audit report
Netlify
Netlify's privacy policy and observed tech stack align on core points: the site loads Google Tag Manager and GA4 (which the policy explicitly discloses), HubSpot forms (consistent with marketing/support disclosures), and Cookielaw (consistent with cookie consent claims). The policy comprehensively discloses cookie usage, third-party sharing with service providers, and advertising practices. However, the policy lacks specificity about which named vendors actually receive data: it mentions GitHub, GitLab, and Bitbucket as integrations but doesn't clarify whether these receive personal data routinely or only when users actively invoke them, creating ambiguity about the scope of "sharing." The AI/ML opt-in clause is clearly stated, and the observed data provides no evidence of a breach of it.
claim vs. reality
“when you register for an account with Netlify, we collect information that identifies you such as your name, username, email address, and password”
observed · html
Google Tag Manager findings
- warn
Observed vendors not named in policy
The policy names some third parties but omits these observed vendors. Undeclared: Google Tag Manager.
how we detected this → Google Tag Manager
- note
Google Tag Manager loaded (tag_manager)
Observed 4 time(s) on the page.
how we detected this → inline: window.dataLayer = window.dataLayer || []; function gtag() { dataLayer.push(arguments); } gtag('consent', 'd inline: window.dataLayer = window.dataLayer || []; function gtag() { dataLayer.p inline: (function(){const id = "G-X2FMMZSSS9"; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); g
- note
No Content-Security-Policy header
A CSP header restricts what scripts the page can load. Its absence isn't a policy mismatch but is worth noting in a transparency report.
how we detected this →
- note
Vague integration-sharing scope
The policy states Netlify 'may share your Personal Data with such third parties' when users 'choose to interact with' third-party tools, but doesn't specify whether data sharing is automatic during integration setup or only during active use. The named integrations (GitHub, GitLab, Bitbucket) may involve routine OAuth/SSO flows rather than distinct data-sharing events, yet the policy lumps both under the optional 'choose to interact' language, obscuring when sharing actually occurs.
how we detected this → Policy claim: 'if you choose to interact with, activate, or otherwise use third-party tools, we may share your Personal Data with such third parties'. The named third parties list includes GitHub, GitLab, Bitbucket without clarifying whether they're always recipients or only when users explicitly activate them.
- note
Service provider list lacks specificity
The policy broadly lists categories of service providers ('IT and system administration and hosting, credit card processing, research and analytics, marketing, events planning, customer support') but doesn't name which vendors fall into each category. For example, it's unclear whether Google Tag Manager/GA4 (observed) are categorized as 'research and analytics' service providers or as separate consent-requiring vendors.
how we detected this → Policy generically describes 'with our contracted service providers, who provide services such as IT and system administration and hosting, credit card processing, research and analytics, marketing...'. Observed vendors (Google Tag Manager, HubSpot) are not explicitly named in the named_third_parties list.
- info
CSP header missing despite complex third-party footprint
The site loads multiple third parties (Google Tag Manager, HubSpot forms, Cookielaw) but has no CSP header. While this doesn't contradict the privacy policy, it represents a security-relevant gap: a CSP would restrict which script origins the browser executes, limiting the impact of unauthorized injection of tracking or form scripts.
how we detected this → Observation shows has_csp: false. Third-party vendors observed: googletagmanager.com, hsforms.net, cookielaw.org
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| Google Tag Manager | googletagmanager.com | tag_manager | 4 | not named |
| Cookielaw | cookielaw.org | other | 2 | not named |
| HubSpot | hsforms.net | embed | 1 | not named |
policy claims
source · https://netlify.com/privacy/
- collects pii: yes
- shares 3p: yes
- sells data: no
- cookies: yes
- analytics: yes
- advertising: yes
named third parties (5)
GitHub, GitLab, Bitbucket, European Commission, U.S. Department of Commerce
retention
Data is retained for a period consistent with the original purpose of collection or as long as required to fulfill legal obligations. Retention periods are determined based on the amount, nature, sensitivity of the data, potential risk of harm, and applicable legal requirements.
user rights
Users may access, rectify, erase, or restrict processing of their personal data; transfer data to another controller; object to processing; opt out of third-party disclosures; withdraw consent; and not be subject to automated decision-making. Requests should be submitted to privacy@netlify.com and Netlify aims to respond within one month.
response headers
- hsts: yes
- csp: no
- server: Netlify
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://netlify.com from your own machine — the tool is MIT-licensed and runs locally.
pip install stackpeek
stackpeek audit https://netlify.com
provenance
This audit was generated by running stackpeek against https://netlify.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.