stackpeek

audit report

Mixpanel

https://mixpanel.com · product analytics

warn
scanned 2026-04-16 23:32:44 utc · permalink: /audit/mixpanel

Mixpanel's policy emphasizes compliance with GDPR/CCPA, end-to-end data protection, and EU data residency, but the observed tech stack reveals extensive third-party vendor integration that the policy never mentions or details. The company loads 15+ advertising/tracking vendors (Google DoubleClick, Facebook Pixel, Twitter Ads, LinkedIn, AppNexus, etc.), multiple analytics platforms (Google Analytics, Marketo, Mixpanel), session replay (Microsoft Clarity), and A/B testing (Optimizely), none of which are disclosed in its privacy claims. While Mixpanel itself is a product designed for customer analytics, the company's own site uses sophisticated tracking infrastructure that creates tension with the claimed transparency and compliance posture.

claim vs. reality


“We're committed to keeping your personal data safe.”

— Mixpanel privacy policy

observed · html

Microsoft Clarity

findings


  1. warn

    Session replay tools detected

    Session replay tools record user interactions. Observed: Microsoft Clarity. The policy should clearly disclose this and how recordings are stored.

    
    Microsoft Clarity
  2. warn

    Undisclosed third-party vendor ecosystem contradicts transparency claims

    The policy emphasizes compliance and data protection but does not disclose any of the 30+ third-party vendors observed in the tech stack. Specifically, the policy claims Mixpanel is 'built in compliance with industry best practices' and offers EU data residency, yet the site loads advertising networks (DoubleClick, Facebook Pixel, Twitter Ads, AdRoll, Taboola, Rubicon), marketing automation (Marketo, Customer.io), and session replay (Microsoft Clarity) without any mention of these processors, their purposes, or user rights regarding their data collection.

    
    Policy makes no mention of third-party vendors or subprocessors
    Tech stack includes: doubleclick.net (4 hits), facebook.net & facebook.com (4 hits), ads-twitter.com (1 hit), adroll.com (2 hits), marketo.com (3 hits), clarity.ms (3 hits), mktoresp.com, etc.
    GDPR/CCPA-compliant processors must disclose subprocessors and their purposes; this policy is silent on these vendors
  3. warn

    Session replay and behavioral tracking not mentioned despite heavy implementation

    Microsoft Clarity (session replay, 3 hits) and Qualified.com (8 hits, likely conversion tracking) are loaded on the site but receive no mention in the privacy policy. Session replay tools capture keystroke, scroll, and interaction patterns—sensitive under both GDPR and CCPA—yet there is no disclosed consent mechanism, purpose statement, or retention policy for this data collection.

    
    clarity.ms: 3 hits (session replay/behavioral analytics)
    qualified.com: 8 hits (conversion/intent signals)
    Policy claims 'protect customer data from end to end' but does not disclose behavioral capture mechanisms
  4. note

    Optimizely loaded (ab_testing)

    Observed 9 time(s) on the page.

    
    script src: https://cdn.optimizely.com/js/5838709522694144.js
    link preload: https://cdn.optimizely.com/js/5838709522694144.js
    link preconnect: https://logx.optimizely.com
  5. note

    Microsoft Bing loaded (advertising)

    Observed 4 time(s) on the page.

    
    CSP: https://*.bing.com
  6. note

    Google DoubleClick loaded (advertising)

    Observed 4 time(s) on the page.

    
    CSP: https://*.doubleclick.net
  7. note

    Microsoft Clarity loaded (session_replay)

    Observed 3 time(s) on the page.

    
    CSP: https://*.clarity.ms
  8. note

    Facebook loaded (social)

    Observed 3 time(s) on the page.

    
    CSP: https://*.facebook.com
  9. note

    Google Analytics loaded (analytics)

    Observed 3 time(s) on the page.

    
    CSP: https://*.google-analytics.com
  10. note

    Google AdSense loaded (advertising)

    Observed 3 time(s) on the page.

    
    CSP: https://*.googlesyndication.com
  11. note

    Google Tag Manager loaded (tag_manager)

    Observed 3 time(s) on the page.

    
    CSP: https://www.googletagmanager.com
  12. note

    Marketo loaded (analytics)

    Observed 3 time(s) on the page.

    
    CSP: https://*.marketo.com
  13. note

    Pinterest loaded (social)

    Observed 3 time(s) on the page.

    
    CSP: https://ct.pinterest.com
  14. note

    AddToAny loaded (social)

    Observed 2 time(s) on the page.

    
    CSP: https://static.addtoany.com
  15. note

    AppNexus loaded (advertising)

    Observed 2 time(s) on the page.

    
    CSP: https://*.adnxs.com
  16. note

    AdRoll loaded (advertising)

    Observed 2 time(s) on the page.

    
    CSP: https://*.adroll.com
  17. note

    LinkedIn loaded (social)

    Observed 2 time(s) on the page.

    
    CSP: https://*.linkedin.com
  18. note

    Reddit loaded (social)

    Observed 2 time(s) on the page.

    
    CSP: https://*.reddit.com
  19. note

    Twitter/X Ads Pixel loaded (advertising)

    Observed 1 time(s) on the page.

    
    CSP: https://*.ads-twitter.com
  20. note

    Facebook Pixel loaded (advertising)

    Observed 1 time(s) on the page.

    
    CSP: https://connect.facebook.net
  21. note

    Google Ads loaded (advertising)

    Observed 1 time(s) on the page.

    
    CSP: https://*.googleadservices.com
  22. note

    Gravatar loaded (social)

    Observed 1 time(s) on the page.

    
    CSP: https://*.gravatar.com
  23. note

    Mixpanel loaded (analytics)

    Observed 1 time(s) on the page.

    
    inline: de.insertBefore(e,g)}})(document,window.mixpanel||[]); mixpanel.init('metrics-1', { api_payload_format: 'json',
  24. note

    Marketo loaded (analytics)

    Observed 1 time(s) on the page.

    
    CSP: https://*.mktoresp.com
  25. note

    OpenX loaded (advertising)

    Observed 1 time(s) on the page.

    
    CSP: https://*.openx.net
  26. note

    Outbrain loaded (advertising)

    Observed 1 time(s) on the page.

    
    CSP: https://sync.outbrain.com
  27. note

    PubMatic loaded (advertising)

    Observed 1 time(s) on the page.

    
    CSP: https://*.pubmatic.com
  28. note

    Rubicon Project loaded (advertising)

    Observed 1 time(s) on the page.

    
    CSP: https://pixel.rubiconproject.com
  29. note

    Twitter/X short URL loaded (social)

    Observed 1 time(s) on the page.

    
    CSP: https://t.co/
  30. note

    Taboola loaded (advertising)

    Observed 1 time(s) on the page.

    
    CSP: https://sync.taboola.com
  31. note

    Twitter/X loaded (social)

    Observed 1 time(s) on the page.

    
    CSP: https://analytics.twitter.com
  32. note

    Framer presence (89 hits) and related domains suggest heavy use of a third-party design/build platform

    The site loads framerusercontent.com (89 hits) and framer.com (7 hits), indicating significant reliance on Framer (a design/hosting platform). This third-party infrastructure is not mentioned in the privacy policy, raising questions about data flows and who has access to visitor data during page rendering.

    
    framerusercontent.com: 89 hits (highest-traffic third party)
    framer.com: 7 hits
    No mention of Framer or similar design platforms in policy
  33. info

    Extensive Google marketing and advertising pixels despite GDPR/CCPA messaging

    The site loads multiple Google properties (Google Ads, DoubleClick, Google Tag Manager, Google Analytics) along with Facebook Pixel and LinkedIn Insights, totaling 20+ hits. While these are common, the policy's emphasis on GDPR/CCPA compliance and European data residency suggests that the resulting cross-border data transfers should be explicitly addressed (e.g., Standard Contractual Clauses, Data Processing Addendum references), but they are not.

    
    googletagmanager.com (3 hits), google-analytics.com (3 hits), doubleclick.net (4 hits), googleadservices.com (1 hit)
    facebook.net (1 hit), licdn.com (LinkedIn CDN, 1 hit)
    Policy claims EU data residency available but does not explain how marketing pixels align with this

third parties observed


vendor domain category hits disclosure
AdRoll adroll.com advertising 2 not named
AddToAny addtoany.com social 2 not named
AppNexus adnxs.com advertising 2 not named
Facebook facebook.com social 3 not named
Facebook Pixel facebook.net advertising 1 not named
Google AdSense googlesyndication.com advertising 3 not named
Google Ads googleadservices.com advertising 1 not named
Google Analytics google-analytics.com analytics 3 not named
Google DoubleClick doubleclick.net advertising 4 not named
Google Tag Manager googletagmanager.com tag_manager 3 not named
Gravatar gravatar.com social 1 not named
LinkedIn linkedin.com social 2 not named
Marketo marketo.com analytics 3 not named
Marketo mktoresp.com analytics 1 not named
Microsoft Bing bing.com advertising 4 not named
Microsoft Clarity clarity.ms session_replay 3 not named
Mixpanel mixpanel.com analytics 1 not named
OpenX openx.net advertising 1 not named
Optimizely optimizely.com ab_testing 9 not named
Outbrain outbrain.com advertising 1 not named
Pinterest pinterest.com social 3 not named
PubMatic pubmatic.com advertising 1 not named
Reddit reddit.com social 2 not named
Rubicon Project rubiconproject.com advertising 1 not named
Taboola taboola.com advertising 1 not named
Twitter/X twitter.com social 1 not named
Twitter/X Ads Pixel ads-twitter.com advertising 1 not named
Twitter/X short URL t.co social 1 not named
33across.com 33across.com other 1 not named
3lift.com 3lift.com other 1 not named
6sc.co 6sc.co other 3 not named
AWS amazonaws.com hosting 5 not named
Adobe Typekit typekit.net fonts 1 not named
Bugsnag bugsnag.com error_tracking 2 not named
Cloudflare cloudflare.com cdn 1 not named
Cloudinary cloudinary.com cdn 1 not named
Google google.com other 15 not named
Google APIs googleapis.com api 3 not named
Google Static gstatic.com cdn 5 not named
Google User Content googleusercontent.com cdn 1 not named
LinkedIn CDN licdn.com cdn 1 not named
Rollbar rollbar.com error_tracking 2 not named
Sentry sentry.io error_tracking 2 not named
Stripe stripe.com payments 2 not named
Typeform typeform.com embed 2 not named
Vimeo vimeo.com video 1 not named
YouTube youtube.com video 3 not named
YouTube thumbnails ytimg.com cdn 1 not named
Zendesk zdassets.com chat_support 4 not named
Zendesk zendesk.com chat_support 3 not named
bidswitch.net bidswitch.net other 1 not named
bizible.com bizible.com other 2 not named
bizibly.com bizibly.com other 1 not named
capterra.com capterra.com other 1 not named
casalemedia.com casalemedia.com other 1 not named
crwdcntrl.net crwdcntrl.net other 1 not named
customer.io customer.io other 5 not named
customerioforms.com customerioforms.com other 2 not named
exelator.com exelator.com other 1 not named
framer.com framer.com other 7 not named
framerstatic.com framerstatic.com other 2 not named
framerusercontent.com framerusercontent.com other 89 not named
g2.com g2.com other 1 not named
g2crowd.com g2crowd.com other 2 not named
gist.build gist.build other 6 not named
gstatic.cn gstatic.cn other 1 not named
honeycomb.io honeycomb.io other 1 not named
imrworldwide.com imrworldwide.com other 1 not named
jsDelivr jsdelivr.net cdn 1 not named
kapa.ai kapa.ai other 2 not named
leandata.com leandata.com other 9 not named
liveblocks.io liveblocks.io other 2 not named
loom.com loom.com other 1 not named
marketo.net marketo.net other 1 not named
mxpnl.com mxpnl.com other 13 not named
myfonts.net myfonts.net other 1 not named
navattic.com navattic.com other 1 not named
oribi.io oribi.io other 1 not named
pinimg.com pinimg.com other 1 not named
qualified.com qualified.com other 8 not named
reCAPTCHA recaptcha.net other 5 not named
redditstatic.com redditstatic.com other 2 not named
rive.app rive.app other 2 not named
rlcdn.com rlcdn.com other 1 not named
run.app run.app other 1 not named
sendbird.com sendbird.com other 3 not named
sentry-cdn.com sentry-cdn.com other 3 not named
singular.net singular.net other 2 not named
sitescout.com sitescout.com other 1 not named
smartnews-ads.com smartnews-ads.com other 3 not named
spline.design spline.design other 1 not named
sprig.com sprig.com other 1 not named
trustarc.com trustarc.com other 8 not named
truste.com truste.com other 1 not named
turn.com turn.com other 1 not named
unpkg unpkg.com cdn 2 not named
walmart.com walmart.com other 1 not named
wp.com wp.com other 1 not named
wpengine.com wpengine.com other 4 not named
wpenginepowered.com wpenginepowered.com other 4 not named
yahoo.com yahoo.com other 1 not named
yimg.jp yimg.jp other 1 not named
youtube-nocookie.com youtube-nocookie.com other 2 not named
zoominfo.com zoominfo.com other 2 not named
zopim.com zopim.com other 3 not named
zopim.io zopim.io other 2 not named

policy claims


source · https://mixpanel.com/security-privacy/

collects pii: yes
shares 3p: not stated
sells data: not stated
cookies: not stated
analytics: not stated
advertising: not stated

response headers


hsts: yes
csp: yes
server: nginx

run this yourself


Every audit on this site is reproducible. Install stackpeek and run the same check against https://mixpanel.com from your own machine — the tool is MIT-licensed and runs locally.

pip install stackpeek
stackpeek audit https://mixpanel.com


provenance


This audit was generated by running stackpeek against https://mixpanel.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.