Written by Design Action Collective

Image created by Design Action Collective.

In a world where every keystroke and click is monitored, the stakes for non-profits have never been higher. If you’re in the non-profit sector, protecting your organization’s data isn’t just important; it’s essential. You’ve come here because you recognize the urgency of tightening your security. Let’s transform that awareness into proactive strategies to keep your mission—and the sensitive data tied to it—safe from prying eyes and malicious actors.

We all face different threats and are comfortable with different levels of risk. It’s important to know that there is no one data privacy recipe that fits everyone’s threat model. But what you’ll find here will give you a solid place to start. Plus, with the exception of the optional (but strongly encouraged) USB Security Key, the tools used in this recipe are entirely free (as of March, 2026).

Follow this recipe and you will acquaint yourself with important privacy tools that will make it harder for hackers to phish for your account credentials. And you will learn some basic patterns to make it harder for data brokers and law enforcement to collect information about you. If we say this data privacy recipe is an umbrella, then you need to know it’s not suitable for all storms. If you need complete anonymity, you’ll need jackets, lanterns, and other tools. What this is: a 1-hour tutorial that will jump-start your journey.

This recipe is for you if…

  • You use Google, Apple or Microsoft for your primary browser, search engine, or email.
  • You use the same or similar password everywhere or don’t use a password manager.
  • You found your account in a data breach on Have I Been Pwned and now you want to keep your account safe from hackers.
  • You don’t know what authenticator apps or USB security keys are.
  • You want to minimize the risk you pose to your friends and family.
  • You don’t have time to get a degree in cybersecurity but still want a solid, easy place to start.

At the end of this data privacy recipe, you will have the following:

  • Basic practice with the security tools needed to function today.
  • Basic protection from credential stuffing and phishing scams.
  • Basic protection from people who want to build a profile of your digital activity.

Do you feel daunted looking at this recipe? Schedule time to do this with your friends or call us and we’ll help.

Ingredients for your data privacy recipe

To make this tutorial easier to follow, we selected specific tools to use so that you don’t have to figure it out for yourself. But we are not affiliated with any of the companies below.

We chose these because they are reputable and, most important for this data privacy recipe, they are free. It’s a great place to start when you’re not sure you want to invest money, and so we suggest them here.

But if you have an anti-virus, password manager, or secure email account that you prefer, use that. And for certain threat models, you may want to purchase a tool that offers the protection you need.

The tools you’ll need to download

Foundation for your digital security

Tools to protect your accounts

Tools to communicate with privacy

Invent your new identities to keep bad actors in the dark

In this tutorial you will create several identity aliases that include secondary emails, telephone numbers, names and birthdays. It may look like a lot at first, but the tools we provide make it easy to get started and easy to track.

Data Privacy Recipe Template

Step 1: Secure your devices

A) Assess if your behavior is risky enough to benefit from additional antivirus software

Antivirus software detects and removes malware from your computer and devices. Historically you had to install this defense system on your own, but nowadays strong antivirus software comes preinstalled on Windows, Android, and Apple operating systems. So do you need anything else?

If all the apps you download come from your operating system’s official app store, then the answer is probably no. If you download apps from unofficial sources, you may benefit from additional antivirus software.

And on the iPhone in particular, users will find that there is no malware-detecting software you can install from the app store. What looks like an antivirus program in the app store instead provides other security features, like a Virtual Private Network (VPN), password manager, and identity theft protection. These tools are now the basic tools we all need to know how to use. But instead of paying for those services, let’s set them up for ourselves so that we understand what they’re doing and how they work. Read on to learn how.

B) Start using a browser and search engine that protects your privacy

Brave browser, Firefox browser and DuckDuckGo browser are each committed to protecting your privacy. They provide built-in tools to protect you from trackers, browser fingerprints[1], or having your web searches monitored.

All these features are useful if you are creeped out by targeted ads, annoyed by the surveillance economy, or just don’t want data brokers to sell your information to law enforcement.

I recommend you download all three. Pick one to use for work and one to use for your private life. Keep the third around as an option.

Step 2: Protect your accounts

A) Create your security journal and store it in a safe place

Your security journal[2] is one of the most important parts of your new security system. You will put just a few important passwords in your security journal, including your master password for your recovery email, primary correspondence email, and any recovery kits related to those.

Pick a safe but accessible place in your home. When you are not using your security journal, keep it there.

Is it safe to write my passwords on paper?

For most people, your passwords are more likely to be leaked in an online data breach than to be targeted in home theft. If, however, your security journal is stolen, you should change your master password immediately. We will provide an example of what to include (and not include) in your security journal so that if it is stolen it is less useful to anyone who gets their hands on it.

Steps to create your security journal

  • Obtain a beautiful journal that makes your heart feel at ease when it reflects sunlight through the window.
  • Label the inside page something that lets you know what this is. I called mine my “digital recipe book.”
  • Find a safe and accessible place for it in your home. Put it there when you are not using it.

B) Create your recovery email and share it with no one

If you are locked out of your primary correspondence email or password manager account, your recovery email[3] is what you will use as a backup of last resort.

It is important to ensure hackers and data brokers don’t know your recovery email exists, so use your recovery email only for this purpose.

Steps to set up your recovery email

  • Create a Tuta mail account.
  • Create a 30-character passphrase that uses 5 random words in more than one language plus numbers. For example: Displace6-Biblioteca1-Hazily5-Gracious0-Boondocks1.
  • Write an entry in your security journal called “Recovery.” Write down the passphrase.
  • Add multi-factor authentication[4] using your USB security key[5].
  • Add multi-factor authentication using your authenticator app to get one-time passwords[6].

Why should I use security keys and an authenticator app?

The USB Security key and an authenticator app’s one-time password will help protect you from phishing scams[8]. If a hacker gets your username and password, but not your security key or authenticator app, they will not be able to log into your account.

USB Security keys are more effective at protecting you than authenticator apps, but authenticator apps are better than text message or email codes. Where you have the option, use something stronger than text or email codes.

C) Set up your password manager and start creating strong, unique passwords for every website you use

Your password manager will be where you store all of your strong, unique passwords. Using a password manager helps protect your account from credential stuffing[7] and from choosing easily guessable passwords. The best part is that you don’t need to remember anything but your master password; Proton Pass remembers everything else for you.

Steps to set up your Proton Pass account

  • Create your Proton Pass account.
  • Create a 30-character passphrase using 5 random words in more than one language plus numbers. For example: Babble3-Burro7-Hawkish1-Feliz0-Pancacke1.
  • Create an entry in your security journal called “Pass.” Write this password into your security journal.
  • Add multi-factor authentication using your USB Security key.
  • Add multi-factor authentication using your authenticator app to get one-time passwords.
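
The passphrase step used for both the recovery email and Proton Pass can be done with a cryptographically secure random generator instead of picking words by hand. This is an added example, not part of the original recipe; the word lists are short constructed samples, and the function names are hypothetical.

```python
import math
import secrets

# Constructed sample lists, far too short for real use. Assumption: in practice
# each list holds thousands of words (the EFF long word list has 7,776).
WORDLISTS = {
    "en": ["displace", "hazily", "gracious", "boondocks", "babble", "hawkish",
           "lantern", "umbrella", "orchard", "thimble", "gravel", "mosaic"],
    "es": ["biblioteca", "burro", "feliz", "ventana", "manzana", "camino",
           "estrella", "zapato", "lluvia", "cuchara", "puente", "nube"],
}

def pick_words(wordlists, n_words=5):
    """Draw n_words uniformly from the merged lists; redraw until the
    picks span at least two languages, as the recipe asks."""
    if len(wordlists) < 2:
        raise ValueError("need word lists in more than one language")
    pool = [(lang, word) for lang, words in wordlists.items() for word in words]
    while True:
        picks = [secrets.choice(pool) for _ in range(n_words)]
        if len({lang for lang, _ in picks}) >= 2:
            return picks

def generate_passphrase(wordlists=WORDLISTS, n_words=5, min_length=30, sep="-"):
    """Return Word<digit>-Word<digit>-... with at least min_length characters."""
    while True:
        picks = pick_words(wordlists, n_words)
        parts = [word.capitalize() + str(secrets.randbelow(10)) for _, word in picks]
        phrase = sep.join(parts)
        if len(phrase) >= min_length:
            return phrase

def entropy_bits(pool_size, n_words=5):
    """Upper bound on strength: each slot is one of pool_size words plus one
    of 10 digits. Strength comes from the list size, not the character count."""
    return n_words * (math.log2(pool_size) + math.log2(10))

if __name__ == "__main__":
    print(generate_passphrase())
    print(f"sample lists (24 words): about {entropy_bits(24):.0f} bits")
    print(f"two 7,776-word lists: about {entropy_bits(2 * 7776):.0f} bits")
```
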

Are password managers safe?

A password manager that helps you have a strong, unique password for every site will keep you much safer than reusing weak passwords everywhere. A few years ago the LastPass password manager was breached and data, including names, website names, email addresses, partial credit cards and URLs, was compromised. The account passwords themselves were encrypted by the user’s master password, so to ensure their security users were required to change their master password.

Step 3: Compartmentalize your correspondence

A) Create your personal correspondence email to share only with friends and family

Your correspondence email is what you use to email with real people. Don’t use it when signing up for coupons, newsletters, social media, or your healthcare app. Those folks might wind up selling your contact to data brokers. Only give your correspondence email to people you know you want to hear from.

For this tutorial we selected Proton Mail and Tuta Mail because both are free and respected email accounts that provide end-to-end encryption (E2EE).

Set up your Proton Mail account so that less of your correspondence is read by Google

  • If you set up Proton Pass as your password manager, then you already have a Proton Mail account. Congratulations. You can access it by going to https://mail.proton.me.
  • If you are using a different password manager, you can set up a Proton Mail account from https://mail.proton.me.

B) Create your email aliases to make it easier to track spam and confuse hackers

One reason I selected Proton Pass for this recipe is that they provide 10 email aliases with their free account, so it’s a great, easy way to learn how aliases work.

But I hear you asking, what are aliases and why should I use them?

The 10 free aliases provided by Proton Mail are alternate addresses you can give people to receive email.

For example, if your email is myPersonalEmail@proton.me, then you can create an alias called myCoupons@passinbox.me. When you sign up for coupons at grocery stores, give them the alias email and you protect your primary email from getting hacked.

The junk email will still make it to your inbox, but I’ll show you how to create a filter so that it is easily siphoned to a special folder.

For this recipe, we’re going to create 8 aliases. You can create them using Proton Pass.

  1. Finance: banking and investments, retirement accounts, and PayPal
  2. Healthcare: healthcare portals
  3. Government: government websites
  4. E-commerce: websites you use to purchase goods like bookshop.org or Etsy.com. This is the address you use to make a purchase, not the one you use to receive a discount code.
  5. Social media: social media apps
  6. Other apps: Other apps that require you to log in, like a photo-sharing or a wedding invitation app.
  7. Newsletters: Sometimes you give your email address to receive a newsletter you actually want to read. Use this alias for those.
  8. Junk: for signup forms that you don’t expect to want mail from.

You might be thinking to yourself, I’d rather have an alias to manage this other task instead. And that’s great. This recipe makes some assumptions about the level of security you are currently at and where you would like to get to. But so long as you stay under 10 aliases, you can do as you wish with Proton’s free account.

We’ll deep dive into the why later, but for now know that a recipe like this protects you in this one important way:

Why should I use email aliases?

If your social media network provider gets hacked, the hacker will have an email that looks something like mySocialMediaAlias@passinbox.me, rather than myPrimaryEmail@proton.me. This prevents a hacker from testing passwords on your email account.

The same goes for your other accounts. Keeping your finances separate from junk, for example, means that your finances are not placed at risk when a provider with your junk email account gets hacked.
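
The compartments described above also give you a simple check: mail that reaches an alias from a sender you never gave that alias to is a sign the address was sold or leaked, or that the message is a phish. The sketch below is an added example, not part of the original recipe; it goes slightly beyond folder sorting by flagging unexpected senders, and the aliases, sender domains and messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed aliases and sender domains (assumptions, not real accounts).
# "senders" lists the domains each alias was handed to; None means anyone.
ALIASES = {
    "fin.k3@passinbox.me": {"folder": "Finance", "senders": {"examplebank.test"}},
    "social.q7@passinbox.me": {"folder": "Social media", "senders": {"examplesocial.test"}},
    "junk.z9@passinbox.me": {"folder": "Junk", "senders": None},
}

def triage(raw_message):
    """Return (folder, suspicious) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("Delivered-To", []) + msg.get_all("To", [])
    recipients = [addr.lower() for _, addr in getaddresses(headers)]
    alias = next((r for r in recipients if r in ALIASES), None)
    if alias is None:
        return ("Inbox", False)  # sent to the primary address, no alias rule applies
    rule = ALIASES[alias]
    if rule["senders"] is None:
        return (rule["folder"], False)
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    expected = any(sender_domain == d or sender_domain.endswith("." + d)
                   for d in rule["senders"])
    # An unexpected sender means the alias was sold, leaked, or guessed. This
    # checks the compartment only; it does not prove the From header is genuine.
    return (rule["folder"], not expected)

# Constructed sample messages.
BANK_STATEMENT = """From: Example Bank <statements@mail.examplebank.test>
To: fin.k3@passinbox.me
Subject: Your statement is ready

Body omitted.
"""
FAKE_BANK_TO_SOCIAL = """From: "Example Bank Security" <alerts@examplebank.test>
To: social.q7@passinbox.me
Subject: Urgent: verify your account

Body omitted.
"""
COUPON = """From: Deals <promo@examplegrocer.test>
To: junk.z9@passinbox.me
Subject: 10% off this week

Body omitted.
"""

if __name__ == "__main__":
    for raw in (BANK_STATEMENT, FAKE_BANK_TO_SOCIAL, COUPON):
        print(triage(raw))
```

The second message claims to come from the bank but arrives at the social media alias, which the bank was never given, so it is flagged.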

Do you use the Bitwarden password manager instead? Connect it to DuckDuckGo’s free email masking tool for unlimited email masks. Ask us how.

C) Start spreading misinformation about yourself

Sometimes you will want to register for a service that you know is going to send you junk. They’ll want your name, birthday, home address, and maybe more. And they will expect you to remember these details in the future. 

What can you do to protect yourself from these data brokers and spammers?

Open Proton Pass, create a secure note and add details for a made-up person. I recommend including a generic-sounding name, a consistent but fake phone number, and a made-up home address that includes a real zip code.

Then whenever you give your information to an organization that doesn’t need to know your real name, give them the fake instead. 

By spreading misinformation[8] about yourself, you make it harder for data brokers to paint a clear picture about who you are.

D) Add a free VoIP number to help you spot phishing texts

Go one step above and get a free VoIP number. Then instead of handing out your real phone number for the grocery store coupon, give this instead.

2ndLine VoIP offers a free, temporary phone number. It expires within about a day, which is enough time to get a confirmation text from a fishy source.

Step 4: Hide your tracks so that it’s harder for snoopers to build a profile on you

In the surveillance economy, everyone wants your private information. A VPN and the Signal messenger app, which uses end-to-end encryption[9], will help stop internet service providers from handing your data over to data brokers or law enforcement.

Note: Since March 2026, several lawmakers have been urging the US government to disclose whether using a VPN routed through foreign countries can strip Americans of their constitutional protections against warrantless surveillance. See WIRED’s and PCMag’s articles for more information.

A) Install a VPN to stop internet service providers from giving your web history away

Virtual Private Networks (VPNs) do one thing well–they make it harder for your internet service provider and snoopers to know what websites you go to. When you connect to a VPN, the only website a snooper sees you visit is the VPN’s website.

It’s important to select VPNs with strict no-logs policies[10] or low-logs policies. If the VPN doesn’t have a record of your search history, then they can’t give it to anyone.

Download Proton VPN onto your phone and computer. With a free account, you can only have one VPN connection running at a time.

B) Install Signal App to stop internet service providers from giving your private text messages to law enforcement

Now install the Signal messenger app, set the messages to delete at a regular cadence, and insist to your friends that it becomes your new norm. Avoid using your normal text messaging app.

Why should I use an encrypted messaging app?

The best way to ensure only you and your correspondent read your digital message is to use services that provide end-to-end encryption.

Now you can feel confident knowing you are safer

Now you have a basic system for staying private while using apps and corresponding on the web. In a future article, we’ll explain more of the why for all of this. For now, know that if you need to create a new alias, then you have a template and the tools to stay safer. 

But this data privacy recipe is not appropriate for all threats. If you need more anonymity and privacy, you will want to review privacy-oriented operating systems and better understand the abilities of your adversaries.

In a future article, we’ll talk about burner phones, stingrays, map how data brokers wind up with so much data about you, and how to scrub your data from the internet.

Next Steps

Do you have a specific threat you want to model? Email us at info@designaction.org and we’ll connect you with one of our partners who specialize in data privacy and security for movement organizations, unions, and worker cooperatives.

FAQ

How can I make my data private?

Using this recipe is a great place to start scrambling the information that data brokers can find about you. A great next step would be to go through the practice of doxxing yourself, or searching for traces of yourself online. If you find a trace of yourself, you can request that this data be removed.

What are the top 3 big data privacy risks?

The top 3 big data privacy risks involve security breaches and cyberattacks, lack of transparency and misuse of data, and regulatory non-compliance, leading to potential identity theft, discrimination, and massive fines, as large datasets become prime targets for hackers, complex algorithms can create biased outcomes, and evolving laws like GDPR demand strict governance.

What are three types of data protection?

There are 3 key data protection strategies:

1. Data security – Protecting data from damage, whether it’s malicious or accidental.
2. Data availability – When you lose data, being able to quickly restore it using backups.
3. Access control – Following the principle of least privilege, ensure that data is accessible to those who actually need it, and not to anyone else.

How do you delete 99.9% of your digital footprint?

To delete most of your digital footprint, you need a multi-step process: find and delete old accounts, remove yourself from data brokers, clear Google/search history, adjust social media privacy, and use privacy tools like VPNs and privacy-focused browsers, while stopping future oversharing and using anonymous methods for new accounts. While 100% removal is nearly impossible, this approach drastically reduces visible data, making you much harder to track.

Glossary of Terms

  1. Browser fingerprints: This is a method to identify you based on information about your browser, like the plugins you have installed.
  2. Security Journal: You will put just a few important passwords in your security journal, including your master password for your recovery email, primary correspondence email, and any recovery kits related to those.
  3. Recovery email: The email address you give to no one. Use this only as your recovery email address for your primary correspondence email.
  4. Multi-factor Authentication: In 2026 it is essential that everyone understand how to use multi-factor authentication. When logging into a service that uses multi-factor authentication, you must provide a one-time password or a passkey in addition to your username and password.
  5. USB Security Key: An example of a physical device that can store your passkeys. Passkeys help ensure scammers can’t log into your accounts. When using a passkey, you will need a physical device within your proximity to log in.
  6. One-time password: A type of multi-factor authentication that you receive via an authenticator app, a text message, a telephone call or an email.
  7. Credential Stuffing: A method to gain access to your account. Say for example the bookkeeper uses the same or similar username and password for all of their credentials. If their credentials for their airline reservation website are leaked, a hacker could try the same password and username for their email address and successfully get in.
  8. Misinformation and Aliases: Two tactics to erode the quality and precision of data that exists about you by intentionally spreading incorrect information.
  9. End-to-end encryption (E2EE): The best way to ensure only you and your correspondent read your digital message is to use services that provide end-to-end encryption.
  10. No-logs policy: The best way to ensure that nobody can buy, collect, or steal your data is to make sure it doesn’t exist in the first place. This recipe includes service providers that have stronger no-logs policies specifically to respect our privacy.