audit report
Linear
Linear's privacy policy aligns closely with its observed tech stack: it discloses use of analytics (PostHog, Google APIs), Intercom for support, Stripe for payments, and Sentry for error tracking—all present in the network. The policy claims to use cookies and tracking pixels, which matches the stated technology. However, the observation records "0 cookies set" even though the policy claims "Essential, Functional, and Performance/Analytical cookies" and states that Linear uses them "to recognize browsers." This creates ambiguity about implementation—either cookies are set server-side (beyond the audit scope), or the claim overstates current usage. The policy appropriately discloses third-party sharing with service providers and analytics vendors, though it does not name specific vendors in the policy text itself, relying instead on contractual disclosure mechanisms.
findings
- note
Gravatar loaded (social)
Observed 1 time(s) on the page.
how we detected this → CSP: https://secure.gravatar.com
- note
PostHog loaded (analytics)
Observed 1 time(s) on the page.
how we detected this → CSP: https://app.posthog.com
- note
Cookie policy scope vs. observed implementation unclear
The policy describes multiple cookie categories (Essential, Functional, Performance/Analytical) with specific purposes including browser recognition and advertising measurement. However, the observation records 0 cookies set in the page itself. This could indicate: (1) cookies are set server-side or on subsequent interactions not captured here, (2) cookies are set conditionally after user consent, or (3) the cookie claims describe a broader infrastructure than the homepage alone uses. The policy's specific cookie language suggests active use, but this particular observation can't confirm it.
how we detected this →
Policy claims: 'Essential Cookies...Functional Cookies...Performance/Analytical Cookies allow us to understand how visitors use our Services'
Observation: 'cookies_set': []
Policy also claims: 'the Services use cookies and similar technologies such as pixel tags, web beacons, clear GIFs and JavaScript to enable our servers to recognize your web browser'
- note
Advertising performance measurement without explicit ad-serving disclosure
The policy states Performance/Analytical Cookies 'help us measure the performance of our advertising campaigns' and claims the site 'uses_advertising': true. However, no ad network domains (Google Ads, Meta Pixel, etc.) appear in the third-party list—only analytics (PostHog, Google APIs). This suggests Linear measures campaign performance via its own analytics rather than serving targeted ads on the site itself, which narrows the advertising claim to campaign measurement rather than ad-serving.
how we detected this →
Policy: 'measure the performance of our advertising campaigns in order to help us improve our campaigns'
Third-party list includes PostHog and Google APIs but no ad-serving networks (e.g., Google Ads Manager, Meta Pixel, DoubleClick)
Inline patterns detected: 'Intercom', 'Stripe' (support and payments, not advertising)
- info
Third-party vendors disclosed in policy but not named exhaustively
The policy claims sharing with 'Service Providers, Parties You Authorize, Access or Authenticate, Business Partners' but does not list specific vendor names in the policy text itself. The observed tech stack includes Intercom, Stripe, Sentry, PostHog, Sanity, and Algolia among others. Linear appears to rely on a separate disclosure mechanism (likely a cookie consent UI or vendor list) rather than naming vendors in the policy prose. This is compliant but less transparent than an inline vendor list.
how we detected this →
Policy quote: 'Categories of Third Parties With Whom We Share this Personal Data - Service Providers, Parties You Authorize, Access or Authenticate, Business Partners'
policy_claims shows: 'named_third_parties': []
Observed third-party domains: Intercom, Stripe, Sentry, PostHog, Sanity, Algolia, Ashby
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| Gravatar | gravatar.com | social | 1 | not named |
| PostHog | posthog.com | analytics | 1 | not named |
| <UNKNOWN> | 127.0.0.1:18450 | other | 1 | not named |
| <UNKNOWN> | 127.0.0.1:33234 | other | 1 | not named |
| <UNKNOWN> | 127.0.0.1:44450 | other | 1 | not named |
| Algolia | algolia.net | api | 1 | not named |
| Ashby | ashbyhq.com | api | 1 | not named |
| Cloudflare | cloudflare.com | cdn | 1 | not named |
| GitHub | githubusercontent.com | cdn | 2 | not named |
| GitHub | github.com | api | 1 | not named |
| GitHub | githubstatus.com | other | 1 | not named |
| | dns.google | api | 1 | not named |
| Google APIs | googleapis.com | api | 7 | not named |
| Google User Content | googleusercontent.com | cdn | 1 | not named |
| Incident.io | incident.io | api | 1 | not named |
| Intercom | intercom.io | chat_support | 2 | not named |
| Linear | linear.dev | api | 5 | not named |
| Linear | linearstatus.com | other | 1 | not named |
| Sanity | sanity.io | api | 4 | not named |
| Sentry | sentry.io | error_tracking | 2 | not named |
| Slack | slack-edge.com | cdn | 1 | not named |
| Stripe | stripe.com | payments | 3 | not named |
| | twimg.com | cdn | 3 | not named |
| YouTube thumbnails | ytimg.com | cdn | 1 | not named |
policy claims
source · https://linear.app/privacy
- collects pii: yes
- shares 3p: yes
- sells data: no
- cookies: yes
- analytics: yes
- advertising: yes
retention
Personal Data is retained as long as the user has an open account or as necessary to provide Services. In some cases, Personal Data is retained longer to comply with legal obligations, resolve disputes, or collect fees owed, or as otherwise permitted by law. Anonymous or aggregated information may be retained indefinitely.
user rights
EU residents have rights including: access to Personal Data, rectification of incorrect data, erasure, withdrawal of consent, data portability in machine-readable format, objection to further use or disclosure, restriction of processing, and right to file a complaint with supervisory authorities. California residents can prevent disclosure for direct marketing purposes. Nevada residents can opt-out of sale of Personal Data.
response headers
- hsts: yes
- csp: yes
- server: cloudflare
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://linear.app from your own machine — the tool is MIT-licensed and runs locally.
pip install stackpeek
stackpeek audit https://linear.app
provenance
This audit was generated by running stackpeek against https://linear.app from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.