stackpeek

audit report

Clerk

https://clerk.com · identity

warn
scanned 2026-04-16 23:36:22 utc permalink · /audit/clerk

Clerk's privacy policy claims comprehensive disclosure of data collection and third-party sharing, and the observed tech stack largely matches it: PostHog session replay and cookie-based identifiers are both disclosed. Two gaps remain. The policy names six specific third-party vendors (Google Analytics, PostHog, Koala, Inkeep, Plain, Ashby), but the page load confirms only PostHog and Stripe, and Stripe is not named in the policy at all; the gap between claimed and observed vendors suggests either selective activation or outdated policy language. Clerk provides user controls for marketing opt-out and cookie management, but the page sends no Content-Security-Policy header even though it collects session-replay data that the policy says includes keystrokes.

claim vs. reality


“We may collect information when you create an account, such as a unique customer ID or an email address or phone number.”

— Clerk privacy policy

observed · html

Policy: 'PostHog's session-replay technologies to record your interactions with the Services...capture user activities such as clicks, mouse movements, scrolls, and keystrokes'

findings


  1. warn

    Session replay without CSP protection

    The policy discloses PostHog session replay including keystroke capture ('keystrokes' is named explicitly), but the page sends no Content-Security-Policy header. Without one, script injected through an XSS flaw on the page can load code from any origin, read anything the page's own scripts can read (including the form input that replay records), and send it to any endpoint; a CSP with restrictive script-src and connect-src directives would limit both the loading and the exfiltration. Whether keystrokes typed into form fields actually reach PostHog also depends on the recorder's input-masking configuration, which a page-load scan cannot see.

    
                Policy: 'PostHog's session-replay technologies to record your interactions with the Services...capture user activities such as clicks, mouse movements, scrolls, and keystrokes'
    Observed: has_csp = false
              
  2. note

    No Content-Security-Policy header

    A Content-Security-Policy header tells the browser which origins scripts, connections, frames and other resources may come from, and whether inline scripts may run. Its absence is not a policy mismatch, but it is worth noting in a transparency report.

  3. note

    Vendor list vs. policy mismatch: multiple named vendors unobserved in page load

    The policy explicitly names six third-party vendors (Google Analytics, PostHog, Koala, Inkeep, Plain, Ashby), but only PostHog and Stripe are confirmed in the actual page load, and Stripe is not among the six. Google Analytics, Koala, Inkeep, and Plain are absent from network activity. This suggests either: (a) these vendors are integrated but not triggered on the homepage, (b) the policy reflects peak capabilities rather than current deployment, or (c) integrations have been deprecated but the policy wasn't updated. The scan is a single GET of the homepage, so a vendor loaded only after cookie consent, on sign-in, or on another route would not appear here.

    
                Policy lists: Google Analytics, PostHog, Koala, Inkeep, Plain, Ashby
    Observed third-party: Stripe, PostHog only
    No Google Analytics, Koala, Inkeep, or Plain domains detected
              
  4. info

    No privacy-sensitive third-party requests detected

    No requests to analytics, advertising, tracking, or session replay vendor domains were observed in the page load itself; the only third-party hit was Stripe (payments). PostHog does not appear in the hits table, so its presence rests on the PostHog cookie (finding 5) rather than on an observed request.

  5. info

    PostHog cookie pattern suggests production telemetry collection

    The cookie name (ph_phc_q5TPT5kitT5x2OFKOo7yB3bLWm1ChE24asf8wJGM8cq_posthog) follows posthog-js's ph_<project token>_posthog pattern, and phc_ is the prefix of a PostHog project token, so the PostHog client is initialised on this marketing page against a real project. That confirms active PostHog analytics collection. Whether session replay is recording as well is a project-level setting that the cookie alone does not show; where it is enabled, the policy's 'DVR-like visual video playback' applies, and users may not fully appreciate that this includes keystroke and mouse movement capture on marketing pages.

    
                Cookie: ph_phc_q5TPT5kitT5x2OFKOo7yB3bLWm1ChE24asf8wJGM8cq_posthog
    Policy: 'watch a DVR-like visual video playback of user sessions and capture user activities such as clicks, mouse movements, scrolls, and keystrokes'
              
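The checks behind findings 1, 3 and 5 (security headers, the vendor list comparison, and the PostHog cookie pattern), reproduced over a constructed sample response. This is an added example written for this report, not stackpeek's code or Clerk's; the sample headers and HTML are constructed, not captured from clerk.com, and the vendor-to-domain map is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample response; this is NOT a capture of clerk.com.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Server": "Vercel",
    "Set-Cookie": (
        "ph_phc_q5TPT5kitT5x2OFKOo7yB3bLWm1ChE24asf8wJGM8cq_posthog="
        "%7B%22distinct_id%22%3A%22x%22%7D; Path=/; SameSite=Lax"
    ),
}
SAMPLE_HTML = """<html><head>
<script src="https://js.stripe.com/v3/"></script>
<script src="/_next/static/chunks/main.js"></script>
<link rel="preconnect" href="https://us.i.posthog.com">
<img src="https://www.clerk.com/logo.png">
</head><body></body></html>"""

# Vendor names the policy lists, plus Stripe, mapped to the registrable domains
# their client libraries are assumed to load from (assumption, not from the report).
VENDOR_DOMAINS = {
    "Google Analytics": ("google-analytics.com", "googletagmanager.com"),
    "PostHog": ("posthog.com",),
    "Koala": ("getkoala.com",),
    "Inkeep": ("inkeep.com",),
    "Plain": ("plain.com",),
    "Ashby": ("ashbyhq.com",),
    "Stripe": ("stripe.com",),
}
POLICY_NAMED = {"Google Analytics", "PostHog", "Koala", "Inkeep", "Plain", "Ashby"}

# posthog-js names its cookie ph_<project token>_posthog; cloud tokens start phc_.
POSTHOG_COOKIE = re.compile(r"\bph_(phc_[A-Za-z0-9]+)_posthog=")


class _SrcCollector(HTMLParser):
    """Collects absolute URLs from src/href attributes in static HTML."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value and value.startswith("http"):
                self.urls.append(value)


def registrable(host):
    """Crude eTLD+1 (last two labels); adequate for the domains above."""
    return ".".join(host.lower().split(".")[-2:])


def third_party_hosts(html, page_host):
    """Hosts referenced by the HTML that are not on the page's own site."""
    collector = _SrcCollector()
    collector.feed(html)
    site = registrable(page_host)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).hostname
        if host and registrable(host) != site:
            hosts.add(host)
    return sorted(hosts)


def observed_vendors(hosts):
    """Vendor names whose assumed domains match any observed host."""
    found = set()
    for host in hosts:
        for vendor, suffixes in VENDOR_DOMAINS.items():
            if any(host == s or host.endswith("." + s) for s in suffixes):
                found.add(vendor)
    return found


def posthog_token(headers):
    """Project token from a PostHog cookie, or None. Expects lower-cased keys."""
    match = POSTHOG_COOKIE.search(headers.get("set-cookie", ""))
    return match.group(1) if match else None


def audit(headers, html, page_host):
    """Header checks, cookie check and vendor comparison in one pass."""
    lowered = {k.lower(): v for k, v in headers.items()}
    hosts = third_party_hosts(html, page_host)
    seen = observed_vendors(hosts)
    return {
        "has_hsts": "strict-transport-security" in lowered,
        "has_csp": "content-security-policy" in lowered,
        "posthog_token": posthog_token(lowered),
        "third_party_hosts": hosts,
        "observed_vendors": seen,
        "named_not_observed": POLICY_NAMED - seen,   # policy claims with no evidence
        "observed_not_named": seen - POLICY_NAMED,   # evidence with no policy claim
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_HEADERS, SAMPLE_HTML, "clerk.com").items():
        print(f"{key}: {value}")
```

Two limits worth keeping in mind when reading the findings above: a real response can carry several Set-Cookie headers, which a dict like SAMPLE_HEADERS collapses, and tags injected by JavaScript after load never appear in static HTML, which is one reason a policy-named vendor can be absent from a single GET.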

third parties observed


vendor   domain       category   hits   disclosure
Stripe   stripe.com   payments   1      not named

policy claims


source · https://clerk.com/legal/privacy

collects pii
yes
shares 3p
yes
sells data
not stated
cookies
yes
analytics
yes
advertising
yes

named third parties (6)

Google Analytics, PostHog, Inc., Koala, Inkeep, Inc., Not Just Tickets Ltd (d/b/a Plain), Ashby, Inc.

retention

Personal information is stored for as long as you use the Services or as necessary to fulfill the purpose(s) for which it was collected, provide Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce agreements, and comply with applicable laws.

user rights

Users have rights to access personal information, request correction, request deletion, request restriction or object to processing, and withdraw consent. Users can also opt out of marketing emails, manage cookies via the cookie manager, and opt out of personalized advertisements on mobile devices.

response headers


hsts
yes
csp
no
server
Vercel
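With csp: no, nothing in the browser limits where an injected script may load code from or send data to. The added example below (not from the report, stackpeek, or Clerk) is a small evaluator for the parts of CSP that matter here, run against an empty policy and a hardened one sized to the two observed vendors; the vendor origins in the hardened policy and the vendor URLs in the scenario are assumptions.

```python
from urllib.parse import urlparse

PAGE_ORIGIN = "https://clerk.com"
ATTACKER = "https://attacker.example"      # constructed origin for the XSS scenario

# What the scan saw: no Content-Security-Policy header at all.
NO_CSP = ""

# A hardened policy that still lets the two observed vendors work. The vendor
# origins are assumptions about where the PostHog and Stripe clients load from.
HARDENED_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://js.stripe.com https://*.posthog.com; "
    "connect-src 'self' https://*.posthog.com https://api.stripe.com; "
    "frame-src https://js.stripe.com; "
    "img-src 'self' data:; "
    "object-src 'none'; base-uri 'self'"
)

# Fetch directives that fall back to default-src when absent.
FALLS_BACK = {"script-src", "connect-src", "img-src", "frame-src", "object-src"}


def parse_csp(policy):
    """'directive src src; directive ...' -> {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def source_matches(source, url, page_origin=PAGE_ORIGIN):
    """Host-source matching only: 'self', 'none', scheme sources, hosts, *.wildcards."""
    if source == "'none'":
        return False
    u = urlparse(url)
    origin = f"{u.scheme}://{u.hostname}" if u.hostname else f"{u.scheme}:"
    if source == "'self'":
        return origin == page_origin
    if source.endswith(":") and "//" not in source:        # e.g. https: or data:
        return u.scheme == source[:-1]
    if "://" in source:
        scheme, _, host = source.partition("://")
    else:
        scheme, host = "", source
    if scheme and u.scheme != scheme:
        return False
    host = host.lower()
    if host.startswith("*."):                               # *.posthog.com, not posthog.com itself
        return bool(u.hostname) and u.hostname.endswith(host[1:])
    return u.hostname == host


def allowed(policy, directive, url, page_origin=PAGE_ORIGIN):
    """True if a load governed by `directive` (e.g. script-src) from `url` is permitted."""
    directives = parse_csp(policy)
    sources = directives.get(directive)
    if sources is None and directive in FALLS_BACK:
        sources = directives.get("default-src")
    if sources is None:                # nothing governs it: the browser allows it
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


def inline_script_allowed(policy):
    """Whether an injected inline <script> runs (nonces and hashes ignored)."""
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    return "'unsafe-inline'" in sources


def exfil_surface(policy):
    """Routes an XSS on the page could use to pull in code or push data out,
    next to the loads the two observed vendors need (vendor URLs assumed)."""
    return {
        "inline_script": inline_script_allowed(policy),
        "attacker_script": allowed(policy, "script-src", ATTACKER + "/x.js"),
        "attacker_fetch": allowed(policy, "connect-src", ATTACKER + "/collect"),
        "attacker_img_beacon": allowed(policy, "img-src", ATTACKER + "/p.gif"),
        "posthog_script": allowed(policy, "script-src", "https://us.i.posthog.com/static/array.js"),
        "posthog_ingest": allowed(policy, "connect-src", "https://us.i.posthog.com/e/"),
        "stripe_script": allowed(policy, "script-src", "https://js.stripe.com/v3/"),
    }


if __name__ == "__main__":
    for name, policy in (("no CSP", NO_CSP), ("hardened", HARDENED_CSP)):
        print(name, exfil_surface(policy))
```

Under the empty policy every route is open; under the hardened one the attacker's script, fetch and image beacon are all refused while the PostHog and Stripe loads still pass. Real enforcement covers much more (nonces, hashes, 'strict-dynamic', paths, report-only mode), and a page with inline framework scripts will need nonces or hashes rather than 'unsafe-inline', which this evaluator does not model.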

run this yourself


Every audit on this site is reproducible. Install stackpeek and run the same check against https://clerk.com from your own machine — the tool is MIT-licensed and runs locally.

pip install stackpeek
stackpeek audit https://clerk.com


provenance


This audit was generated by running stackpeek against https://clerk.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.