audit report
Loom
Loom's privacy policy makes broad claims about data collection, sharing, and third-party use, but the observed tech stack reveals a meaningful gap: the policy is apparently generic Atlassian boilerplate that does not reflect Loom's actual infrastructure. The page loads Sanity.io (47 hits), Amplitude analytics, LaunchDarkly feature flags, Google Analytics, and others, yet only "Google" appears in the policy's named third parties—Amplitude, LaunchDarkly, and Sanity are never mentioned. The policy's extensive disclosures about "Atlassian partners," "service providers," and data retention are presented as applying to Loom, but lack specificity to Loom's actual vendors and data flows. This suggests either outdated policy language or inadequate customization for the Loom product itself.
claim vs. reality
“We collect information when you register for an account, create or modify your profile, set preferences...you provide contact information (e.g., name or email address) and, in some cases, billing information”
observed · html
Observed: sanity.io (47 hits), amplitude.com (1 hit), launchdarkly.com (1 hit)
findings
- mismatch
Policy uses Atlassian boilerplate; does not name observed vendors
The privacy policy is heavily Atlassian-focused (references 'Atlassian collects,' 'Atlassian partners,' 'Atlassian ads') and claims to disclose to 'service providers' generically, but fails to name critical vendors actually loading on the page: Amplitude (analytics), LaunchDarkly (feature flags), and Sanity.io (CMS/API). The policy's named third parties list only includes Google, Twitter, Facebook, TRUSTe, and DAA—none of which explain the heavy reliance on Sanity (47 hits) or Amplitude analytics infrastructure.
how we detected this →
  - Observed: sanity.io (47 hits), amplitude.com (1 hit), launchdarkly.com (1 hit)
  - Policy claims named third parties: Google, Twitter, Facebook, TRUSTe, Digital Advertising Alliance
  - Policy text repeatedly refers to 'Atlassian' and 'Atlassian partners' rather than 'Loom' or Loom-specific vendors
- warn
Observed vendors not named in policy
The policy names some third parties but omits these observed vendors. Undeclared: Amplitude.
how we detected this →
  - Amplitude
- warn
No discernible cookie management despite policy claims
The policy claims Loom and third-party partners 'use cookies and other tracking technologies' and offers opt-out rights for targeted advertising, but the observation shows zero cookies set and no visible cookie consent banner. This could indicate cookies are set on subsequent pages or require user action, but it creates a transparency gap: users landing on the homepage cannot immediately exercise the advertised right to opt out of tracking before any data collection occurs.
how we detected this →
  - Policy: 'Atlassian and our third-party partners...use cookies and other tracking technologies'
  - Observed: cookies_set = []
  - No cookie consent interface observed on initial page load
- note
Amplitude loaded (analytics)
Observed 1 time(s) on the page.
how we detected this →
  - link preconnect: https://cdn.amplitude.com
- note
Google Analytics loaded (analytics)
Observed 1 time(s) on the page.
how we detected this →
  - link preconnect: https://www.google-analytics.com
- note
No Content-Security-Policy header
A Content-Security-Policy (CSP) header restricts which sources the page may load scripts and other resources from. Its absence is not a policy mismatch, but it is worth noting in a transparency report.
how we detected this →
- note
Sanity.io traffic volume unexplained in policy
The observation shows 47 hits to sanity.io (likely a headless CMS or content API), making it the single largest third-party traffic source. The policy does not explain what data flows to Sanity or for what purpose. This is a significant operational relationship that warrants explicit disclosure, particularly if Sanity has access to user data or content.
how we detected this →
  - Observed: sanity.io 47 hits, category 'api'
  - Policy: no mention of Sanity or comparable content/API infrastructure partner
- info
Google Analytics: disclosed in policy
The policy names this vendor explicitly, matching what was observed.
how we detected this →
- info
Missing Security Headers
The site has HSTS enabled (good) but lacks a Content Security Policy (CSP); without a CSP the site has one less control for mitigating XSS and data exfiltration. This is notable given the reliance on multiple third-party APIs and the sensitive nature of video recording data.
how we detected this →
  - Observed: has_csp = false, has_hsts = true
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| Amplitude | amplitude.com | analytics | 1 | not named |
| Google Analytics | google-analytics.com | analytics | 1 | not named |
| Atlassian | atlassian.com | other | 1 | not named |
| Google | google.com | other | 1 | named |
| Google Static | gstatic.com | cdn | 2 | not named |
| LaunchDarkly | launchdarkly.com | feature_flags | 1 | not named |
| Sanity | sanity.io | api | 47 | not named |
policy claims
source · https://loom.com/privacy
- collects pii: yes
- shares 3p: yes
- sells data: not stated
- cookies: yes
- analytics: yes
- advertising: yes
named third parties (5)
Google, Twitter, Facebook, TRUSTe, Digital Advertising Alliance
retention
Data retention depends on the type of information and purposes for collection. Account information is retained as long as the account is active and a reasonable period thereafter. Marketing information is retained for a reasonable period from last engagement. Information is either deleted, de-identified, or securely stored and isolated from further use until deletion is possible.
user rights
Users can request access to their information, request a copy in portable format, delete their account and information, update or correct information, object to data processing, restrict processing, opt out of marketing communications and targeted advertising, and lodge complaints with supervisory authorities (for EEA/UK residents).
response headers
- hsts: yes
- csp: no
- server: Vercel
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://loom.com from your own machine — the tool is MIT-licensed and runs locally.
pip install stackpeek
stackpeek audit https://loom.com
provenance
This audit was generated by running stackpeek against https://loom.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.