See what others can find out about you.
Glasshaus is a self-hostable, open-source personal exposure scanner. You give it identifiers you know are yours — an email, a phone number, a username — and it discovers what is publicly linkable back to you across the open web, shows you where every finding came from, scores how exposed you are, and tells you how to reduce it.
The name is the idea: you think you live behind walls, but much of your online life is a glass house. Glasshaus shows you the glass.
Important
Local-first by design — there is no "we". Glasshaus runs entirely on your own machine. Your identifiers and your findings never leave it: no Glasshaus server, no account, no telemetry, no third party holding your data. For a privacy tool this isn't a feature, it's the whole point — we can't see your data because there is no we. It's the one guarantee a cloud reverse-lookup service structurally cannot make. (The only data that leaves your machine is the queries the OSINT connectors you enable send to their respective services — by design, and on your terms.)
Warning
Status: pre-alpha / planning. This repository currently contains the project's design and documentation, not a working application. The architecture and roadmap are settled; implementation has not started. Watch the repo or see ROADMAP.md for progress.
Consumer "reverse lookup" services (ClarityCheck, Spokeo, BeenVerified and friends) answer a creepy question — "who is this stranger?" — using stale, resold data, fake "we found results!" teasers, paywalls, and hidden sources.
Glasshaus deliberately answers the opposite question — "what can a stranger find out about me?" — and answers it honestly:
| Their pattern | Glasshaus |
|---|---|
| Fake teasers to upsell | Shows real results, or plainly says "nothing found" |
| Your data lives on their servers | Your data never leaves your machine — there's no server to hold it |
| Hides where data came from | Provenance on every finding — which tool found it, and the evidence |
| Sells stale resold dumps | Active, live queries — current truth, not a database from 2019 |
| Vague "trust scores" | An exposure score with inspectable contributing factors |
| Leaves you scared and stuck | Remediation guidance — concrete steps to shrink your footprint |
| Paywalled, closed | Free, open-source, self-hosted, bring-your-own keys |
Reframing reverse-lookup as a self-audit is what makes Glasshaus a privacy tool rather than a surveillance product. See DISCLAIMER.md for the intended-use and legal boundaries — please read it.
```
   one or more SEEDS (your email / phone / username)
                        │
                        ▼
┌──────────────────────────────────────────────┐
│  Engine: a frontier "pivot loop"             │
│   • run connectors that accept each selector │
│   • normalize every result to a Finding      │
│   • findings derive NEW selectors → pivot    │
│   • correlation resolves it all into a graph │
└──────────────────────────────────────────────┘
                        │
                        ▼
Exposure dossier + exposure score + remediation guidance
```
Two modes over one engine:
- Quick — automatic, fast tier, shallow. A dossier card that fills in within seconds. For "just show me."
- Explore — deep, human-in-the-loop. You approve each pivot and inject your own leads, with a full entity-graph view. For enthusiasts.
Glasshaus does not reimplement the OSINT tools it relies on — it orchestrates and normalizes them behind one Finding model, with provenance and remediation attached.
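
The pivot loop sketched above, as an added illustration that is not Glasshaus code (the repository has no implementation yet): the `Selector` and `Finding` shapes, the stub connectors with their canned data, `max_depth` and the `approve` hook are all assumptions made here. The depth cap stands in for Quick mode's shallowness and `approve` for Explore mode's per-pivot approval.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Selector:
    kind: str    # e.g. "email", "username"
    value: str

@dataclass(frozen=True)
class Finding:
    connector: str       # provenance: which connector produced it
    queried: Selector    # provenance: which selector was looked up
    evidence: str        # what was observed
    derived: tuple = ()  # new selectors this finding reveals

# Constructed stand-in connectors: canned data, no real tool or network call.
def stub_email(sel):
    if sel.value == "me@example.org":
        return [Finding("stub-email", sel, "account on forum.example",
                        (Selector("username", "glassfan"),))]
    return []

def stub_username(sel):
    if sel.value == "glassfan":
        return [Finding("stub-username", sel, "profile shows a contact email",
                        (Selector("email", "me@example.org"),  # cycle back to seed
                         Selector("username", "glassfan2")))]
    return []

CONNECTORS = {"email": [stub_email], "username": [stub_username]}

def pivot_loop(seeds, max_depth=2, approve=lambda sel: True):
    """Breadth-first frontier loop; returns findings in discovery order."""
    seen = set(seeds)                      # dedup so cycles terminate
    frontier = deque((s, 0) for s in seeds)
    findings = []
    while frontier:
        sel, depth = frontier.popleft()
        for connector in CONNECTORS.get(sel.kind, []):
            for finding in connector(sel):
                findings.append(finding)
                for new in finding.derived:
                    # Pivot only on unseen, approved selectors within the cap.
                    if new in seen or depth + 1 > max_depth or not approve(new):
                        continue
                    seen.add(new)
                    frontier.append((new, depth + 1))
    return findings
```

Every `Finding` keeps the connector name and the queried selector, so each result can be traced back along the chain of pivots that led to it.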
- Backend: Python 3.11+, FastAPI, `arq` (async Redis queue), Redis, PostgreSQL
- Frontend: React + a graph visualization library (Cytoscape.js / sigma.js), live updates over SSE/WebSocket
- Deployment: self-hosted, single-tenant, bring-your-own API keys (you supply HIBP, etc.)
Glasshaus is an orchestrator. Its value depends on the excellent open-source OSINT tools it integrates — including (planned) Holehe, Maigret, Sherlock, Ignorant, PhoneInfoga, ExifTool, and APIs such as Have I Been Pwned and Epieos/GHunt. Credit and thanks to their authors. Each integration is subject to that tool's own license and terms of use.
The short version: Phase 1 is the person-OSINT core; Phase 2 adds breadth (SpiderFoot-as-a-connector, appsec/infra connectors, reverse-image); Phase 3 adds hardened guardrails and optional hosting. Full detail in ROADMAP.md.
Contributions are very welcome — especially new connectors. Start with CONTRIBUTING.md and our CODE_OF_CONDUCT.md.
Found a vulnerability? Please report it privately — see SECURITY.md. Do not open a public issue for security problems.