stackpeek

audit report

Fly.io

https://fly.io · hosting

mismatch
scanned 2026-04-16 23:35:26 utc permalink · /audit/flyio

Fly.io's privacy policy claims not to track users beyond Google Analytics and explicitly states "we do not permit third-party services to track your activity on our site beyond our basic Google Analytics tracking." However, the site loads Google Tag Manager (2 hits) alongside GA4, sets a `fly_gtm` cookie, and contains inline patterns for "Google Tag Manager"—a server-side tagging platform that can trigger arbitrary third-party tracking without being individually listed in the privacy policy. The policy names only Google Analytics as a tracking vendor but does not disclose Google Tag Manager, which materially expands tracking scope beyond what the policy claims.

claim vs. reality


“The information we collect about all visitors to our website includes the visitor's browser type, language preference, referring site, additional websites requested, and the date and time of each visitor request. We also collect potentially personally-identifying information like Internet Protocol (”

— Fly.io privacy policy

observed · html

Third-party domain: googletagmanager.com (2 hits)

findings


  1. mismatch

    Google Tag Manager not disclosed in privacy policy

    The site loads Google Tag Manager (googletagmanager.com, 2 hits) and sets a `fly_gtm` cookie, but the privacy policy only names 'Google Analytics' as a tracking vendor and explicitly claims 'we do not permit third-party services to track your activity on our site beyond our basic Google Analytics tracking.' GTM is a server-side container that can dynamically load arbitrary tracking tags without explicit disclosure, creating a gap between the stated tracking scope and actual implementation.

    
    Third-party domain: googletagmanager.com (2 hits)
    Cookie set: fly_gtm
    Inline pattern: 'Google Tag Manager'

  2. warn

    No HSTS header

    The response did not include a Strict-Transport-Security header. Users on a compromised network could be downgraded to plaintext HTTP.

  3. warn

    Observed vendors not named in policy

    The policy names some third parties but omits these observed vendors. Undeclared: Google Tag Manager, Hachyderm.

    
    Google Tag Manager
    Hachyderm

  4. note

    Google Tag Manager loaded (tag_manager)

    Observed 2 time(s) on the page.

    
    inline: V' window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date());
    inline: const tagId = 'G-EX6DMZ1DZV' window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(ar

  5. note

    Hachyderm loaded (social)

    Observed 1 time(s) on the page.

    
    link me: https://hachyderm.io/@flydotio

  6. note

    No Content-Security-Policy header

    A CSP header restricts what scripts the page can load. Its absence isn't a policy mismatch but is worth noting in a transparency report.

  7. note

    Missing security headers for a SaaS platform

    The site does not include HSTS (HTTP Strict-Transport-Security) or CSP (Content-Security-Policy) headers. Given that Fly.io is a developer platform handling sensitive application deployments, the absence of these security headers is inconsistent with the privacy policy's claim to 'follow generally accepted industry standards' for protecting user data.

    
    has_hsts: false
    has_csp: false
    Policy claim: 'follow generally accepted industry standards'

  8. info

    Hachyderm social embed loaded without explicit policy mention

    The site loads a resource from hachyderm.io (a federated social network), categorized as 'social' with 1 hit. The privacy policy does not mention social embeds or any federated social integrations, leaving it unclear whether this constitutes a third-party data share or simply a client-side iframe.

    
    Third-party domain: hachyderm.io (1 hit, category: social)

third parties observed


vendor              domain                category     hits  disclosure
Google Tag Manager  googletagmanager.com  tag_manager  2     not named
Hachyderm           hachyderm.io          social       1     not named

policy claims


source · https://fly.io/legal/privacy-policy

collects pii: yes
shares 3p: yes
sells data: no
cookies: yes
analytics: yes
advertising: no

named third parties (1)

Google Analytics

retention

User Personal Information is retained as long as the account is active or needed to provide services. Inactive accounts are not automatically deleted; users must manually delete their accounts, after which personal information is deleted within 30 days (barring legal requirements). Some data may be retained indefinitely for legal compliance.

user rights

Users can access, update, alter, or delete their basic profile information by editing their user profile or contacting support@fly.io. Users can delete their account through the Fly.io dashboard under Account Settings, resulting in permanent deletion within 30 days.

response headers


hsts: no
csp: no
server: Fly/9e64c111f (2026-04-16)

run this yourself


Every audit on this site is reproducible. Install stackpeek and run the same check against https://fly.io from your own machine — the tool is MIT-licensed and runs locally.

pip install stackpeek
stackpeek audit https://fly.io


provenance


This audit was generated by running stackpeek against https://fly.io from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.