audit report
Heap
Heap's privacy policy claims use of cookies, analytics and advertising, and sharing with multiple third parties (LinkedIn, Facebook, X, YouTube, Google, Meta, Contentsquare), yet the observed page load shows no cookies set, no CSP header, and only minimal third-party activity: Google Tag Manager, Heap's own analytics, Wistia video hosting, the Contentful CDN, and the CookieLaw (OneTrust) consent script. The policy discloses data practices and user rights at length (access, deletion, portability, opt-out mechanisms for California residents), indicating transparency about collection and sharing, though there is a notable disconnect between the third-party sharing it describes and what is actually referenced in the homepage HTML. One caveat applies throughout: the scan is a single HTTP GET of the HTML (see provenance), so tags that Google Tag Manager or the consent script inject once JavaScript runs, and any cookies those tags set, are outside what it can observe.
claim vs. reality
“We collect personal information that you provide when you inquire about our Service or request a free trial or demo...when you register for an account to use our Service.”
observed · html
Google Tag Manager findings
- warn
Observed vendors not named in policy
The policy names some third parties but omits these observed vendors. Undeclared: Google Tag Manager, Heap. Two caveats apply: Google Tag Manager is a Google product and the policy does name Google Inc., so this may be a naming mismatch rather than an undisclosed vendor; and Heap is the operator of the audited site, so its own analytics script is first-party collection rather than sharing with a third party.
how we detected this → Google Tag Manager, Heap
- note
Google Tag Manager loaded (tag_manager)
Observed 1 time(s) on the page. The reference found is GTM's <noscript> iframe fallback (ns.html), which shows that container GTM-K3HQ8NT is installed; which tags it fires at runtime, and therefore which additional vendors load, is not visible in the served HTML.
how we detected this → <iframe> src: https://www.googletagmanager.com/ns.html?id=GTM-K3HQ8NT
- note
Heap loaded (analytics)
Observed 1 time(s) on the page. The matched text is a navigation link to status.heap.io inside inline content data, not a script tag loading Heap's analytics SDK, so this is weak evidence that the SDK runs on the page. Heap is also the site operator, so its own analytics is first-party collection rather than sharing with a third party.
how we detected this → inline: nternalName":"Status","text":"Status","url":"https://status.heap.io/"},"metadata":{"concepts":[],"tags":[]},"sys":{"contentTy
- note
No Content-Security-Policy header
A CSP header restricts which scripts the page can load. Its absence isn't a policy mismatch but is worth noting in a transparency report.
how we detected this → has_csp = false
- note
Cookie disclosure contradicts observation
The policy explicitly discusses cookies and related technologies, mentions tracking pixels in emails, and references a consent banner that California residents can use to opt out, yet the homepage load shows zero cookies set and no consent banner in the DOM. Two observations narrow this down. First, cookies_set reflects only Set-Cookie headers on the initial response; the scan does not execute JavaScript, so cookies written by analytics or consent scripts are never seen. Second, the HTML references cookielaw.org twice, the domain that serves OneTrust's consent-management script, which is consistent with a consent UI that is rendered client-side rather than absent. The remaining possibility, that the cookie implementation diverges from the policy language, cannot be confirmed or excluded by a static scan.
how we detected this → Policy claims: "For information about our, and our third-party providers and partners', use of cookies and related technologies"; Observed: cookies_set = [] (empty array), no consent UI evident in page load
- note
Named advertising partners not present in page load
The policy names LinkedIn, X, Facebook and YouTube as recipients of personal information for advertising and social-media purposes, yet only Google Tag Manager and Heap's own analytics are referenced on the homepage. No pixels or tracking code from the named social platforms appear in the HTML. This suggests either selective activation based on user interaction, consent or location, or overstatement of ongoing data sharing. Such pixels are commonly deployed through a tag manager, and GTM is present, so a scan of the served HTML cannot rule them out; a browser-based scan that records network requests after page load would be needed to settle this.
how we detected this → Policy named partners: LinkedIn, X, Facebook, YouTube, Google Inc., Meta; Observed third parties: googletagmanager.com, heap.io, wistia.net, ctfassets.net (CDN), cookielaw.org
- info
Missing CSP header despite advertised security measures
The policy claims 'appropriate technical and organizational measures' for data protection, but the homepage lacks a Content Security Policy (CSP) header, a standard control for mitigating XSS and content-injection attacks. This is a gap between claimed protective measures and observable security posture, though a small one: 'appropriate measures' does not commit to any specific header, CSP on a marketing homepage mainly protects visitors' browsers rather than stored personal data, and HSTS is present on the same response (see response headers). Treat it as a defense-in-depth observation rather than evidence that the policy claim is false.
how we detected this → Policy: 'We implement appropriate technical and organizational measures to protect your personal data'; Observed: has_csp = false
- info
Contentsquare disclosure present but not observed
The policy explicitly states 'We may share personal information with Contentsquare Group for all purposes mentioned above,' but no Contentsquare domain appears in third-party references on the homepage. This is consistent with selective activation (Contentsquare, like the advertising pixels above, can be loaded through Google Tag Manager after JavaScript runs, or only on pages other than the homepage) but warrants transparency: users may not realize sharing occurs off the homepage.
how we detected this → Policy claim: Contentsquare Group listed as named recipient; Observed: no Contentsquare domain in third-party list
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| Google Tag Manager | googletagmanager.com | tag_manager | 1 | not named |
| Heap | heap.io | analytics | 1 | not named |
| Contentful CDN | ctfassets.net | cdn | 23 | not named |
| CookieLaw | cookielaw.org | other | 2 | not named |
| Wistia | wistia.net | video | 1 | not named |
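The checks behind the findings above (third-party hosts referenced in the served HTML, their disclosure status against the vendors the policy names, and the header-level has_csp, has_hsts and cookies_set values) can be reproduced from a plain GET of the page. The block below is an added example written for this page; it is not stackpeek's code and not Heap's. Its sample HTML, response headers, vendor table and policy list are constructed, the audited site is the placeholder example.com, and registrable_domain is a two-label simplification that a real tool would replace with the Public Suffix List.

```python
"""Static (no JavaScript executed) privacy-audit checks for one page.

Added example, not stackpeek's code. Reproduces two check families: response
headers (CSP, HSTS, Set-Cookie) and third-party hosts referenced in the HTML,
compared against the vendors a privacy policy names. All inputs are constructed.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE = "example.com"  # constructed placeholder for the audited site

# Constructed homepage fragment. A plain GET sees the GTM loader and its
# <noscript> fallback, but none of the tags GTM injects at runtime.
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX"></script>
<script src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js"></script>
<link rel="stylesheet" href="/static/site.css">
</head><body>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-XXXXXXX"></iframe></noscript>
<img src="https://images.ctfassets.net/x/hero.png"><img src="https://images.ctfassets.net/x/logo.png">
<script src="https://fast.wistia.net/assets/external/E-v1.js"></script>
<a href="https://status.example.com/">Status</a>
</body></html>"""

# Constructed response headers; note there is no Content-Security-Policy.
SAMPLE_HEADERS = {
    "server": "Netlify",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-type": "text/html; charset=utf-8",
}

# Hypothetical vendor table: registrable domain -> (vendor, owner, category).
# "owner" is the name a policy would use; Google Tag Manager is a Google product.
VENDORS = {
    "googletagmanager.com": ("Google Tag Manager", "Google", "tag_manager"),
    "cookielaw.org": ("CookieLaw", "OneTrust", "consent"),
    "ctfassets.net": ("Contentful CDN", "Contentful", "cdn"),
    "wistia.net": ("Wistia", "Wistia", "video"),
    "facebook.net": ("Meta Pixel", "Meta", "advertising"),
}

# Constructed policy: owners the policy names as recipients of personal data.
POLICY_NAMED = {"LinkedIn", "Meta", "Google", "Contentsquare"}


class _RefCollector(HTMLParser):
    """Collect every URL the HTML asks the browser to fetch or follow."""
    ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href", "a": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        want = self.ATTRS.get(tag)
        if want:
            self.urls.extend(v for k, v in attrs if k == want and v)


def registrable_domain(host):
    """Last two labels of a hostname. Simplification: wrong for suffixes such as
    co.uk, where a real tool would consult the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def third_party_hits(html, site=SITE):
    """Registrable domain -> number of HTML references, excluding the site's own
    hosts and relative URLs. Counts references in markup, not network requests."""
    collector = _RefCollector()
    collector.feed(html)
    hits = Counter()
    for url in collector.urls:
        host = urlsplit(url).hostname
        if host and registrable_domain(host) != registrable_domain(site):
            hits[registrable_domain(host)] += 1
    return dict(hits)


def classify(hits, vendors=VENDORS):
    """Rows shaped like the 'third parties observed' table, sorted by domain."""
    rows = []
    for domain, n in sorted(hits.items()):
        vendor, owner, category = vendors.get(domain, (domain, domain, "unknown"))
        rows.append({"vendor": vendor, "owner": owner, "domain": domain,
                     "category": category, "hits": n})
    return rows


def undeclared(rows, named=POLICY_NAMED):
    """Observed vendors whose owner the policy does not name."""
    return [r["vendor"] for r in rows if r["owner"] not in named]


def named_but_unseen(rows, named=POLICY_NAMED):
    """Named owners with no reference in the HTML. Not proof they never load:
    a tag manager or consent script can inject them after JavaScript runs."""
    return sorted(named - {r["owner"] for r in rows})


def header_findings(headers):
    """Header-level checks. cookies_set reflects only Set-Cookie on this one
    response; cookies written by JavaScript are invisible to a plain GET."""
    h = {k.lower(): v for k, v in headers.items()}
    cookies = h.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    return {"has_csp": "content-security-policy" in h,
            "has_hsts": "strict-transport-security" in h,
            "server": h.get("server"), "cookies_set": cookies}


def audit(html=SAMPLE_HTML, headers=SAMPLE_HEADERS, site=SITE):
    """Combine the HTML and header checks into one report dict."""
    rows = classify(third_party_hits(html, site))
    return {"third_parties": rows, "undeclared": undeclared(rows),
            "named_but_unseen": named_but_unseen(rows),
            "headers": header_findings(headers)}


if __name__ == "__main__":
    import json
    print(json.dumps(audit(), indent=2))
```

Because the vendor table carries an owner, Google Tag Manager resolves to "Google" and is not reported as undeclared when the policy names Google, while the site's own status.example.com link is dropped as first-party. named_but_unseen still lists Contentsquare and Meta even though either could be injected by GTM at runtime; that is exactly the limit of a GET-only scan, and the reason the absence of a vendor in this report is weaker evidence than its presence.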
policy claims
source · https://heap.io/privacy
- collects pii: yes
- shares 3p: yes
- sells data: yes
- cookies: yes
- analytics: yes
- advertising: yes
named third parties (9)
LinkedIn, X (Twitter), Facebook, YouTube, Google Inc., Meta Platforms, Inc., Contentsquare Group, ICDR-AAA, Federal Trade Commission. Of these nine, ICDR-AAA is an arbitration provider and the Federal Trade Commission is a regulator, not recipients of personal information in the sense of the advertising and analytics vendors, so seven of the nine are commercial recipients.
retention
Heap retains personal information for a period that depends on the legal basis for processing:
- legitimate interests: a reasonable period based on the particular interest
- consent: until withdrawn, or until the service is no longer needed
- contract: the duration of the contract plus a limited additional time for compliance or the statute of limitations
- legal obligations: the period necessary to fulfil the obligation
- legal holds: until the claim is resolved
user rights
Users have rights to access, correct, delete, and port their personal data. EU/UK/Switzerland residents have additional rights including restriction of processing, withdrawal of consent, and right to object. California residents can request deletion, correction, access, opt-out of sale/sharing, and restriction of sensitive information use. Users can unsubscribe from marketing emails and modify account information.
response headers
- hsts: yes
- csp: no
- server: Netlify
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://heap.io from your own machine — the tool is MIT-licensed and runs locally.
pip install stackpeek
stackpeek audit https://heap.io
provenance
This audit was generated by running stackpeek against https://heap.io from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.