In 2024, the average person had 168 online accounts, according to NordPass’s annual password report. Each account holds some combination of name, email address, phone number, physical address, payment information, browsing history, purchase history, location data, and behavioral patterns. When a single one of those accounts is breached, that data enters circulation in underground markets. When multiple accounts share the same password — which 65% of people admit to, according to a 2023 Google/Harris Poll survey — a single breach cascades into access to dozens of services.
Most people know their digital privacy is not great. But the problem feels overwhelming: too many accounts, too many settings, too many potential vulnerabilities. So nothing gets done, and the exposure grows.
A privacy audit changes this by making the problem finite and actionable. In 30 minutes, you can assess your current exposure across the most critical privacy categories, identify the highest-risk issues, and fix the ones that matter most. This is not about achieving perfect privacy — it is about closing the gaps that are most likely to cause real harm.
Here is the 30-minute audit, broken into six five-minute segments.
Minutes 0-5: Password Audit
Passwords are the foundation of digital security. Weak or reused passwords are the single most exploitable vulnerability for most people.
Check for Compromised Passwords
Apple has built this directly into iOS and macOS:
- On iPhone, go to Settings > Passwords (or on Mac, System Settings > Passwords).
- Tap Security Recommendations at the top of the list.
- iOS flags three categories:
- Compromised passwords: Passwords that have appeared in known data breaches. These must be changed immediately.
- Reused passwords: The same password used across multiple accounts. If one account is breached, every account sharing that password is vulnerable.
- Weak passwords: Passwords that are easily guessable — short, common, or based on dictionary words.
Prioritize Your Fixes
You likely do not have time to change all flagged passwords in five minutes. Prioritize:
- Email accounts first. Your email is the recovery mechanism for every other account. If an attacker controls your email, they can reset passwords on everything else. Change any compromised email password immediately.
- Financial accounts second. Banking, investment, and payment accounts (PayPal, Venmo, Zelle).
- Cloud storage third. iCloud, Google Drive, Dropbox — these contain your documents, photos, and backed-up data.
- Social media fourth. These accounts contain personal information and can be used for identity theft or social engineering.
Use a Password Manager
If you are not already using one, start now. Apple’s built-in Passwords feature (formerly iCloud Keychain) works across all Apple devices and generates strong, unique passwords automatically. For cross-platform use, 1Password or Bitwarden are strong choices.
For managing passwords for apps and services that require secure storage beyond browser-based logins, PanicVault provides encrypted storage on your device for sensitive credentials and codes that you need accessible in emergencies — account recovery codes, two-factor backup keys, and other critical security information that should be stored securely but remain accessible when needed.
Minutes 5-10: App Permission Review
Every app on your iPhone has requested — and been granted — access to some subset of your data. Many of these permissions were granted hastily during initial setup and never revisited.
Location Access Audit
- Go to Settings > Privacy & Security > Location Services.
- Review every app in the list. For each one, ask: “Does this app need to know where I am?”
- Set permissions appropriately:
- Never: For apps that have no legitimate need for location data (games, calculators, text editors, most social media).
- While Using the App: For apps that need location during active use (maps, ride-sharing, weather).
- Always: Almost nothing legitimately needs “Always” access. Even fitness apps can use “While Using” in most cases.
Critical check: Scroll to the bottom of Location Services and tap System Services. Review which system features are using your location. Consider disabling:
- Significant Locations — Apple tracks frequently visited locations. Useful for some features but a privacy concern.
- Location-Based Apple Ads — Uses your location for ad targeting.
- iPhone Analytics — Shares location data with Apple for product improvement.
Why Weather Apps Deserve Special Attention
Weather apps are among the worst offenders for unnecessary data collection. A 2024 investigation by The Markup found that several popular free weather apps collected precise location data hundreds of times per day and sold it to data brokers. This data — accurate to within a few meters — reveals where you live, where you work, where you worship, and where you receive medical care.
YAWA (Local Weather) provides weather data without ads and without tracking. It requests location only to provide weather for your area and does not collect, store, or sell your location data. Switching to a privacy-respecting weather app is one of the highest-impact single changes in a privacy audit.
Camera and Microphone Access
- Go to Settings > Privacy & Security > Camera (then repeat for Microphone).
- Revoke access from any app that does not need it.
- Pay special attention to apps that have microphone access but are not audio or video apps — a note-taking app or shopping app with microphone access is a red flag.
Contacts Access
- Go to Settings > Privacy & Security > Contacts.
- Many apps request contacts access during onboarding (“Find friends who use this app!”) but do not need ongoing access.
- Revoke access from any app where you do not actively use a contacts-based feature.
Why this matters: When an app has contacts access, it uploads your entire address book to its servers — every name, phone number, email, and physical address. Your contacts did not consent to this. You are sharing their data without their knowledge.
Minutes 10-15: Location Tracking Deep Check
Location data is the most sensitive category of personal data because it reveals patterns of life — where you go, how long you stay, and who you are near.
Review Location History
-
Google Maps: If you use Google Maps, open the app > tap your profile picture > Your Timeline. Review the location history Google has collected. You may be surprised by the granularity. Consider deleting history and setting auto-delete to 3 months (or turning off location history entirely).
-
Google Account: Visit myactivity.google.com in Safari. Review Location History, Web & App Activity, and YouTube History. Google aggregates this data across all its services to build a comprehensive profile.
-
Apple Maps: Apple’s approach is more privacy-focused — location data is processed on-device and not linked to your Apple ID. However, review Settings > Privacy & Security > Location Services > System Services > Significant Locations to see what Apple has recorded on your device.
Social Media Location Exposure
Check your social media accounts for location exposure:
- Instagram/Facebook: Review whether location is embedded in your posts. Go to Settings > Privacy and disable location tagging for new posts.
- Twitter/X: Check whether tweet location is enabled. Disable it in Settings > Privacy and Safety > Location Information.
- Photos shared online: Photos taken with your iPhone embed EXIF data including GPS coordinates. Most social platforms strip this on upload, but some do not. Be aware when sharing photos via email or messaging — the full location data may be included.
Minutes 15-20: Social Media and Online Exposure
Your social media profiles are the public face of your digital identity — and they often reveal far more than you intend.
Public Profile Audit
For each social media account (Facebook, Instagram, LinkedIn, Twitter/X, TikTok):
- View your profile as a stranger. Most platforms have a “View as public” option. Use it.
- Check what is visible: Full name, employer, location (city/neighborhood), education, birth date, phone number, email address, relationship status, family members.
- Assess the risk: Each piece of information is a potential vector for social engineering, identity theft, or targeted phishing. Your mother’s maiden name combined with your birthday and hometown — commonly visible on Facebook — answers most security questions used by banks and financial institutions.
Reduce Exposure
- Birth date: Remove the year at minimum. Full birth date is used in identity verification by most financial institutions.
- Phone number and email: Make these private. Public contact information enables targeted phishing.
- Employer and job title: Consider whether this needs to be public. It enables targeted spear-phishing and business email compromise.
- Location: Sharing your city is usually safe. Sharing your neighborhood or frequent locations is a pattern-of-life disclosure.
- Friend/follower lists: Make these private. They reveal your social network and can be used for social engineering (“Hey, I’m a friend of [your actual friend]. Can you help me…?”).
Data Broker Check
Data brokers aggregate and sell personal information. Check whether your data is available:
- Search for your name on Google. Review the first three pages of results.
- Check haveibeenpwned.com — enter your email address to see which data breaches include your information.
- Review people-search sites (Spokeo, WhitePages, BeenVerified). Many of these allow you to request removal, though the process varies by site.
Minutes 20-25: Browser Privacy Settings
Your browser is the primary interface between you and the internet, and its configuration directly controls how much data you leak to every website you visit.
Safari Privacy Settings
Safari on macOS and iOS has strong privacy features, but some are not enabled by default:
- Prevent Cross-Site Tracking: Settings > Safari > toggle on “Prevent Cross-Site Tracking.” This blocks third-party cookies used by advertisers to track you across websites.
- Hide IP Address: Settings > Safari > “Hide IP Address” > “From Trackers” (or “From Trackers and Websites” for maximum privacy).
- Fraudulent Website Warning: Should already be enabled. Verify in Settings > Safari.
- Privacy Report: Tap the shield icon (Aa menu on Mac) in Safari’s address bar to see which trackers Safari blocked on the current site. This report helps you understand which sites are most aggressive in their tracking.
Clear Accumulated Data
Over time, Safari accumulates browsing data that reveals your interests, habits, and activities:
- Go to Settings > Safari > Clear History and Website Data for a fresh start.
- Going forward, consider using Private Browsing mode for sensitive searches (medical conditions, financial planning, legal questions).
Clean Genie helps you identify and remove accumulated data, caches, and digital clutter from your device. Regular cleanup reduces the amount of personal data stored locally that could be exposed if your device is lost, stolen, or accessed by someone else.
Extension Audit
If you use Safari extensions, review them:
- Go to Safari > Settings > Extensions (Mac) or Settings > Safari > Extensions (iPhone).
- Disable any extension you do not actively use. Extensions can read the content of every page you visit.
- For extensions you keep, review their permissions — does a formatting extension really need access to all websites, or can it be limited to specific sites?
Minutes 25-30: Quick Wins and Next Steps
Use the final five minutes for high-impact, fast-implementation privacy improvements.
Enable Two-Factor Authentication (2FA) Everywhere
If you do one thing after this audit, enable 2FA on your most critical accounts:
- Apple ID: Settings > [your name] > Password & Security > Two-Factor Authentication. (Likely already enabled, but verify.)
- Email accounts: Your email provider’s security settings.
- Financial accounts: Every bank, brokerage, and payment service.
- Social media: All active accounts.
Use the built-in iOS authenticator (Settings > Passwords > select an account > Set Up Verification Code) or a dedicated authenticator app. SMS-based 2FA is better than nothing but vulnerable to SIM-swapping attacks. App-based 2FA is significantly more secure.
Review Email Aliases
Apple’s Hide My Email feature creates random email addresses that forward to your real address:
- Go to Settings > [your name] > iCloud > Hide My Email.
- Use alias addresses for new account signups. If a service is breached, only the alias is exposed — your real email address remains private.
- If an alias starts receiving spam, deactivate it without affecting your real address.
Review App Store Subscriptions
- Go to Settings > [your name] > Subscriptions.
- Cancel any subscriptions for apps you no longer use. Each active subscription is a company that has your payment information and (usually) your email address.
Set Up Automatic Cleanup
Schedule this audit as a recurring event. Monthly is ideal, but even quarterly is better than never:
- Set a calendar reminder: “Privacy Audit — 30 minutes.”
- Follow this same checklist each time.
- Track what you change and what you discover.
For a comprehensive look at privacy and security tools available for iPhone and Mac, see the guide to the best privacy and security apps for iPhone and Mac and the guide to managing passwords with KeePass on iPhone.
Thirty minutes, once a month, is less time than most people spend choosing what to watch on streaming services. But those 30 minutes directly reduce your vulnerability to identity theft, financial fraud, stalking, and the slow, invisible erosion of personal autonomy that happens when every company you interact with knows more about you than you know about what they know. The audit does not achieve perfect privacy — nothing does. It achieves informed privacy: knowing what you are sharing, with whom, and making that a deliberate choice rather than a default you never examined.
