audit report
Auth0
Auth0's privacy policy claims comprehensive data collection (PII, device, location, usage), extensive third-party sharing with service providers and marketing partners, and use of cookies and tracking technologies. The observed tech stack confirms several of these claims: Google Tag Manager and Adobe Tag Manager are loaded (matching the policy's advertising and analytics disclosures), Contentful CDN and Cloudflare are present (service provider pattern), and Cloudflare sets a tracking cookie. However, the policy names only 9 specific third parties (Google Analytics, Marketo, OneTrust, Google, Facebook, Twitter, Unity, Heroku, Salesforce) while the page loads Adobe and Google Tag Manager without explicit mention of Adobe in the named list, a potential disclosure gap. Auth0's transparency is generally strong on data categories and user rights, but the mismatch between named vendors and actually-loaded trackers suggests the policy may be incomplete or outdated regarding actual vendor relationships.
claim vs. reality
“We collect contact and/or professional data about you in person, through communications, and through our websites.”
observed · html
adobedtm.com loaded (1 hit) with category 'tag_manager' findings
- mismatch
Adobe Tag Manager loaded but not named in vendor list
The page loads adobedtm.com (Adobe Data Tag Manager) for tracking, but 'Adobe' does not appear in the policy's named_third_parties list. The policy does mention third-party advertising networks and tag managers generically, but does not explicitly name Adobe as a vendor partner.
how we detected this → adobedtm.com loaded (1 hit) with category 'tag_manager'; named_third_parties list includes Google Analytics, Marketo, OneTrust, Google, Facebook, Twitter, Unity Technologies, Heroku, Salesforce (but not Adobe)
- warn
Observed vendors not named in policy
The policy names some third parties but omits these observed vendors. Undeclared: Adobe.
how we detected this → Adobe
- note
Adobe loaded (tag_manager)
Observed 1 time(s) on the page.
how we detected this → script src: https://assets.adobedtm.com/6bb3f7663515/7006851c9849/launch-af624fe9e34f.min.js
- note
Google Tag Manager loaded (tag_manager)
Observed 1 time(s) on the page.
how we detected this → <iframe> src: https://www.googletagmanager.com/ns.html?id=GTM-W7FRLJ
- note
Policy claims Okta identity but site is Auth0
The policy language consistently refers to 'Okta' as the collecting entity (e.g., 'Okta retains Personal Data', 'Okta collects contact information'), but the site is Auth0.com. This suggests the privacy policy may be copied from a parent/corporate entity or is outdated. While Okta does own Auth0, the use of 'Okta' throughout without clarification could confuse users about which entity controls their data.
how we detected this → policy_claims retention_description states: 'Okta retains Personal Data...'; multiple policy claims begin with 'Okta collects...' or 'Okta uses...'; page title is 'Auth0' and final_url is auth0.com
- info
Google Tag Manager: disclosed in policy
The policy names this vendor explicitly, matching what was observed.
how we detected this →
- info
Comprehensive user rights claimed but implementation opacity
The policy claims users have robust rights (access, rectification, erasure, portability, CCPA opt-out) and cookie preference management. However, no mechanism to exercise these rights is visible in the observed tech stack. The policy states users 'can also opt-out of marketing communications and manage cookie preferences,' but no cookie banner, preferences center, or opt-out form was detected in the page loads.
how we detected this → user_rights_summary mentions cookie preference management and opt-out capabilities; cookies_set list only shows '_cfuvid' (Cloudflare), suggesting no visible preference/consent UI was loaded
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| Adobe | adobedtm.com | tag_manager | 1 | not named |
| Google Tag Manager | googletagmanager.com | tag_manager | 1 | not named |
| Auth0 | auth0.com | auth | 2 | not named |
| Cloudflare | cloudflare.com | cdn | 2 | not named |
| Contentful CDN | ctfassets.net | cdn | 36 | not named |
policy claims
source · https://auth0.com/privacy
- collects pii: yes
- shares 3p: yes
- sells data: yes
- cookies: yes
- analytics: yes
- advertising: yes
named third parties (9)
Google Analytics, Marketo, OneTrust, Google, Facebook, Twitter, Unity Technologies, Heroku, Salesforce
retention
Okta retains Personal Data for a period consistent with the original purpose of collection or as necessary to comply with legal obligations, resolve disputes, and enforce agreements. Retention periods vary based on business, legal and regulatory needs, with data request records retained for at least 24 months as required under the CCPA.
user rights
Users have rights to access, rectify, erase, restrict processing, port data, and object to processing of their Personal Data. California residents have additional CCPA rights including the right to know what data is collected, request deletion, opt-out of sales/sharing, limit use of sensitive data, and correct inaccurate information. Users can also opt-out of marketing communications and manage cookie preferences.
response headers
- hsts: yes
- csp: yes
- server: cloudflare
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://auth0.com from your own machine — the tool is MIT-licensed and runs locally.
pip install stackpeek
stackpeek audit https://auth0.com
provenance
This audit was generated by running stackpeek against https://auth0.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology.
Re-scans append new findings at new permalinks and never overwrite the historical record.