The requirement to provide a valid email address in order to receive a new password if forgotten is unnecessary and potentially invasive. While the intention may be to ensure the security of the user's account, it could be argued that there are alternative methods to verify a user's identity without requiring personal information such as an email address. Additionally, the statement that the email address is only visible to the user and the admins may not alleviate concerns about privacy, as there is still a possibility of unauthorized access or misuse of the email address. Furthermore, stating that crawlers and other users cannot see the email address may not completely address privacy concerns, as there could be other potential vulnerabilities that could expose the email address to unauthorized individuals.