audit report
Plausible
Plausible Analytics' privacy policy claims no tracking of personal data on their public website, and the technical audit confirms this: no third-party trackers are loaded, no cookies are set, and only self-hosted Plausible analytics (their own product) is present. The policy accurately discloses use of named third-party vendors for essential services (hosting, email, payments, support), explicitly forbids data selling and advertising, and guarantees EU-only data processing. The claims are well-supported by observed behavior.
claim vs. reality
“An email address is required to create an account.”
observed · html
Plausible findings
- warn: No HSTS header
  The response did not include a Strict-Transport-Security header. Users on a compromised network could be downgraded to plaintext HTTP.
- warn: Observed vendors not named in policy
  The policy names some third parties but omits these observed vendors. Undeclared: Plausible.
- note: Plausible loaded (analytics)
  Observed 1 time(s) on the page.
  how we detected this: inline script text `text":"https://schema.org","@type":"WebSite","description":"Plausible is a lightweight and open-source Google Analytics alternati`
- note: No Content-Security-Policy header
  A CSP header restricts what scripts the page can load. Its absence isn't a policy mismatch but is worth noting in a transparency report.
- note: Missing HSTS and CSP security headers
  The policy emphasizes 'All of the data that we collect is kept fully secured' and promises a strong security posture, yet the site does not implement HSTS (HTTP Strict-Transport-Security) or CSP (Content-Security-Policy) headers. These are standard defensive security measures expected from a privacy-focused company handling sensitive customer data.
  how we detected this: has_hsts: false; has_csp: false. Policy quote: 'All of the data that we collect is kept fully secured, encrypted'
- info: Self-hosted analytics consistency check
  The policy states 'We use Plausible Analytics to collect some anonymous usage data for statistical purposes' on their own website. The tech audit confirms that only the plausible.io domain (their own service) is loaded, and no cookies are set on the visitor. This aligns with the claim that visitor data is collected for statistical purposes with no persistent identification.
  how we detected this: only the 'plausible.io' domain detected in the third-party list (self-hosted); cookies_set: [] (no cookies set on visitor). Policy quote: 'The goal is to track overall trends in our website traffic, not to track individual visitors.'
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| Plausible | plausible.io | analytics | 1 | not named |
policy claims
source · https://plausible.io/privacy
- collects pii: yes
- shares 3p: yes
- sells data: no
- cookies: yes
- analytics: yes
- advertising: no
named third parties (11)
Hetzner, Bunny, UpCloud, Paddle, Postmark, Gravatar, DuckDuckGo, Help Scout, Nolt, hCaptcha, Mailchimp
retention
Data is retained for as long as the account is active and as necessary to provide the service. Personal data is not retained longer than necessary unless required by law. All data is permanently deleted without undue delay upon account deletion.
user rights
Users have the right to access personal data, correct inaccurate data, request deletion, and object to processing where applicable. To exercise these rights, contact privacy@plausible.io.
response headers
- hsts: no
- csp: no
- server: BunnyCDN-TX1-1343
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://plausible.io from your own machine — the tool is MIT-licensed and runs locally.
```
pip install stackpeek
stackpeek audit https://plausible.io
```
provenance
This audit was generated by running stackpeek against https://plausible.io from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.