stackpeek

audit report

Airtable

https://airtable.com · productivity

warn
scanned 2026-04-16 23:34:00 utc permalink · /audit/airtable

Airtable's privacy policy claims align well with observed behavior: the site loads Google Tag Manager (analytics), Intellimize (A/B testing), and Qualified (chat support), all consistent with the stated third-party sharing for analytics and vendor services. Cookies are set and documented. However, the policy names only four third parties (Google, Apple, Okta, Google Drive) in its examples, while the site loads additional vendors (Intellimize, Qualified, Heroku) without explicit mention, creating a gap between the named parties and the actual vendor ecosystem.

claim vs. reality


“This includes your name, mailing address, email address, postal code, telephone number, and other similar identifiers...payment information, company name, job title, business email address, and department.”

— Airtable privacy policy

observed · html

Intellimize

findings


  1. warn

    Observed vendors not named in policy

    The policy names some third parties but omits these observed vendors. Undeclared: Intellimize, Intellimize.

    
    Intellimize
    Intellimize
  2. note

    Intellimize loaded (ab_testing)

    Observed 3 time(s) on the page.

    
    link preload: https://cdn.intellimize.co/snippet/117868712.js
    link preconnect: https://api.intellimize.co
    link preconnect: https://log.intellimize.co
  3. note

    Google Tag Manager loaded (tag_manager)

    Observed 2 time(s) on the page.

    
    script src: https://www.googletagmanager.com/gtm.js?id=GTM-NCLXNTS
    <iframe> src: https://www.googletagmanager.com/ns.html?id=GTM-NCLXNTS&gtm_cookies_win=x
  4. note

    Intellimize loaded (ab_testing)

    Observed 1 time(s) on the page.

    
    link preconnect: https://117868712.intellimizeio.com
  5. note

    Vendor ecosystem broader than named examples

    The policy provides illustrative examples of third-party services (Google, Apple, Okta, Google Drive), but the site actually loads Intellimize for A/B testing and Qualified for chat support, which aren't explicitly mentioned. While the policy uses broad language ('vendors that help us...'), this creates ambiguity about which vendors users should expect.

    
    Observed third parties: intellimize.co, intellimizeio.com, qualified.com
    Policy named third parties: Google, Apple, Okta, Google Drive
    Policy states vendors help with 'marketing and email campaigns' but Intellimize specifically is for A/B testing/personalization
  6. note

    Session replay scripts mentioned but vendor not named

    The policy explicitly discloses 'session replay scripts' as a tracking technology used, but the actual vendor implementing this isn't disclosed (neither in the named vendors nor observable in the tech stack provided). This leaves the specific replay vendor unidentified to users.

    
    Policy quote: 'cookies and other tracking technologies, such as web beacons, pixels, session replay scripts'
    No session replay vendor found in observed third parties
  7. info

    Google Tag Manager: disclosed in policy

    The policy names this vendor explicitly, matching what was observed.


third parties observed


vendor              domain                category      hits  disclosure
Google Tag Manager  googletagmanager.com  tag_manager   2     not named
Intellimize         intellimize.co        ab_testing    3     not named
Intellimize         intellimizeio.com     ab_testing    1     not named
Browser Native      data:image            other         23    not named
Heroku              herokuapp.com         hosting       1     not named
Qualified           qualified.com         chat_support  1     not named

policy claims


source · https://airtable.com/company/privacy

collects pii: yes
shares 3p: yes
sells data: no
cookies: yes
analytics: yes
advertising: yes

named third parties (4)

Google, Apple, Okta, Google Drive

retention

Data is retained for no longer than necessary for purposes for which it was collected, including legal or reporting requirements. Content deletion may retain archived or backup copies to enable revision history and base snapshots.

user rights

Users can access, correct, amend, or delete content within Services. Users can opt out of marketing communications. EU/UK/Swiss residents have rights of access, portability, rectification, erasure, restriction, withdrawal of consent, and objection. US state residents have rights to access, deletion, correction, and appeal. Users can opt out of targeted advertising via Cookie Preference Center or Global Privacy Control.

response headers


hsts: yes
csp: yes
server: Vercel

run this yourself


Every audit on this site is reproducible. Install stackpeek and run the same check against https://airtable.com from your own machine — the tool is MIT-licensed and runs locally.

pip install stackpeek
stackpeek audit https://airtable.com


provenance


This audit was generated by running stackpeek against https://airtable.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.