audit report
LogRocket
LogRocket's privacy policy makes clear, specific claims about data collection (PII, usage data, payment info), third-party sharing (service providers, legal requests, M&A scenarios), cookies, analytics, and advertising—all of which are substantiated by the policy text. The observed tech stack shows minimal third-party loading (only googleapis.com and LogRocket's own domain), no cookies set at page load, and no CSP header, which means the policy's claims about cookie usage and third-party sharing are not directly observable from this single page view. The policy explicitly discloses data retention, user rights (including GDPR, CCPA, and DPF compliance), and security measures. Overall, the policy is transparent and internally consistent with its claims, though real-world cookie and advertising practices would require monitoring across user sessions and customer pages to fully verify.
claim vs. reality
“Personal Information means all information relating to a person that identifies such person or could reasonably be used to identify such person, including but not limited to, as first and last name, home address, billing address, or other physical address, email address, telephone number”
observed · html
LogRocket findings
- warn
Observed vendors not named in policy
The policy names some third parties but omits these observed vendors. Undeclared: LogRocket.
how we detected this →LogRocket
- note
LogRocket loaded (session_replay)
Observed 1 time(s) on the page.
how we detected this →inline: ms, and easy integration into their existing systems.\nWith LogRocket, Matt gained insights into user interactions within 7-Eleve
- note
No Content-Security-Policy header
A CSP header restricts what scripts the page can load. Its absence isn't a policy mismatch but is worth noting in a transparency report.
how we detected this →
- note
Policy claims cookie usage but none set at page load
The policy states LogRocket uses cookies to measure activity and maintain session coherence, and that third-party service providers may use cookies. However, the observation shows zero cookies set on the homepage. This is not a mismatch—cookies could be set on subsequent pages, during service usage (for customers), or by third parties on different domains—but it means cookie practices are not verifiable from this single landing page snapshot.
how we detected this →Policy: 'We, or third party service providers, may use cookies to...measure activity, personalize your experience' Observation: cookies_set = []
- note
Named third parties are opt-out orgs, not data recipients
The policy names three 'third parties': BBB National Programs, Network Advertising Initiative, and Digital Advertising Alliance. These are actually industry consortia for opt-out/opt-in preferences, not service providers or ad networks LogRocket shares data with directly. The actual third-party data recipients (web hosts, email services, payment processors, ad networks) are described generically in the policy without specific names. This is a common but potentially confusing disclosure pattern—the named entities serve as *controls* for interest-based advertising, not as data recipients.
how we detected this →Policy named_third_parties list includes 'Network Advertising Initiative' and 'Digital Advertising Alliance' Policy text: 'third parties may use the fact that you visited our Site to target online ads to you. In addition, our third-party advertising networks might use information'—networks are not named.
- info
Absence of CSP header limits visibility into ad/tracking enforcement
The observation shows has_csp: false. Given the policy's claims about third-party advertising and data collection, a Content Security Policy would help enforce which domains can be loaded. Its absence doesn't contradict the policy claims, but it does mean there is no measurable technical control preventing unauthorized third-party script injection, which aligns with LogRocket's business model (session replay and product analytics inherently require broad data collection).
how we detected this →Observation: has_csp = false Policy: permits third-party advertising and analytics
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| LogRocket | logrocket.com | session_replay | 1 | not named |
| Google APIs | googleapis.com | api | 1 | not named |
policy claims
source · https://logrocket.com/privacy
- collects pii: yes
- shares 3p: yes
- sells data: no
- cookies: yes
- analytics: yes
- advertising: yes
named third parties (3)
BBB National Programs, Network Advertising Initiative, Digital Advertising Alliance
retention
LogRocket retains personal information necessary to fulfill the purpose for which it was collected or as required by law, and does not retain it longer than necessary. Information is destroyed in a way that prevents restoration or reconstruction.
user rights
Users have the right to access, rectify, and delete personal information. Residents of EEA, UK, Switzerland, or California have additional rights including data portability, right to restrict processing, opt-out of marketing, and the right to lodge complaints with supervisory authorities. Users can exercise rights by contacting [email protected].
response headers
- hsts: yes
- csp: no
- server: cloudflare
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://logrocket.com from your own machine — the tool is MIT-licensed and runs locally.
pip install stackpeek
stackpeek audit https://logrocket.com
provenance
This audit was generated by running stackpeek against https://logrocket.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.