Your Email Address Is a Tracking Number — Here's How to Take It Back
Your email is the primary key marketers use to stitch together your digital life. Here's how to cut the thread without abandoning the inbox you've had for a decade.
Updated 2026-04-19
A fifteen-year paper trail
You've probably used the same email address for ten or fifteen years. Maybe longer. You signed up for a gym membership back in 2013, a newsletter in 2015, an online shop in 2017, and a free trial of some software you've since completely forgotten about. Every one of those companies still has your email in their database. Some have been breached. A few have quietly sold it to marketing partners. Several have been acquired by bigger companies who inherited your data along with the office furniture. Your email address isn't just a way to send messages. It's the primary key that ties together nearly every account you've ever made. Marketers, data brokers, and identity-verification services use it to stitch fragments of your life into one big profile — one that follows you across devices, across sites, and across years.
They profit. They won't answer.
Here's where it gets properly frustrating. Try asking any one of those companies what they've got on you. Seriously, try it. A government agency is generally required by law to produce your records when you ask. A private data broker? They operate behind a contact form that goes to a shared inbox nobody reads. No phone number. No accountable person. Your request, if they bother to acknowledge it at all, gets a canned reply weeks later. Meanwhile they've been making money off your address the whole time — selling it, trading it, feeding it into profile-building engines that no individual request will ever claw back. For privacy-minded people, that asymmetry is the fight. They profited. You can't audit them. So the play isn't to beg for transparency from companies structured to avoid giving it. The play is to stop handing them ammunition.
What your email actually tells people
When you hand over your address, you're not just handing over a string of characters. You're handing over a lot more than that.
An identifier that persists across sites, for one. The same address at two different companies links the two profiles. Every breach is a jigsaw piece and your email is the corner.
Your name, most of the time. "mary.jackson@gmail.com" is basically a signed confession. Even "mjackson1987" gives away a probable birth year.
Your rough age and era. Hotmail addresses skew older. ProtonMail addresses skew privacy-aware. iCloud addresses signal someone in the Apple ecosystem. Marketers read every one of those signals.
And finally, a foothold for phishing. Once someone has your email, every account recovery flow they can trigger is one step closer to actually compromising you.
Use aliases for anything that isn't a human
An email alias is a disposable address that forwards to your real inbox. You make a new one for each site you sign up to — "netflix.asdf12@yourdomain" goes to Netflix, "bunnings.xkcd99@yourdomain" goes to Bunnings — and if any single site leaks, spams, or sells your address, you disable that alias and move on. Your real inbox never sees daylight. Two services worth looking at: SimpleLogin and addy.io (formerly AnonAddy). Both have free tiers. Both let you use your own domain if you've got one. Both have browser extensions that generate a new alias at signup with a single click, which is honestly the thing that makes the habit stick. A new alias per site does a few things at once. It tells you who leaked — if "target.alias47@yourdomain" starts getting spam, you know exactly which company lost control of its database. No need to ask them, no need to chase a data request that'll never be answered — the evidence shows up in your inbox. It also breaks cross-site tracking, because data brokers can't merge your Netflix profile with your Bunnings profile if they can't see they belong to the same person. And it gives you a kill switch.
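The per-site alias habit and the "it tells you who leaked" check, as an added example (not code from this article, SimpleLogin, or addy.io). It assumes a domain you control (`example.com` here), a private secret, and an HMAC-derived suffix in place of the random suffix an alias service would generate; the function names and sample messages are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parseaddr

ALIAS_DOMAIN = "example.com"         # assumption: a domain you control
SECRET = b"constructed-demo-secret"  # assumption: kept private, never reused

def make_alias(site: str) -> str:
    """Derive a per-site alias of the form <label>.<6 hex chars>@domain."""
    site = site.lower()
    label = site.split(".")[0]
    # The HMAC suffix stops anyone guessing your alias for another site.
    suffix = hmac.new(SECRET, site.encode(), hashlib.sha256).hexdigest()[:6]
    return f"{label}.{suffix}@{ALIAS_DOMAIN}"

def attribute_leaks(raw_messages, issued):
    """Count mail that reached an alias from a sender outside the site's domain."""
    by_alias = {alias: site for site, alias in issued.items()}
    leaks = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        headers = msg.get_all("To", []) + msg.get_all("Delivered-To", [])
        # A set avoids double counting when To and Delivered-To match.
        for addr in {a.lower() for _, a in getaddresses(headers)}:
            site = by_alias.get(addr)
            if site and sender != site and not sender.endswith("." + site):
                leaks[site] += 1
    return dict(leaks)

ISSUED = {s: make_alias(s) for s in ("netflix.com", "bunnings.com.au")}

SAMPLE_MAIL = [  # constructed messages, not real traffic
    f"From: billing@mail.netflix.com\nTo: {ISSUED['netflix.com']}\n"
    "Subject: Receipt\n\nThanks.\n",
    f"From: promo@cheap-pills.example\nTo: {ISSUED['bunnings.com.au']}\n"
    "Subject: Deal\n\nBuy now.\n",
    f"From: win@lottery.example\nTo: {ISSUED['bunnings.com.au']}\n"
    "Subject: Winner\n\nClaim it.\n",
]

if __name__ == "__main__":
    print(attribute_leaks(SAMPLE_MAIL, ISSUED))
```

A sender-domain mismatch is a signal to review, not proof of a sale: some companies send legitimate mail through a third-party mailing service on a different domain.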
Move the sensitive stuff somewhere private
Aliases solve the signup problem. They don't solve the scanning problem. If your actual mailbox lives at Gmail, Outlook, or Yahoo, every message you send and receive gets processed by the provider. Indexed, analysed, fed into whatever their current use case is. The reason changes every few years — ads, then "product improvement," now AI training — but the scanning doesn't. And if you email them asking exactly what's been extracted from your messages and where it's gone, you'll get a link to a generic privacy page and a polite nothing. They're not going to itemise it for you. For email you actually care about (legal, medical, financial, anything personal), use a provider that can't read your messages. End-to-end encrypted, based somewhere outside the Five Eyes, stored on servers the provider itself can't decrypt. Switzerland is the obvious home for this. Long-standing privacy laws, outside the EU's data-sharing arrangements, legal frameworks that have been tested in court more than once. We compare the handful of providers that actually meet that bar over at NoSpyEmail — worth a look when you're ready to pick one.
Clean up what's already out there
Aliases and a private provider protect your future. Your past needs a different approach, and a bit of stubbornness. Run your primary email through Have I Been Pwned. It'll tell you which breaches your address has turned up in, and honestly, the first time you do this it's a bit sobering. For every breach it flags, change the password on that account if you haven't already — and assume anything you reused elsewhere is compromised too. Then unsubscribe, ruthlessly. Sort your inbox by sender. Every newsletter, every promotional email, every service you stopped using in 2019, hit unsubscribe. Don't use tools like Unroll.me for this — they make their money by selling the list of your subscriptions, which is exactly the trick you're trying to stop falling for. Do it by hand. It takes an hour, and the payoff runs for years. While you're at it, actually exercise the rights you do have. Under GDPR (if you're in the EU or UK) or the Privacy Act in Australia, you can submit a data subject access request to any company holding your information. Most won't reply usefully. Some will send you a PDF full of raw database dumps that's barely readable. A few will just ignore you. But each request is a small administrative cost to them, and when enough requests pile up, it's what eventually attracts regulator attention. The OAIC in Australia, the ICO in the UK, and the EU's various DPAs all act on complaints. Last one: delete old accounts. JustDeleteMe has a directory of account-deletion processes for hundreds of services, ranked by how obnoxious each company makes it. Start with the easy ones to build momentum, then tackle the harder ones once you've got a rhythm going.
What changes
Once your new signups run through aliases, your real correspondence lives somewhere encrypted, and your old breaches are contained, your email stops being a tracking number. It goes back to being what it was supposed to be — a way for people who actually want to talk to you to get a message through. It's not instant. Six months in, your spam volume will be noticeably down. Twelve months in, you'll know exactly which companies respect your data and which don't, because you watched which of your aliases started attracting rubbish. That knowledge, weirdly, is the thing that ends up being most useful. You can't force a faceless marketing company to tell you the truth about what they have. You can watch their behaviour and act accordingly. That's the whole game. They've spent years building profiles on you without asking. You don't need their permission to dismantle the raw material they depend on.