stackpeek

audit report

Asana

https://asana.com · project management

warn
scanned 2026-04-16 23:34:24 utc permalink · /audit/asana

Asana's privacy policy claims strong data protection practices with ISO certifications, DPA compliance, and user rights under CCPA/GDPR, but the observed technology stack reveals significantly more third-party engagement than the policy explicitly discloses. While the policy acknowledges sharing with "partners and vendors," it does not specifically name or explain the purpose of 60+ detected third parties, including advertising networks (Google DoubleClick, Facebook Pixel, Bing, Amazon ads), behavioral analytics (6sense, Bizographics, Contentsquare session replay), marketing platforms (Marketo, Optimizely A/B testing), and data enrichment services (ZoomInfo). The policy's focus on contractual commitments and regulated use cases (CCPA, FERPA, HIPAA) does not address the extensive tracking infrastructure visible in the page load, creating a transparency gap between stated practices and observed behavior.

claim vs. reality

“Closely reviewing and mapping the data we collect, use, and share”
— Asana privacy policy

observed · html: Contentsquare

findings


  1. warn · Session replay tools detected
     Session replay tools record user interactions. Observed: Contentsquare. The policy should clearly disclose this and how recordings are stored.
       Contentsquare

  2. warn · Extensive undisclosed third-party tracking ecosystem
     The policy claims Asana shares data with 'partners and vendors' under contractual restrictions, but does not name or explain the business purpose of 40+ observed third parties. Notable omissions: advertising networks (Google DoubleClick, Facebook Pixel, LinkedIn, Pinterest, Amazon ads), account-based marketing vendors (6sense, Bizographics), session replay (Contentsquare), and B2B intent data services (ZoomInfo). The policy emphasizes CCPA service provider restrictions but does not clarify whether these entities fall under that category or a different legal classification.
       doubleclick.net, facebook.net, pinterest.com, linkedin.com, amazon-adsystem.com (advertising)
       6sc.co, 6sense.com, bizographics.com (analytics/tracking)
       contentsquare.net (session replay)

  3. note · Google Tag Manager loaded (tag_manager)
     Observed 5 times on the page.
       inline: d:function(e,t){e&&(this.getUserConsentByGroupId(t)?(window.dataLayer=window.dataLayer||[],window.dataLayer.push(e),"asanadotcomLo
       inline: gth&&(window.OptanonActiveGroups=","+a.join(",")+",",window.dataLayer=window.dataLayer||[],window.dataLayer.push({event:"OneTrustG
       inline: [],window.gtag=function(){dataLayer.push(arguments)},window.gtag("js",new Date),window.gtag("set","developer_id.dNzMyY2",!0),

  4. note · Optimizely loaded (ab_testing)
     Observed 4 times on the page.
       inline: ument.head.appendChild(i))}catch(e){console.error("Error in Optimizely setup:",e)}var t,p})("production")
       inline: 1062cf8ada8c&ec=asanadotcomLoggedOutExperimentEnrollment&ea=Optimizely+enrollment&el=nav_010_asana_ai_dropdown-mp_precons+-+9e4e79
       CSP: https://app.optimizely.com/

  5. note · Yahoo Japan loaded (advertising)
     Observed 4 times on the page.
       CSP: https://yjtag.yahoo.co.jp/tag
       CSP: https://b92.yahoo.co.jp/rt/
       CSP: https://b91.yahoo.co.jp/pagead/

  6. note · Google DoubleClick loaded (advertising)
     Observed 2 times on the page.
       link preconnect: https://ad.doubleclick.net
       CSP: https://googleads.g.doubleclick.net

  7. note · Google AdSense loaded (advertising)
     Observed 2 times on the page.
       CSP: https://tpc.googlesyndication.com
       CSP: https://pagead2.googlesyndication.com

  8. note · LinkedIn loaded (social)
     Observed 2 times on the page.
       CSP: https://px.ads.linkedin.com
       CSP: https://www.linkedin.com

  9. note · Yahoo Japan loaded (tag_manager)
     Observed 2 times on the page.
       CSP: https://yjtag.jp/tag.js
       CSP: https://s.yjtag.jp/tag.js

  10. note · 6sense loaded (analytics)
      Observed once on the page.
        CSP: https://*.6sc.co

  11. note · 6sense loaded (analytics)
      Observed once on the page.
        CSP: https://*.6sense.com

  12. note · Adalyser loaded (advertising)
      Observed once on the page.
        CSP: https://c0.adalyser.com/adalyser.js

  13. note · AdStack loaded (advertising)
      Observed once on the page.
        CSP: https://js.adstk.io/convpixel.js

  14. note · Amazon loaded (advertising)
      Observed once on the page.
        CSP: https://c.amazon-adsystem.com/aat/amzn.js

  15. note · Microsoft Bing loaded (advertising)
      Observed once on the page.
        CSP: https://bat.bing.com

  16. note · Bizographics loaded (tracking)
      Observed once on the page.
        CSP: https://sjs.bizographics.com

  17. note · Spotify loaded (social)
      Observed once on the page.
        CSP: https://pixel.byspotify.com/ping.min.js

  18. note · Contentsquare loaded (session_replay)
      Observed once on the page.
        CSP: https://t.contentsquare.net

  19. note · Datadog loaded (analytics)
      Observed once on the page.
        CSP: https://www.datadoghq-browser-agent.com

  20. note · Facebook Pixel loaded (advertising)
      Observed once on the page.
        CSP: https://connect.facebook.net

  21. note · Google Analytics loaded (analytics)
      Observed once on the page.
        CSP: https://www.google-analytics.com

  22. note · Google Ads loaded (advertising)
      Observed once on the page.
        CSP: https://www.googleadservices.com

  23. note · ListenLoop loaded (analytics)
      Observed once on the page.
        CSP: https://v2.listenloop.com

  24. note · Marketo loaded (analytics)
      Observed once on the page.
        CSP: https://*.marketo.com

  25. note · Marketo loaded (analytics)
      Observed once on the page.
        CSP: https://*.marketo.net

  26. note · Pinterest loaded (social)
      Observed once on the page.
        CSP: https://s.pinimg.com/ct/

  27. note · Pinterest loaded (social)
      Observed once on the page.
        CSP: https://ct.pinterest.com/static/ct/token_create.js

  28. note · Quora loaded (social)
      Observed once on the page.
        CSP: https://a.quora.com/qevents.js

  29. note · Reddit loaded (social)
      Observed once on the page.
        CSP: https://www.redditstatic.com/ads/pixel.js

  30. note · TikTok loaded (social)
      Observed once on the page.
        CSP: https://analytics.tiktok.com/i18n/pixel/

  31. note · TVSquared loaded (analytics)
      Observed once on the page.
        CSP: https://collector-39548.us.tvsquared.com/tv2track.js

  32. note · ZoomInfo loaded (analytics)
      Observed once on the page.
        CSP: https://js.zi-scripts.com/

  33. note · A/B testing and experimentation infrastructure not mentioned in policy
      Optimizely (A/B testing vendor) is loaded and mentioned in inline patterns, but the privacy policy does not explain how Asana uses A/B testing, what data flows to Optimizely, or whether this constitutes a service provider or a separate business relationship. Similarly, Datadog RUM (real user monitoring) is loaded but not disclosed in the policy.
        optimizely.com (4 hits)
        datadoghq.com, datadoghq-browser-agent.com (error tracking and analytics)

  34. note · Limited disclosure of analytics and monitoring vendors
      The policy does not explicitly mention the use of multiple analytics platforms beyond generic statements. Observed: Google Analytics, Datadog, Marketo, ListenLoop, TVSquared, and 6sense. Asana's policy is silent on whether these are used for product analytics, marketing analytics, or both, and does not explain data retention or user opt-out mechanisms.
        google-analytics.com, datadoghq.com, marketo.com, listenloop.com, tvsquared.com

  35. info · OneTrust integration suggests cookie/consent management, not detailed in policy
      OneTrust (cookielaw.org and onetrust.com) is loaded, indicating use of a consent management platform. The policy yields 'uses_cookies: null' on extraction despite observable cookie-setting and extensive client-side tracking. The policy should explicitly disclose cookie types and consent flows.
        cookielaw.org (4 hits), onetrust.com (1 hit)
        user_geo cookie observed

  36. info · Cloud infrastructure and CDN vendors listed but purpose not explicit
      Multiple CDN/hosting vendors are loaded (AWS, Cloudflare, CloudFront, Azure CDN, jsDelivr, LinkedIn CDN), which is standard practice, but the policy does not explicitly address data routing, geographic storage, or reliance on these infrastructure providers.
        cloudfront.net, cloudflare.com, amazonaws.com, aspnetcdn.com, jsdelivr.net, licdn.com

third parties observed

vendor              domain                        category        hits disclosure
6sense              6sc.co                        analytics       1    not named
6sense              6sense.com                    analytics       1    not named
AdStack             adstk.io                      advertising     1    not named
Adalyser            adalyser.com                  advertising     1    not named
Amazon              amazon-adsystem.com           advertising     1    not named
Bizographics        bizographics.com              tracking        1    not named
Contentsquare       contentsquare.net             session_replay  1    not named
Datadog             datadoghq-browser-agent.com   analytics       1    not named
Facebook Pixel      facebook.net                  advertising     1    not named
Google AdSense      googlesyndication.com         advertising     2    not named
Google Ads          googleadservices.com          advertising     1    not named
Google Analytics    google-analytics.com          analytics       1    not named
Google DoubleClick  doubleclick.net               advertising     2    not named
Google Tag Manager  googletagmanager.com          tag_manager     5    not named
LinkedIn            linkedin.com                  social          2    not named
ListenLoop          listenloop.com                analytics       1    not named
Marketo             marketo.com                   analytics       1    not named
Marketo             marketo.net                   analytics       1    not named
Microsoft Bing      bing.com                      advertising     1    not named
Optimizely          optimizely.com                ab_testing      4    not named
Pinterest           pinimg.com                    social          1    not named
Pinterest           pinterest.com                 social          1    not named
Quora               quora.com                     social          1    not named
Reddit              redditstatic.com              social          1    not named
Spotify             byspotify.com                 social          1    not named
TVSquared           tvsquared.com                 analytics       1    not named
TikTok              tiktok.com                    social          1    not named
Yahoo Japan         yahoo.co.jp                   advertising     4    not named
Yahoo Japan         yjtag.jp                      tag_manager     2    not named
ZoomInfo            zi-scripts.com                analytics       1    not named
AWS                 amazonaws.com                 hosting         1    not named
AWS CloudFront      cloudfront.net                cdn             2    not named
Asana               asana.biz                     api             80   not named
Atlassian           statuspage.io                 hosting         1    not named
Capterra            capterra.com                  other           2    not named
Cloudflare          cloudflare.com                cdn             1    not named
Data URI            data:image                    other           50   not named
Datadog             datadoghq.com                 error_tracking  2    not named
G2                  g2crowd.com                   other           1    not named
Google              google.com                    other           5    not named
Google APIs         googleapis.com                api             1    not named
Google Static       gstatic.com                   cdn             2    not named
Greenhouse          greenhouse.io                 api             2    not named
IPify               ipify.org                     api             2    not named
JotForm             jotfor.ms                     embed           1    not named
JotForm             jotform.us                    embed           1    not named
LinkedIn CDN        licdn.com                     cdn             1    not named
Luna                luna1.co                      other           3    not named
Microsoft           aspnetcdn.com                 cdn             1    not named
Mountain            mountain.com                  other           1    not named
OneTrust            cookielaw.org                 other           4    not named
OneTrust            onetrust.com                  other           1    not named
Podcast SDK         pdst.fm                       embed           1    not named
Postie              postie.com                    other           1    not named
Qualified           qualified.com                 chat_support    1    not named
Recurly             recurly.com                   payments        1    not named
SurveyMonkey        surveymonkey.com              embed           1    not named
Vimeo               vimeocdn.com                  video           1    not named
Wistia              wistia.com                    video           1    not named
Wistia              wistia.net                    video           1    not named
Xing                xingcdn.com                   cdn             1    not named
Yahoo Japan         yimg.jp                       cdn             1    not named
YouTube             youtube.com                   video           1    not named
YouTube thumbnails  ytimg.com                     cdn             1    not named
jsDelivr            jsdelivr.net                  cdn             1    not named

policy claims

source · https://asana.com/privacy

collects pii: yes
shares 3p: yes
sells data: no
cookies: not stated
analytics: not stated
advertising: not stated

retention

The policy does not specify data retention practices or timeframes.

user rights

Users have rights to request access to and deletion of their data, particularly under CCPA/CPRA. The policy states Asana will cooperate with customers to fulfill deletion and access requests. Data subject rights are addressed through GDPR/UK GDPR compliance.

response headers

hsts: yes
csp: yes
server: Netlify

run this yourself


Every audit on this site is reproducible. Install stackpeek and run the same check against https://asana.com from your own machine — the tool is MIT-licensed and runs locally.

pip install stackpeek
stackpeek audit https://asana.com


provenance


This audit was generated by running stackpeek against https://asana.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.