audit report
Heroku
Heroku's homepage loads third-party trackers including Google Tag Manager, Parsely analytics, and Cloudflare CDN, but the privacy policy referenced is Salesforce's (Heroku was acquired by Salesforce in 2007). The Salesforce policy explicitly names Google Analytics and advertising networks, while the observed tech stack includes Parsely, which the policy does not name among its third parties even though the site loads it. The policy claims no data selling and comprehensive user rights. No cookies were detected as set during page load, contradicting the policy's claims of using session and persistent cookies, though this may reflect timing or initial page state rather than an actual policy violation.
claim vs. reality
“The Personal Data we collect directly from you depends on how you choose to interact with us and what you choose to share. This may include identifiers such as contact information, professional or employment-related information, financial account information, commercial information, visual informati”
observed · html
Third-party tech stack shows 'parsely.com' with 2 hits in analytics category findings
- mismatch
Parsely analytics loaded but not named in policy
Parsely (analytics vendor) is actively loaded on the homepage (2 hits) but is not listed among Salesforce's named third parties in the privacy policy. The policy names Google Analytics specifically but not Parsely, creating a disclosure gap for this tracking vendor.
how we detected this → Third-party tech stack shows 'parsely.com' with 2 hits in analytics category
Policy named third parties list: Google Analytics, LinkedIn, GitHub, Network Advertising Initiative, Digital Advertising Alliance, TrustArc — Parsely absent
- warn
Observed vendors not named in policy
The policy names some third parties but omits these observed vendors. Undeclared: Google Tag Manager, Parsely.
how we detected this → Google Tag Manager, Parsely
- note
Google Tag Manager loaded (tag_manager)
Observed 2 time(s) on the page.
how we detected this → inline: var gtm4wp_datalayer_name = "dataLayer"; var dataLayer = dataLayer || [];
<iframe> src: https://www.googletagmanager.com/ns.html?id=GTM-JD26
- note
Parsely loaded (analytics)
Observed 2 time(s) on the page.
how we detected this → script src: https://cdn.parsely.com/keys/heroku.com/p.js?ver=3.23.1
link preconnect: https://p1.parsely.com
- note
Policy URL points to Salesforce, not Heroku-specific privacy statement
The privacy policy URL is https://www.salesforce.com/company/privacy/, not a Heroku-branded policy. While Heroku is Salesforce-owned, this creates potential user confusion about whose data practices apply and may not clearly signal which company is the data controller for Heroku.com visitors.
how we detected this → Policy URL: https://www.salesforce.com/company/privacy/
Site URL: https://www.heroku.com/
- note
Cookie claims unverified by passive observation
Policy claims use of session-based and persistent cookies with management via Cookie Preferences footer link, but no cookies were detected as set during passive page load. This does not indicate violation (cookies may be set after user interaction or on subsequent loads), but means the policy's cookie claims cannot be independently verified from the initial page state alone.
how we detected this → cookies_set: [] in observation
Policy claims: 'We use both session-based and persistent cookies on our websites'
- info
WordPress.com hosting detected but not explained in policy
A hit to wp.com (WordPress.com hosting) is recorded but not disclosed in the privacy policy. This may be infrastructure-related rather than a tracking vendor, but the purpose and necessity of this third-party connection are undisclosed to users.
how we detected this → Third-party: wp.com (WordPress.com, hosting category, 1 hit)
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| Google Tag Manager | googletagmanager.com | tag_manager | 2 | not named |
| Parsely | parsely.com | analytics | 2 | not named |
| Cloudflare | cloudflare.com | cdn | 3 | not named |
| GMPG | gmpg.org | other | 1 | not named |
| | google.com | other | 1 | not named |
| Heroku | herokucdn.com | cdn | 1 | not named |
| WordPress.com | wp.com | hosting | 1 | not named |
policy claims
source · https://www.salesforce.com/company/privacy/
- collects pii: yes
- shares 3p: yes
- sells data: no
- cookies: yes
- analytics: yes
- advertising: yes
named third parties (6)
Google Analytics, LinkedIn, GitHub, Network Advertising Initiative, Digital Advertising Alliance, TrustArc
retention
Salesforce retains Personal Data for a period consistent with the original purpose of collection or as long as required to fulfill legal and regulatory obligations. After expiry of retention periods, data is deleted, though where technical deletion is impossible, Salesforce implements measures to prevent further use.
user rights
Users have rights to access, rectify, erase, restrict processing, and port Personal Data. They can object to processing, opt out of third-party disclosures and targeted advertising, withdraw consent, and complain about usage. Users can exercise rights via form submission, email, or phone. Users have the right to lodge complaints with supervisory authorities in EEA/UK.
response headers
- hsts: yes
- csp: yes
- server: nginx
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://heroku.com from your own machine — the tool is MIT-licensed and runs locally.
pip install stackpeek
stackpeek audit https://heroku.com
provenance
This audit was generated by running stackpeek against https://heroku.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.