on your platform too.
What you just saw is the view from one user's side. As a business, you sit on the other side of that transaction — receiving these signals from every visitor. A SignumCyber assessment looks at how you handle data you collect passively (analytics, session recordings, cookies, fingerprinting scripts, third-party tags) and whether your practices match what your privacy policy says.