audit report
1Password
1Password loaded 28 third-party domain(s), of which 7 are privacy-sensitive. 2 mismatch finding(s): Policy says no advertising, but ad trackers were loaded; Policy says no third-party sharing, but third parties received requests. Privacy-sensitive vendors observed: 6sense, Google Analytics, Google DoubleClick, LinkedIn, Ninetailed, The Trade Desk.
claim vs. reality
“We collect information about: Your 1Password account... Your usage... You: Your IP address, the devices connected to your account, and the name, email address, and profile pictures”
observed · html
The Trade Desk
findings
- mismatch
Policy says no advertising, but ad trackers were loaded
The policy states no advertising partners, but the following ad/tracking vendors were observed: The Trade Desk, Google DoubleClick.
how we detected this → The Trade Desk; Google DoubleClick
- mismatch
Policy says no third-party sharing, but third parties received requests
The policy claims data is not shared with third parties, but the page loaded resources from third-party domains that can observe user behavior.
how we detected this → 6sense (tracking); The Trade Desk (advertising); Google DoubleClick (advertising)
- note
6sense loaded (tracking)
Observed 4 time(s) on the page.
how we detected this → CSP: https://c.6sc.co; CSP: https://ipv6.6sc.co; CSP: https://b.6sc.co
- note
The Trade Desk loaded (advertising)
Observed 3 time(s) on the page.
how we detected this → CSP: https://insight.adsrvr.org; CSP: https://match.adsrvr.org
- note
Google DoubleClick loaded (advertising)
Observed 2 time(s) on the page.
how we detected this → CSP: https://cm.g.doubleclick.net; CSP: https://stats.g.doubleclick.net
- note
Google Analytics loaded (analytics)
Observed 2 time(s) on the page.
how we detected this → CSP: https://www.google-analytics.com
- note
LinkedIn loaded (social)
Observed 2 time(s) on the page.
how we detected this → CSP: https://px.ads.linkedin.com; CSP: https://px.ads.linkedin.com/
- note
Ninetailed loaded (ab_testing)
Observed 2 time(s) on the page.
how we detected this → CSP: https://experience.ninetailed.co; CSP: https://ingest.insights.ninetailed.co
- note
6sense loaded (tracking)
Observed 1 time(s) on the page.
how we detected this → CSP: https://epsilon.6sense.com
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| 6sense | 6sc.co | tracking | 4 | not named |
| 6sense | 6sense.com | tracking | 1 | not named |
| Google Analytics | google-analytics.com | analytics | 2 | not named |
| Google DoubleClick | doubleclick.net | advertising | 2 | not named |
| LinkedIn | linkedin.com | social | 2 | not named |
| Ninetailed | ninetailed.co | ab_testing | 2 | not named |
| The Trade Desk | adsrvr.org | advertising | 3 | not named |
| 1Password | 1passwordservices.com | auth | 6 | not named |
| 1Password | 1password.ca | auth | 2 | not named |
| 1Password | 1password.eu | auth | 2 | not named |
| 1Password | 1pstage.com | auth | 1 | not named |
| Contentful CDN | ctfassets.net | cdn | 25 | not named |
| Datadog | browser-intake-datadoghq.com | error_tracking | 1 | not named |
| Figma | figma.com | embed | 1 | not named |
| | google.com | other | 3 | not named |
| LiveChat | livechatinc.com | chat_support | 2 | not named |
| Mountain | mountain.com | other | 1 | not named |
| Reprise | getreprise.com | other | 1 | not named |
| Simplecast | simplecast.com | video | 1 | not named |
| Stripe | stripe.com | payments | 1 | not named |
| Transcend | transcend-cdn.com | cdn | 9 | not named |
| Transcend | sync-transcend-cdn.com | cdn | 1 | not named |
| Transcend | transcend.io | other | 1 | not named |
| Unleash | unleash-hosted.com | feature_flags | 1 | not named |
| Vimeo | vimeo.com | video | 1 | not named |
| YouTube | youtube-nocookie.com | video | 3 | not named |
| Zendesk | zendesk.com | chat_support | 1 | not named |
| unpkg | unpkg.com | cdn | 1 | not named |
policy claims
source · https://support.1password.com/1password-privacy/
- collects pii: yes
- shares 3p: no
- sells data: no
- cookies: not stated
- analytics: yes
- advertising: no
retention
Data in active systems is retained for service provision. Secure and immutable backups are maintained for disaster recovery and data availability, which are left untouched unless legally compelled to remove information.
user rights
Users have the right to export their information at any time, access what 1Password knows about them, have their information erased (account deletion required first, with authenticated request), and control their personal information by contacting 1Password. Deletion requests leave disaster recovery backups untouched unless legally compelled.
response headers
- hsts: yes
- csp: yes
- server: cloudflare
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://1password.com from your own machine — the tool is MIT-licensed and runs locally.
pip install stackpeek
stackpeek audit https://1password.com
provenance
This audit was generated by running stackpeek against https://1password.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.