audit report
Datadog
Datadog's privacy policy transparently discloses comprehensive data collection, sharing, and advertising practices aligned with observable behavior: it loads Google Tag Manager, Vimeo, and social tracking domains while claiming analytics and advertising use; names specific partners like PayPal/Braintree and lists broad sharing with service providers and advertising networks; acknowledges selling personal information with opt-out rights; and claims cookie use though no cookies were set during this session. The policy substantively matches detected third-party activity and makes user rights and opt-out mechanisms explicit, presenting a clear rather than opaque transparency posture.
findings
- note
Google Tag Manager loaded (tag_manager)
Observed 1 time(s) on the page.
link dns-prefetch preconnect: https://www.googletagmanager.com - note
No cookies detected despite cookie claims
Policy explicitly states use of cookies and similar technologies for tracking user interactions, yet the observation shows zero cookies were set during page load. This could indicate cookies are set on subsequent interactions or behind authentication, but the absence during initial homepage visit contradicts the blanket cookie-use assertion.
cookies_set: [] in observation Policy quote: 'We use cookies and similar technologies (like web beacons and pixels) to collect information about your interactions' - note
Third-party tracking stack partially undisclosed by name
Policy names analytics and advertising partners generically (Google, LinkedIn, Twitter, YouTube) but observed third-party domains include Brella and ZeroClick, which are not explicitly named in the privacy policy's third-party list. These vendors' purposes (categorized as 'other') lack disclosure, creating opacity around specific partner roles.
Observed: brella.io (Brella, category: other, 1 hit), zeroclick.ai (ZeroClick, category: other, 1 hit) Named third parties in policy: PayPal/Braintree, Google, Twitter, LinkedIn, YouTube—no mention of Brella or ZeroClick - info
Google Tag Manager: disclosed in policy
The policy names this vendor explicitly, matching what was observed.
how we detected this → - info
Datadog RUM inline detection suggests own analytics collection
Inline pattern 'Datadog RUM' indicates Datadog's own Real User Monitoring product is embedded on the homepage. This self-monitoring is distinct from third-party analytics but aligns with policy claims about collecting Product interaction data. However, RUM is not explicitly named in the policy's third-party analytics disclosures, implying first-party collection is treated as outside the third-party sharing framework.
inline_patterns: [Datadog RUM, Hugo] Policy focuses on third-party analytics sharing but does not detail Datadog's own data collection mechanisms
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| Google Tag Manager | googletagmanager.com | tag_manager | 1 | not named |
| AWS CloudFront | cloudfront.net | cdn | 1 | not named |
| Brella | brella.io | other | 1 | not named |
| Datadog | dd-static.net | error_tracking | 62 | not named |
| Datadog | datadoghq.com | error_tracking | 4 | not named |
| Docebo | docebosaas.com | hosting | 1 | not named |
| Gather | gather.town | video | 1 | not named |
| OnlineExperiences | onlinexperiences.com | hosting | 1 | not named |
| Pheedloop | pheedloop.com | hosting | 1 | not named |
| Vimeo | vimeo.com | video | 1 | not named |
| ZeroClick | zeroclick.ai | other | 1 | not named |
policy claims
source · https://www.datadoghq.com/legal/privacy/
- collects pii
- yes
- shares 3p
- yes
- sells data
- yes
- cookies
- yes
- analytics
- yes
- advertising
- yes
named third parties (5)
PayPal/Braintree, Google, Twitter, LinkedIn, YouTube
retention
Datadog retains personal information only as long as necessary to fulfill the purposes it was collected for, then deletes or archives it unless required by law or for legitimate business purposes. Retention periods depend on agreement terms, legitimate interests, legal obligations, and nature of the information.
user rights
Users have rights to access, update, and delete their personal information. In the EEA/UK/Switzerland: rights to restrict processing, object, and withdraw consent. In the US: rights to correct, opt out of behavioral advertising and sales, and restrict sensitive information use. Users can exercise rights via Data Subject Rights intake form or by contacting help@datadoghq.com.
response headers
- hsts
- yes
- csp
- yes
- server
- AmazonS3
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://datadoghq.com from your own machine — the tool is MIT-licensed and runs locally.
pip install stackpeek
stackpeek audit https://datadoghq.comprovenance
This audit was generated by running
stackpeek
against https://datadoghq.com
from a public IP, using only HTTP GET and standard browser headers. The
findings compare the observed HTML against the
extracted privacy policy
using the
public methodology.
Re-scans append new findings at new permalinks and never overwrite the
historical record.