Offlist.meby TenX Cold Email
Home/Methodology
Transparency Doc · Updated April 2026

Methodology

How OfflistMe generates data broker opt-out requests end-to-end — the user flow, the legal framework we rely on, the broker coverage process, update cadence, and explicit limitations. Written for journalists, researchers, and cautious users.

Summary

OfflistMe is a self-service tool that generates pre-filled opt-out requests for 200+ data brokers and lets users send them from their own inbox. We are not an authorized agent; we do not act on users' behalf; we do not upload ID to brokers; we do not store users' personal data. The legal force of each request comes from the user's own rights under CCPA, VCDPA, CPA, GDPR, and similar laws. Our role is to reduce the research and clerical time of exercising those rights from hours to minutes.

End-to-End User Flow

  1. User arrives and enters identifying info

    Name, email, and optional address/phone. This input lives client-side — it is used to populate request templates but is not persisted on our servers beyond the session needed to generate the output.

  2. Templates are selected and filled

    For each of the 200+ brokers in our coverage list, we maintain a pre-written opt-out request template that cites the appropriate legal provision (CCPA §1798.105, VCDPA, CPA, etc. depending on the user's jurisdiction). The user's info is merged into the templates client-side.

  3. User receives a sendable request set

    Each broker's request arrives as (a) a pre-addressed email the user can send from their own inbox, or (b) a direct deep-link to the broker's self-service opt-out form, pre-populated where the broker's form supports it.

  4. User sends each request

    The user — not OfflistMe — sends the email or submits the form. This is a deliberate design choice. It means the request arrives at the broker from the user's own verified identity, which (i) strengthens the legal standing of the request, and (ii) means OfflistMe never handles the user's data after generation.

  5. Broker responds directly to the user

    Any confirmation, verification request, or rejection goes directly to the user's inbox. We do not see broker responses. Users can escalate unresolved requests to the California Privacy Protection Agency, state attorneys general, or the FTC using templates we provide.

Legal Framework

Every opt-out request OfflistMe generates cites a specific legal basis. The user is the rights-holder; the broker is legally required to comply. Here are the statutes we rely on:

CCPA § 1798.105 (California)

Right to Delete. Brokers must honor deletion requests from California residents within 45 days. They cannot charge or discriminate. Our California templates cite this section directly.

Primary source ↗

California Delete Act (SB 362)

Enacted 2023, effective 2026. Requires registered data brokers to honor universal deletion via the CPPA's Delete Request and Opt-Out Platform (DROP). We link users to this as an escalation path.

Primary source ↗

VCDPA (Virginia)

Virginia Consumer Data Protection Act. 45-day response window. Our Virginia templates cite §59.1-573.

Primary source ↗

CPA (Colorado)

Colorado Privacy Act. Right to delete. 45-day response. Our Colorado templates cite CPA §6-1-1306(1)(d).

Primary source ↗

GDPR Article 17 (EU/UK)

Right to Erasure. Brokers processing EU/UK resident data must delete without undue delay. No fee permitted. Our EU templates cite Article 17 directly.

Primary source ↗

Other US state laws

Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Delaware. Similar deletion rights with varying response windows (30–45 days).

Why We Are Not an "Authorized Agent"

Under CCPA §1798.135, a consumer may appoint a third party as an "authorized agent" to make deletion requests on their behalf. Most subscription services (DeleteMe, Incogni, OneRep) use this model. It requires the consumer to provide the agent with written permission and often a government ID so the agent can verify identity to the broker.

OfflistMe deliberately does not operate as an authorized agent. Instead, each request is sent by the user directly. The reasons:

  • Identity verification is simpler. A request from the user's own email address is often sufficient; brokers do not need to verify an agent relationship.
  • We never handle users' IDs. No government ID upload. No DL scans. No passport photos.
  • Users retain full legal standing. If a broker ignores the request, the user has a direct claim; there is no agent-relationship ambiguity.
  • We never store the request data. Because we do not send on the user's behalf, we do not need to persist anything about the request after generation.

For a longer discussion of this design choice, see The 'Authorized Agent' Loophole.

Broker Coverage & Update Cadence

How the broker list is maintained

Our 200+ broker list is compiled from: (1) the Vermont Data Broker Registry, (2) the California CPPA's data broker registrations, (3) community-sourced broker lists (Privacy Rights Clearinghouse, Reddit r/privacy wiki, PrivacyGuides.org), and (4) targeted audits when a new people-search site ranks for common name searches.

What "200+ brokers" means

We count each consumer-facing opt-out destination as one broker. Where a parent company (e.g., PeopleConnect, BeenVerified Inc., Acxiom) operates multiple sites, we list each site separately because each has its own opt-out process. This is why our count differs from services that claim "750+ brokers" — they often count parent companies as multiple entries, or include marketing-list brokers that are not directly accessible to consumers.

Update cadence

Broker opt-out pages change. Forms break. URLs get redirected. We audit the opt-out link and template for each broker on a rolling basis; no individual broker goes more than 90 days without being re-verified. Broken opt-out flows are flagged in-product; users are notified when a broker's process has changed materially.

Brokers we explicitly do NOT cover

  • Credit bureaus (Equifax, Experian, TransUnion). These require specialized opt-out processes under separate laws (FCRA).
  • Marketing list brokers without consumer opt-out pages. Many B2B data vendors (ZoomInfo, Apollo.io) have opt-out flows but require different request formats; we cover the major ones separately.
  • Government public records. Voter rolls, property records, court filings are not brokers; they are source material. We cover how to minimize what gets scraped from these, not how to remove them.
  • Search engines. Google, Bing removal (via "Results About You" etc.) has separate flows we document but do not automate.

How We Handle User Data

The short version: We do not store user-submitted PII beyond what is needed to generate the output in the active session. We do not sell user data. We do not share it with brokers on the user's behalf.

  • No account required. The tool works without sign-up. Users who do purchase a plan have a minimal billing record (email, payment reference) retained per standard accounting requirements.
  • Template generation is client-side where possible. Name/address inputs are processed in-browser when the broker template does not require server-side logic.
  • No ID uploads — ever. We never ask users to upload government ID. If a specific broker requires ID verification (a small minority do), that verification happens directly between the user and the broker, not through us.
  • No broker response tracking. Because requests go from the user's own inbox, we never see broker responses. This means we can't tell you a removal "succeeded" — but it also means we can't leak that data.
  • Public privacy policy. Full details at offlist.me/privacy.

Known Limitations

We flag these up-front because they affect the decision of whether OfflistMe is right for you.

No automated re-removal

Data brokers re-import from public records every few weeks. Your listings typically reappear within 3–6 months. Subscription services (DeleteMe, Incogni, OneRep) automatically re-submit on a schedule. OfflistMe does not — users must re-run the tool periodically to maintain removal. This is the primary trade-off for the one-time pricing model.

Cannot guarantee outcomes

No data removal service — not ours, not anyone else's — can guarantee removal. Brokers sometimes ignore requests; brokers merge and re-import data; new brokers emerge. We generate the request and cite the legal basis; enforcement ultimately depends on the regulator of the broker's jurisdiction.

US-optimized, globally usable

Our templates are strongest for US residents (CCPA, VCDPA, CPA, etc.) and EU/UK residents (GDPR). Coverage for other jurisdictions (Canada PIPEDA, Australia Privacy Act, India DPDP Act) exists but is narrower. Users outside core coverage may need to supplement with jurisdiction-specific language.

Some brokers require direct ID verification

A minority of brokers (LexisNexis, Acxiom, some background-check sites) require government ID verification directly from the user, regardless of which removal method is used. OfflistMe's templates direct users to these brokers' verification flows rather than attempting to proxy them.

Effectiveness depends on user action

Because the user sends each request, a user who generates the opt-out set but never actually sends them sees no benefit. This is a trade-off for the privacy-preserving design (us not acting as agent = us not auto-sending). We provide a send-tracker so users can check off each request.

How to Verify Any of This Independently

We encourage journalists and researchers to test claims rather than take them at face value.

  • Audit the opt-out templates. We are happy to share the full template set for any broker on request. Email press@offlist.me.
  • Test the flow. Sign up without payment to see the free-tier output. Inspect the generated email before sending to confirm no data flows through us.
  • Check our privacy policy. offlist.me/privacy. Look for what is stored and for how long.
  • Check the broker list. offlist.me/directory. Spot-check 10 random brokers against their stated opt-out pages.
  • Check the legal citations. Every template cites a specific statute. Open the statute. Confirm the citation is correct.

Press & Research Inquiries

For journalist interviews, data requests, or methodology questions: press@offlist.me.

For a full press kit (founder bio, logos, screenshots, statistics): see the press page.

We do not pay for placements, do not run affiliate arrangements with reviewers, and do not gate information behind NDAs. Everything on this page is on the record.

Related Pages

Comparison study: 8 services scored →Our methodology applied to the broader marketHow to remove data for free →The manual method our tool is based onWhy we built OfflistMe →Company story and founder backgroundPrivacy policy →What we store, for how long, and why