audit report
Monday.com
monday.com's privacy policy claims broadly align with observed behavior: the policy discloses cookies, analytics and advertising technology, and the observed third parties (Google Tag Manager, Cloudflare Web Analytics, Cloudinary CDN) fall within those stated categories even where the vendor itself is not named. The policy explicitly discloses data enrichment from LinkedIn, ZoomInfo, Clearbit, Cognism, and Lusha, and states that data is not sold under CCPA. However, Google Tag Manager is loaded while Google is mentioned only generically as a service provider; the policy names neither Google Analytics nor any other specific Google service that receives data. Cloudflare Web Analytics is loaded but absent from the named third-party list. The scanned page sends no Content-Security-Policy header even though the policy describes handling contact and billing data, and the purpose of individual cookies (experiment_visitor_id, the t_* tokens) is not documented beyond the policy's general analytics and marketing categories.
claim vs. reality
“We collect or generate the following categories of personal data in relation to the Services”
observed · html: Cloudflare Web Analytics
findings
- warn
Observed vendors not named in policy
The policy names some third parties but omits these observed vendors. Undeclared: Cloudflare Web Analytics.
how we detected this → Cloudflare Web Analytics loaded (observed); not in the policy's named third-party list
- warn
Google Tag Manager loaded but Google services not explicitly named
Google Tag Manager is active on the site (1 hit to googletagmanager.com), yet the policy lists 'Google' only as a generic service provider without specifying which Google products or services receive user data. GTM is a container that loads whatever tags are configured in it, commonly Google Analytics and advertising tags, so the policy should state which downstream Google services receive data. The tags GTM loads at runtime are not visible in the static HTML this audit inspects, so the observed hit is a lower bound on the Google services involved.
how we detected this → googletagmanager.com loaded (observed); policy names 'Google' but does not say which Google services receive data; Google Analytics is a common GTM downstream service but is not mentioned
- note
Cloudflare Web Analytics loaded (analytics)
Observed 1 time(s) on the page.
how we detected this → script src: https://static.cloudflareinsights.com/beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015
- note
Google Tag Manager loaded (tag_manager)
Observed 1 time(s) on the page.
how we detected this → <iframe> src: https://www.googletagmanager.com/ns.html?id=GTM-WMDX8GX
- note
No Content-Security-Policy header
A CSP header restricts which origins the page may load scripts and other resources from, and where it may send data. Its absence is not a policy mismatch but is worth noting in a transparency report.
how we detected this → no Content-Security-Policy response header on the scanned URL (has_csp: false)
- note
Cloudflare Web Analytics active but not explicitly disclosed in policy
cloudflareinsights.com was detected (1 hit), indicating Cloudflare Web Analytics is in use. The policy mentions Cloudflare only in the context of the __cf_bm cookie; it does not list Cloudflare's analytics service among the named third-party vendors or describe what analytics data is shared with it.
how we detected this → cloudflareinsights.com loaded (observed); __cf_bm and _cfuvid cookies set (Cloudflare bot management); policy mentions Cloudflare only for the __cf_bm cookie, not its analytics service
- note
Cookie purpose transparency gap
Multiple cookies are set (experiment_visitor_id, t_8037, t_8101, t_9007, t_9307) whose purposes cannot be inferred from their names. The policy states cookies are used for performance, personalization, and marketing, but does not map individual cookie names to specific purposes, so users cannot tell what each token tracks.
how we detected this → 7 cookies set, with names that give few clues to purpose; policy uses broad categories (analytics, marketing, personalization) rather than cookie-by-cookie disclosure
- note
No Content Security Policy despite sensitive data handling
The scanned page lacks a CSP header (has_csp: false) while the policy describes collecting contact information, billing details, and login credentials. A CSP (script-src, connect-src, form-action) limits what an injected script can load and where it can send data, so it reduces the impact of XSS and data exfiltration; its absence is a minor gap relative to the data sensitivity the policy describes. The check covered only the public page at https://monday.com; login and billing pages were not scanned and may set their own headers.
how we detected this → has_csp: false (observed); policy discloses collection of login credentials and billing details
- info
Google Tag Manager: disclosed in policy
The policy names Google, the vendor behind this tag, though not Google Tag Manager itself; the observed loads are attributable to a named third party. The vendor table below records the same load as 'not named' because 'Google Tag Manager' does not itself appear in the policy.
how we detected this → googletagmanager.com loaded (observed); 'Google' appears in the policy's named third parties
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| Cloudflare Web Analytics | cloudflareinsights.com | analytics | 1 | not named |
| Google Tag Manager | googletagmanager.com | tag_manager | 1 | not named |
| Cloudinary | cloudinary.com | cdn | 78 | not named |
| Website Files | website-files.com | hosting | 221 | not named |
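The detection logic this report relies on, as an added example that is not stackpeek's code: a parser that collects externally loaded resources from page HTML, groups them by vendor, and marks each vendor named, parent named or not named against the policy's named third-party list, plus a helper that turns the same observations into a first-draft CSP for the CSP findings above. The vendor signature table, the DIRECTIVE_FOR_TAG mapping, the first-party domain handling and SAMPLE_HTML (including the placeholder GTM-XXXXXXX container id) are assumptions constructed for the example; NAMED_THIRD_PARTIES is the list from the policy claims section.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host suffix -> (vendor, category, parent company). Assumed mapping covering
# only the hosts seen in this audit; a real scanner keeps a large signature set.
VENDOR_SIGNATURES = {
    "cloudflareinsights.com": ("Cloudflare Web Analytics", "analytics", "Cloudflare"),
    "googletagmanager.com": ("Google Tag Manager", "tag_manager", "Google"),
    "cloudinary.com": ("Cloudinary", "cdn", "Cloudinary"),
    "website-files.com": ("Website Files", "hosting", "Website Files"),
}
# CSP directive that governs a resource loaded by each tag type.
DIRECTIVE_FOR_TAG = {"script": "script-src", "iframe": "frame-src",
                     "img": "img-src", "link": "style-src"}
# Named third parties, taken from the policy claims section of this report.
NAMED_THIRD_PARTIES = ["Google", "LinkedIn", "ZoomInfo", "Clearbit",
                       "Cognism", "Lusha", "VeraSafe"]
# Constructed sample page; not the HTML stackpeek fetched from monday.com.
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="https://assets.website-files.com/site.css">
<script src="https://static.cloudflareinsights.com/beacon.min.js" defer></script>
<script src="/static/app.js"></script>
</head><body>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-XXXXXXX"></iframe></noscript>
<img src="https://res.cloudinary.com/demo/image/upload/hero.png">
<img src="https://res.cloudinary.com/demo/image/upload/logo.png">
<img src="https://cdn.monday.com/icon.png">
</body></html>"""


class ResourceCollector(HTMLParser):
    """Record (tag, url) for every resource the browser would fetch."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "img") and a.get("src"):
            self.resources.append((tag, a["src"]))
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower() and a.get("href"):
            self.resources.append((tag, a["href"]))


def observed_resources(html, first_party):
    """Yield (tag, host) for third-party loads; relative and first-party URLs are skipped."""
    collector = ResourceCollector()
    collector.feed(html)
    for tag, url in collector.resources:
        host = urlparse(url).hostname  # None for relative URLs
        if host and host != first_party and not host.endswith("." + first_party):
            yield tag, host


def audit_third_parties(html, first_party, named_third_parties):
    """Rows like the 'third parties observed' table above, one per vendor domain."""
    named = {n.lower() for n in named_third_parties}
    rows = {}
    for _tag, host in observed_resources(html, first_party):
        key, vendor, category, parent = host, None, "unknown", None
        for suffix, (v, c, p) in VENDOR_SIGNATURES.items():
            if host == suffix or host.endswith("." + suffix):
                key, vendor, category, parent = suffix, v, c, p
        # "parent named" is the Google Tag Manager situation in this report: the
        # policy names Google but not the specific Google product observed.
        if vendor and vendor.lower() in named:
            disclosure = "named"
        elif parent and parent.lower() in named:
            disclosure = "parent named"
        else:
            disclosure = "not named" if vendor else "unidentified"
        row = rows.setdefault(key, {"vendor": vendor, "domain": key, "category": category,
                                    "hits": 0, "disclosure": disclosure})
        row["hits"] += 1
    return [rows[k] for k in sorted(rows)]


def draft_csp(html, first_party):
    """Starting-point CSP that allowlists only the third-party hosts seen in the static HTML.
    Tags GTM injects at runtime, inline scripts and beacon endpoints (connect-src) are
    invisible here, so deploy it as Content-Security-Policy-Report-Only first."""
    sources = {}
    for tag, host in observed_resources(html, first_party):
        sources.setdefault(DIRECTIVE_FOR_TAG[tag], set()).add("https://" + host)
    parts = ["default-src 'self'"]
    for directive in sorted(sources):
        parts.append(directive + " 'self' " + " ".join(sorted(sources[directive])))
    return "; ".join(parts)


if __name__ == "__main__":
    for row in audit_third_parties(SAMPLE_HTML, "monday.com", NAMED_THIRD_PARTIES):
        print(row)
    print(draft_csp(SAMPLE_HTML, "monday.com"))
```

On the constructed sample the Google Tag Manager row comes out as 'parent named' and Cloudflare Web Analytics as 'not named', which is the distinction behind the info finding and the table row above disagreeing on GTM. Two caveats when reproducing the header findings: a CSP can also be delivered in a `<meta http-equiv="Content-Security-Policy">` tag, which a header-only check like has_csp misses, and the draft policy from draft_csp will need a connect-src entry for the cloudflareinsights.com beacon and a nonce or hash strategy for the GTM snippet before it can be enforced.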
policy claims
source · https://monday.com/l/privacy/privacy-policy/
- collects pii: yes
- shares 3p: yes
- sells data: no
- cookies: yes
- analytics: yes
- advertising: yes
named third parties (7)
Google, LinkedIn, ZoomInfo, Clearbit, Cognism, Lusha, VeraSafe
retention
monday.com retains personal data for as long as reasonably needed to maintain relationships and provide services, to comply with legal and contractual obligations, or to protect against disputes. Retention periods are determined based on data sensitivity, risk, processing purposes, and applicable legal requirements.
user rights
Users have rights to access, rectify, erase, restrict, or object to processing of personal data; to port data; to non-discrimination in services/prices; and to lodge complaints with supervisory authorities. Requests should be submitted to privacy@monday.com. Authorized agents may submit requests on behalf of users.
response headers
- hsts: yes
- csp: no
- server: cloudflare
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://monday.com from your own machine — the tool is MIT-licensed and runs locally.
pip install stackpeek
stackpeek audit https://monday.com
provenance
This audit was generated by running stackpeek against https://monday.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.