Privacy group files complaint against AI surveillance service
Lithuania-based Whitebridge.ai faces GDPR complaint over selling personal data reports compiled from social media without consent or legal basis.

A Lithuania-based company selling AI-generated "reputation reports" on individuals faces a formal complaint for violating European data protection laws. Noyb, the European Center for Digital Rights, filed the complaint with Lithuania's data protection authority on 29 September 2025.
Whitebridge.ai markets itself as an AI tool that compiles comprehensive dossiers on anyone with an online presence. The service scrapes social media platforms including Facebook, Instagram, LinkedIn and TikTok to create reports containing photos, personality assessments, conversation guidelines, and background checks flagging adult, political or religious content.
The complaint details how Whitebridge generated approximately 560,000 reports since launch, with nearly 80,000 registered users and 2.6 million people searched as of August 2025. Anyone willing to pay can purchase a report on any individual without that person's knowledge or consent.
"Whitebridge AI just has a very shady business model aimed at scaring people into paying for their own, unlawfully collected data," said Lisa Steinfeld, data protection lawyer at noyb. "Under EU law, people have the right to access their own data for free."
The company's advertising specifically targets those being profiled, using slogans like "this is kinda scary" and "check your own data." Yet when two complainants submitted access requests in December 2024, Whitebridge demanded payment for the reports rather than providing free access as required under Article 15 GDPR.
Questionable legal justification
Whitebridge claims in its privacy policy that processing personal data falls within its "freedom to conduct a business." The complaint challenges this reasoning, noting that business freedom under Article 16 of the EU Charter of Fundamental Rights explicitly requires compliance with existing laws like the GDPR.
The company asserts it only processes data from "publicly available sources." However, most social media content comes from profiles not indexed by search engines. Facebook, Instagram and LinkedIn all maintain robots.txt files that explicitly prohibit automated data collection.
The Court of Justice of the European Union addressed this issue in case C-252/21, ruling that entering information on a social networking application does not constitute making it "manifestly public" under Article 9 GDPR. Data visible only to accepted connections on private social media accounts remains in the private sphere.
One complainant maintains a private Instagram account accessible only to approved followers. Despite this restricted access, Whitebridge claimed to have used the account as a source for its report.
False AI-generated content
Data brokers and AI-powered surveillance have emerged as significant privacy concerns. The reports purchased by noyb on behalf of the complainants contained false warnings. One included an alert for "sexual nudity" while another flagged "dangerous political content" - both categories of sensitive personal data requiring special protection under Article 9 GDPR.
When complainants requested rectification of this inaccurate information on 15 and 17 January 2025, Whitebridge refused to correct the errors. The company demanded a "qualified electronic signature" to verify their identities, despite the complainants having already provided copies of national ID cards.
"Modern AI technologies make it increasingly easy to generate highly convincing forged documents," Whitebridge responded on 4 March 2025. The GDPR does not require qualified electronic signatures for identity verification. Most EU residents do not possess such signatures, which typically require payment to obtain.
Aitana Pallas from noyb noted: "The amount of personal data that Whitebridge AI processes is downright spooky, as Whitebridge itself states in advertisements for the service. This is made even worse by the fact that Whitebridge AI completely ignores data subjects when they try to exercise their rights."
Technical scraping methods
The complaint specifies that Whitebridge violates the terms of service of major social media platforms. Facebook's robots.txt file contains the "User-agent: *" and "Disallow: /" directives, which disallow all automated crawlers from the entire site. Instagram and LinkedIn maintain identical restrictions.
Data subjects share content on social networks for personal purposes within their private circles. Whitebridge processes this private data to sell commercial reports - a purpose completely incompatible with the original intent under Article 5(1)(b) GDPR's purpose limitation principle.
The service also offers real-time monitoring of individuals' online activities with notifications when new information appears. Reports include leisure activities, hobbies, data breach exposure, social media performance analysis, and AI-generated interaction guidelines with personality assessments.
Information obligations ignored
Whitebridge failed to inform the complainants about processing their personal data, violating Article 14 GDPR. Controllers must provide such information within one month of obtaining data, or at the latest when first disclosing data to another recipient.
The company claims in its privacy policy that providing information would involve "disproportionate effort" under Article 14(5)(b) GDPR. Yet Whitebridge identifies and processes the social media accounts and contact details of searched persons to create its reports. The UK Information Commissioner's Office has determined that processing large amounts of data "cannot be a deciding factor against it being proportional to notify people about the processing."
Noyb's complaint argues that claiming impossibility creates "a perverse incentive to gather as much data as possible in order to reduce the burden to notify people." The exemption under Article 14(5)(b) applies primarily to archiving, scientific research or statistical purposes - not commercial surveillance services.
Multiple GDPR violations
The formal complaint identifies violations of Articles 5(1)(a), (b) and (d), 6(1), 9, 12(1), (2), (3), (5) and (6), 14, 15(1), (3) and 16 GDPR. Noyb requests that Lithuania's data protection authority:
- Issue a declaratory decision confirming the violations
- Prohibit processing of scraped personal data and AI-generated false information
- Order Whitebridge to comply with access and rectification requests
- Order compliance with notification obligations under Article 19 GDPR
- Impose administrative fines
The complaint demonstrates growing scrutiny of AI systems that process personal data without proper legal basis. Noyb has filed approximately 800 cases against companies including major technology firms, funded by over 5,000 supporting members.
Whitebridge operates from Krivių str. 5, Vilnius LT-01204, Lithuania with legal entity code 306680556. Lithuania's State Data Protection Inspectorate holds jurisdiction as the company's lead supervisory authority.
Timeline
- December 2024: Two complainants discover anyone can purchase reports about them on Whitebridge.ai without notification
- 9 December 2024: Both complainants submit access requests under Article 15 GDPR with national ID cards
- 2 January 2025: Whitebridge refuses requests, claiming no "registered users" at those email addresses
- 10 January 2025: Noyb purchases reports on both complainants containing false warnings about "sexual nudity" and "dangerous political content"
- 15-17 January 2025: Complainants request rectification of inaccurate sensitive data
- 24 January 2025: Whitebridge demands qualified electronic signature for identity verification
- 17 February 2025: Complainant explains qualified electronic signatures are not widely available
- 4 March 2025: Whitebridge cites AI forgery risks as justification for signature requirement
- 29 September 2025: Noyb files formal complaint with Lithuanian data protection authority
Summary
Who: Noyb (European Center for Digital Rights) filed a complaint on behalf of two individuals against Lithuania-based UAB Whitebridge.ai, a company selling AI-generated personal data reports.
What: The complaint alleges multiple GDPR violations including lack of legal basis for processing, failure to handle access and rectification requests, generation of false sensitive data, unlawful scraping of social media, and charging people to access their own data.
When: The complaint was filed on 29 September 2025, following incidents beginning in December 2024 when complainants discovered their profiles and requested access to their data.
Where: The complaint targets a Lithuanian company operating from Vilnius, filed with Lithuania's State Data Protection Inspectorate, concerning data processing affecting individuals across the European Union.
Why: Whitebridge.ai scrapes social media platforms to create comprehensive dossiers sold to anyone, including the profiled individuals themselves, without legal basis or consent. The business model appears designed to profit from people's fear about what data has been collected about them, despite EU law guaranteeing free access to personal data.