The Dutch suicide prevention organization 113 Zelfmoordpreventie has come under fire after researchers discovered its website was sharing sensitive visitor data with Google and Microsoft, potentially violating European privacy laws.
The issue was uncovered by ethical hacker Mick Beer from Hackedemia.nl, who found that visitors to the suicide prevention website were being tracked through analytics and monitoring tools, even when they had not consented to cookies. According to the investigation, the shared information included visitors’ locations, browser and device details, previously visited websites, and screen recordings of activity on the platform.
Researchers warned that simply visiting a suicide prevention website already constitutes highly sensitive health-related information under Europe’s GDPR privacy framework. The concern is that technology companies receiving this metadata could potentially use it to enrich advertising or behavioral profiles tied to users.
“If someone opens the 113 page, or clicks on the chat or call menu, that is sensitive information in itself,” Beer told Dutch media.
The investigation found that some information was transmitted to Google regardless of whether users accepted tracking cookies. Data was also reportedly shared with Microsoft through additional analytics systems when cookies were accepted.
Although the organization stated that no chat messages or direct conversation contents were shared, privacy experts say metadata alone can reveal deeply personal information about vulnerable users seeking mental health support. Visiting a suicide prevention page, opening a crisis chat, or accessing emergency support resources may already indicate an individual is in psychological distress.
Following the disclosure, Stichting 113 temporarily disabled all analytics and measurement tools on its website while investigating the scope of the issue. The organization acknowledged concerns surrounding user privacy and said it was reviewing how the tracking systems had been implemented.
“We realize that visitors must be able to trust that their privacy is protected,” a spokesperson said after the findings became public.
The incident has raised broader concerns about tracking technologies embedded across healthcare, therapy, and mental health websites. Privacy researchers have repeatedly warned that analytics scripts, advertising pixels, and session recording tools can unintentionally expose sensitive medical or psychological information to third parties.
Under GDPR rules, organizations handling health-related data are required to apply stronger privacy protections and obtain explicit consent before processing sensitive information. Regulators could now examine whether the suicide prevention organization violated European data protection laws by allowing third-party tracking systems to collect visitor metadata.