TL;DR: Incogni was built by Surfshark in 2021 and is now owned by Cyberspace B.V., the Netherlands-registered holding company created when Surfshark merged with Nord Security in February 2022. That same corporate family, traced back to Lithuanian venture builder Tesonet, also backs Oxylabs, one of the largest residential proxy and web-scraping infrastructure providers on earth.
The pitch and the part of it that should make you pause

You’ve seen the ad read. A YouTuber leans into the camera, gets serious for thirty seconds, and tells you that for somewhere between $7 and $20 a month, a company called Incogni will hunt down every data broker that has your name, address, and phone number, and make them delete it.
It’s a good pitch because the underlying problem is real. There genuinely are companies out there compiling profiles on you that you never agreed to and can’t easily see. The frustration is legitimate. What’s worth examining is whether the company selling you the fix has a clean relationship with the problem, and that’s where things get tangled.
To request your data be removed from a broker, Incogni first needs your name, date of birth, address, and phone number, the same information you’re paying to have erased. It sends that information to the broker so the broker can confirm you’re in their database before agreeing to delete the entry. If a broker already had your data, you’ve lost nothing. If a broker didn’t have it, you’ve just handed it to them, and they’re under no general obligation to throw it away. There’s no federal law in the U.S. requiring brokers to honor deletion requests, and only a handful of states have passed their own.
None of that makes Incogni fraudulent. It does what it says it does. But it’s worth knowing whose business model that information transfer ultimately supports.
What the term “data broker” covers

Part of why removal services can market themselves so confidently is that “data broker” is vague enough to mean almost anything. It’s worth breaking apart, because the type of broker determines whether deletion is even meaningful.
People search sites
These are the modern phonebook: name, current and past addresses, phone numbers, sometimes arrest or property records, often visible to anyone for free. Spokeo, Whitepages, and BeenVerified-style sites fall here. This is the category data removal services are actually good at, because the information is directly identifiable and many of these sites comply with takedown requests to stay out of legal and reputational trouble, not because they’re required to.
Marketing and advertising data brokers
These companies don’t usually hold your name. They hold behavior: what you bought, what you searched, what app you used at 11pm, tied to an advertising ID rather than your legal identity. A removal request can struggle here, because there’s often nothing identifiable to delete. Clearing cookies or resetting your ad ID does more than a formal opt-out request.
Credit reporting bureaus
Equifax, Experian, and TransUnion. You cannot opt out of this category in the United States, full stop. It exists to support the consumer lending system, and it’s the same category that lost the financial details of roughly 147 million Americans in the 2017 Equifax breach.
Risk mitigation brokers
Used by landlords and employers to run background checks: rental history, employment changes, identity verification. Less visible than people search sites, equally hard to scrub.
Health data brokers
The one that should bother you the most. Purchases of over-the-counter medication, health-related searches, and smart device usage: none of it is covered by HIPAA once it leaves a covered healthcare provider, which means it can be packaged and sold with very little restriction.
Removal services concentrate almost entirely on the first category. That’s not a criticism by itself; people search sites are genuinely the most actionable kind of broker. But it means the marketing (“we’ll erase you from data brokers”) covers a much bigger universe than the product actually touches.
Who owns Incogni

Here’s the part that took some digging to nail down precisely.
Incogni started as an internal project. Surfshark’s team began looking into data broker practices in September 2021 and built an automated removal tool out of that research. At the time, Surfshark operated independently. In February 2022, that changed: Surfshark finalized a merger with Nord Security, the company behind NordVPN, NordPass, and NordLocker. The combined entity sits under a Netherlands-registered holding company called Cyberspace B.V. Incogni, along with the rest of the Surfshark product suite, now operates under that structure.
So Incogni is a Surfshark product, Surfshark is merged with Nord Security, and both trace their roots to Tesonet, a Lithuanian venture builder founded in 2008 by Tomas Okmanas and Eimantas Sabaliauskas. Nord Security has pushed back on being described as a Tesonet subsidiary, calling itself an independent “community member” of the Tesonet ecosystem rather than something Tesonet owns outright, and the precise equity arrangement has never been made fully public. That distinction matters legally. It matters a lot less to the average person deciding whether to hand over their date of birth, because Tesonet’s own public materials list Nord Security, Surfshark, Oxylabs, Hostinger, and Decodo as companies it built or accelerated, and they all still trade information, infrastructure, and in some cases staff with each other.
The part that doesn’t make it into the sponsorship read

This is the detail that actually changes how I think about the product, more than the ownership chart does.
Tesonet’s portfolio doesn’t stop at VPNs and data removal. It also includes Oxylabs, one of the largest residential proxy and web-scraping infrastructure companies in the world. Oxylabs was founded in 2015 out of the Tesonet accelerator and is still chaired by its original CEO, Julius Černiauskas. The company advertises a pool of more than 175 million residential IP addresses, the kind of infrastructure that scrapers rent specifically to make automated data harvesting look like ordinary household browsing and slip past the rate limits sites use to block bulk collection.
Oxylabs gets the bulk of that residential pool through an exclusive sourcing deal with Honeygain, a bandwidth-sharing app that pays users a small amount to route traffic through their device’s IP address. Both companies describe this as an “ethical” arrangement because participants opt in and get paid. Honeygain’s own ownership structure isn’t something either company has spelled out in much public detail, which is a strange gap for two firms that lead every press release with the word “transparent.”
Oxylabs has also been expanding through acquisition. It picked up Webshare, a self-service proxy provider with more than 10,000 customers including several Fortune 500 names, and Tesonet separately backs Decodo (rebranded from Smartproxy in 2025), which advertises another 125 million-plus IPs of its own. Stack those three together and you’re looking at one corporate family controlling a meaningful share of the global residential proxy market, the exact category of infrastructure that powers a lot of the large-scale scraping that feeds people search sites and marketing data brokers in the first place.
To be clear about what I’m not saying: there’s no evidence Oxylabs scrapes data and routes it to Incogni’s removal pipeline, and the two companies serve completely different, legally distinct customer bases. Oxylabs sells infrastructure to businesses that do their own scraping; it doesn’t appear to be in the business of running people-search sites itself. What I am saying is that the same corporate family makes money two different ways: selling you a service that fights data collection, and selling infrastructure to other companies doing data collection at scale. Both businesses are legal. Whether you’re comfortable paying a monthly subscription into that family is a separate question, and a fair one.
The verification paradox, restated plainly

Strip away the corporate structure and there’s a simpler problem with the entire data-removal category, one that applies to Incogni, DeleteMe, Aura, Optery, and the rest equally.
To prove you’re the person in a broker’s database, you have to give the broker enough information to match you against their existing record. That means the most privacy-conscious people, the ones paying $10 to $20 a month specifically because they don’t want their data circulating, are the ones systematically feeding their real name, birth date, and address into broker verification systems on a recurring schedule. If a broker is engaging in good faith, fine, the entry gets pulled. If a broker is indifferent, you’ve handed over a payment-verified, professionally curated data point describing exactly the kind of customer willing to pay to protect their privacy. Either company in this transaction can sell that signal.
Some competing services, OneRep among them, sidestep part of this by verifying identity through email aliases and virtual phone numbers instead of your real contact details. That’s a meaningfully different design choice, though it comes with its own baggage: a 2024 investigation found OneRep’s founder had previously run several of the same people-search sites the service now requests removals from.
Is Incogni a scam?
No, and I want to be direct about that, because it’s an easy accusation to make and a lazy one. A scam takes your money and gives you nothing. Incogni sends real removal requests to real brokers and a meaningful share of them get honored, particularly in the people-search category. The product does what the label says.
“Is it worth the price” is a different question, and the honest answer is: it depends entirely on where you live. There are an estimated 1,700-plus registered data brokers in the U.S. and thousands more globally that aren’t required to register anywhere. Services like Incogni and DeleteMe typically work through a few hundred of them. If you live in California, which has an actual Delete Act requiring broker registration and compliance, a subscription buys you real, ongoing leverage. If you live almost anywhere else, you’re paying monthly for a service that removes you from a slice of the ecosystem that will likely repopulate the moment a new data set gets scraped or purchased, because nothing stopped the underlying collection in the first place.
What right-to-delete laws actually cover, and what they don’t
California’s law is the most cited example, and it’s worth being specific about its limits. It requires registered data brokers to honor a deletion request and to keep that data deleted going forward, which is a real improvement over the patchwork everywhere else. It does not cover companies that aren’t classified as data brokers under the statute, which is how a retailer or an automaker can decline to delete purchase history or telematics data while a much smaller people-search site complies without being asked twice. The category boundaries matter more than most people assume when they sign up for a removal service expecting blanket coverage.
A small number of other states have followed with similar registries and rights, but coverage is inconsistent enough that a national subscription service ends up being far more useful to some customers than others depending purely on zip code.
What reduces your exposure
If you want to spend effort rather than money, a few things move the needle more directly than a subscription:
Pull your own removals from the major people-search sites. It takes longer than letting a service do it, but it’s free, and most of these sites publish their opt-out forms even when they’re not legally required to.
Clear your advertising ID and cookies periodically. Marketing data brokers identify you through that ID far more than through your name, and resetting it breaks the link between your history and whatever profile has been built.
Be deliberate about what you connect to your real name publicly. Risk mitigation and people-search data largely gets refreshed from public records and social profiles you control directly.
Treat a removal subscription as a supplement for the one category it’s actually built for, people-search sites, rather than a comprehensive privacy fix. If you live somewhere with strong delete laws, it’s a reasonable convenience purchase. If you don’t, you’re paying recurring money for a service whose structural limits won’t change no matter how good the company’s automation gets.
The bottom line
Incogni isn’t a scam, and I don’t think the people who built it are acting in bad faith. But the corporate structure underneath it is a useful reminder that “privacy company” is a marketing category, not a guarantee about anyone’s broader business model. The same holding ecosystem that profits from helping you opt out of data collection also profits from infrastructure that makes large-scale data collection easier for other companies. Both things can be true, both businesses can be legitimate, and you can still decide that’s not where you want your monthly subscription money going. That’s a judgment call, not a verdict, and it’s one worth making with the full ownership picture in front of you rather than the thirty-second version in a sponsorship read.








