audit report
Amplitude
Amplitude's privacy policy claims use of cookies, analytics, and third-party sharing, which align with observed web traffic patterns. The policy explicitly permits sharing with ad partners and subsidiaries for marketing purposes but disclaims selling data under CCPA. However, the observed third-party vendors (Google Tag Manager, Optimizely, LaunchDarkly) are not named in the policy's limited disclosure of specific third parties (Stripe, Google, JAMS only), creating opacity about which vendors actually process user data. The policy's framing as "sharing for marketing" rather than "sale" may technically comply with CCPA but obscures the commercial value exchange with ad partners.
claim vs. reality
“This Personal Data may include: first and last name, company name, job title, work email address, country and/or state, phone number”
observed · html
Amplitude findings
- warn
Observed vendors not named in policy
The policy names some third parties but omits these observed vendors. Undeclared: Amplitude, Optimizely.
how we detected this → Amplitude, Optimizely
- warn
Distinction between 'sharing' and 'sale' may obscure ad partner data monetization
The policy states 'We do not sell your Personal Data' while simultaneously claiming the right to 'share Personal Data with third party ad partners...by providing lists of email addresses for potential customers.' This language distinction (sharing vs. sale) may technically satisfy CCPA requirements but obscures the commercial value exchange: email lists provided to ad partners for targeted marketing are effectively monetized user data, even if not labeled as 'sales.'
how we detected this → Policy claim: 'We do not sell your Personal Data'; Policy claim: 'We may share Personal Data with third party ad partners...by providing lists of email addresses'; Observed: Google Tag Manager and Optimizely (ad/marketing-focused) detected on page
- note
Amplitude loaded (analytics)
Observed 2 time(s) on the page.
how we detected this → inline: alytics platform and experimentation tools.","url":"https://amplitude.com/a-rebrand","publisher":{"@type":"Organization","name":"A inline: y":"primary-button","text":"Get started","url":"https://app.amplitude.com/signup"},{"_key":"6998e430e3e0","_type":"link","ctaClick
- note
Google Tag Manager loaded (tag_manager)
Observed 1 time(s) on the page.
how we detected this → <iframe> src: https://www.googletagmanager.com/ns.html?id=GTM-T6JXPP5
- note
Optimizely loaded (ab_testing)
Observed 1 time(s) on the page.
how we detected this → inline: ":{"_type":"slug","current":"/compare/optimizely"}},"text":"Optimizely"},{"_key":"b18587f71358","_type":"link","ctaClickedLocation
- note
Undisclosed third-party vendors loading on homepage
The policy names only three specific third parties (Stripe, Google, JAMS), yet the page loads scripts and assets from Optimizely (A/B testing), LaunchDarkly (feature flags), and Google Tag Manager (tag management). While the policy uses a generic clause permitting sharing with 'third-party service providers,' these specific vendors are not named, leaving users unaware of which companies are processing their interactions.
how we detected this → Optimizely and LaunchDarkly detected in inline_patterns; Google Tag Manager (googletagmanager.com) detected with 1 hit; Policy named_third_parties: [Stripe, Google, JAMS] - no mention of Optimizely, LaunchDarkly, or GTM
- note
Sanity.io API calls prominent but not disclosed
Sanity.io (a headless CMS vendor) is loaded 31 times—by far the heaviest third-party—yet is entirely absent from the policy. While Sanity may function as a backend content service rather than user data processor, the lack of transparency about this dependency is notable given the policy's claims about third-party data handling.
how we detected this → sanity.io detected with 31 hits (highest frequency third party); No mention of Sanity in policy named_third_parties or third-party sharing clauses
- info
Google Tag Manager: disclosed in policy
The policy names this vendor explicitly, matching what was observed.
how we detected this →
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| Amplitude | amplitude.com | analytics | 2 | not named |
| Google Tag Manager | googletagmanager.com | tag_manager | 1 | not named |
| Optimizely | optimizely.com | ab_testing | 1 | not named |
| Google APIs | googleapis.com | api | 1 | not named |
| LaunchDarkly | launchdarkly.com | feature_flags | 1 | not named |
| Mutiny | mutinycdn.com | cdn | 2 | not named |
| Round Prince Music | roundprincemusic.com | other | 2 | not named |
| Sanity | sanity.io | api | 31 | not named |
| data URI scheme | data:image | other | 7 | not named |
policy claims
source · https://amplitude.com/privacy/archive/2025-12
- collects pii: yes
- shares 3p: yes
- sells data: no
- cookies: yes
- analytics: yes
- advertising: yes
named third parties (3)
Stripe, Google, JAMS
retention
Personal Data is not kept longer than necessary for the specific purpose identified in the Privacy Notice, unless required to comply with legal obligations, resolve disputes, or enforce legal agreements. Data is deleted or anonymized when no longer needed.
user rights
Users have the right to access, correct, delete, and obtain a copy of their Personal Data by logging into their account or emailing privacy@amplitude.com. Users can opt-out of promotional emails and can withdraw consent for marketing communications. California residents and EEA/UK/Swiss residents have additional rights including opt-out of data sales and sharing with ad partners.
response headers
- hsts: yes
- csp: yes
- server: nginx/1.22.0
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://amplitude.com from your own machine — the tool is MIT-licensed and runs locally.
pip install stackpeek
stackpeek audit https://amplitude.com
provenance
This audit was generated by running stackpeek against https://amplitude.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.