stackpeek

audit report

Intercom

https://intercom.com · customer support

warn
scanned 2026-04-16 23:31:58 utc permalink · /audit/intercom

Intercom's privacy policy claims extensive data collection (PII, device data, audio/video, usage patterns, third-party enrichment) and transparent sharing with service providers and advertising partners, along with AI/ML processing. The observed tech stack partially aligns: Google Tag Manager (analytics), Stripe (payments), and Intercom's own chat widget are loaded; the policy names Google Analytics and Stripe specifically. However, the policy lists Facebook and contact enrichment providers without their presence being directly confirmed in the current page load. The site sets a GTM cookie and loads Google Tag Manager but sends no CSP header. The policy does not claim to honor Do Not Track (DNT) signals. Overall, policy transparency is high on stated practices, though some named third parties lack visible confirmation in this particular page observation.

claim vs. reality

claim: “first and last names; email addresses; phone numbers; company name; your role in your company”
— Intercom privacy policy

observed (html): Google Tag Manager

findings


  1. warn · Observed vendors not named in policy

     The policy names some third parties but omits these observed vendors. Undeclared: Google Tag Manager.

       Google Tag Manager

  2. note · Google Tag Manager loaded (tag_manager)

     Observed 2 time(s) on the page.

       link preload: https://www.googletagmanager.com/gtag/js?id=
       link preload: https://www.googletagmanager.com/gtm.js?id=GTM-WB899HL

  3. note · No Content-Security-Policy header

     A CSP header restricts what scripts the page can load. Its absence isn't a policy mismatch but is worth noting in a transparency report.

  4. note · Named third parties lack visible confirmation in page load

     The privacy policy names Facebook and contact enrichment/lead generation providers, identity resolution providers, and geolocation IP intelligence vendors as data sources or partners. None of these domains appear in the observed third-party requests for this particular page load. This doesn't necessarily indicate a mismatch (these services may be used conditionally, e.g. on different pages, via server-side integrations, or for specific customer segments), but it means the claim of sharing with these parties is not directly observable from this single audit.

       Policy claims: 'contact enrichment and lead generation providers', 'identity resolution and insight management provider', 'geolocation IP intelligence provider', 'Facebook'
       Observed third parties: only intercom.io, googletagmanager.com, stripe.com

  5. note · No CSP header despite extensive AI/ML and third-party processing claims

     Intercom explicitly claims to use AI and machine learning technologies, including generative AI, to process personal data, and loads multiple third-party integrations. The absence of a Content Security Policy (CSP) header means there are no published restrictions on inline scripts or external resource loading, reducing public visibility into what code can execute in the browser.

       Policy: 'We...may use artificial intelligence (AI) and machine learning technologies, including generative AI'
       Observation: has_csp = false

  6. info · Vague retention policy without specific timeframes

     The privacy policy states retention is 'only as long as necessary' but does not specify concrete retention periods for different data categories (PII, cookies, audio/video, logs, etc.). This is compliant but operationally opaque: users cannot predict when their data will be deleted.

       Retention claim: 'Intercom retains personal data only for as long as necessary to fulfill the purposes set out in this Privacy Policy'
       Policy note: 'The policy does not specify exact retention periods for different data types.'

third parties observed

vendor              domain                category      hits  disclosure
Google Tag Manager  googletagmanager.com  tag_manager   2     not named
Intercom            intercom.io           chat_support  12    not named
Stripe              stripe.com            payments      1     named

policy claims

source · https://www.intercom.com/legal/privacy

collects pii: yes
shares 3p:    yes
sells data:   no
cookies:      yes
analytics:    yes
advertising:  yes

named third parties (7)

Google Analytics, Facebook, Stripe, contact enrichment and lead generation providers, targeted online advertising providers, identity resolution and insight management provider, geolocation IP intelligence provider

retention

Intercom retains personal data only as long as necessary to fulfill the purposes set out in the Privacy Policy. The policy does not specify exact retention periods for different data types.

user rights

EEA/UK residents can access, correct, update, or request deletion of personal data; object to processing; request portability; withdraw consent; and opt-out of marketing communications. California residents have rights to know, access, correct, and delete personal information, as well as opt-out of targeted advertising and tracking.

response headers

hsts:   yes
csp:    no
server: Vercel

run this yourself


Every audit on this site is reproducible. Install stackpeek and run the same check against https://intercom.com from your own machine — the tool is MIT-licensed and runs locally.

pip install stackpeek
stackpeek audit https://intercom.com


provenance


This audit was generated by running stackpeek against https://intercom.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.