stackpeek

audit report

PostHog

https://posthog.com · product analytics

aligned
scanned 2026-04-16 23:32:26 utc permalink · /audit/posthog

PostHog's privacy policy and observed tech stack are largely consistent. The only third party observed is Cloudinary (an image CDN, not named in the policy); the policy claims no third-party cookies and explicitly states that it does not permit third-party tracking, which matches the observation that no cookies were set during the audit. The policy discloses sharing with named service providers (AWS, Salesforce, Slack, etc.) and states that users can opt out of sharing for targeted advertising. It accurately reflects the observed data collection (technical and voluntary), retention tied to the account lifecycle, and user rights of access and deletion. PostHog's stated avoidance of retargeting and invasive tracking is backed by the absence of ad tech in the observed stack.

findings


  1. note

    No Content-Security-Policy header

    A Content-Security-Policy header restricts which origins the page may load scripts and other resources from and, with nonces or hashes, which inline scripts may run. Its absence is not a policy mismatch, but it is worth noting in a transparency report: without a CSP, the 'no third-party tracking' result is a snapshot of what the page happened to load during this scan, not something the browser enforces on every visit.

  2. note

    Opt-out mechanism relies on single contact email

    While the policy states that users can opt out of data sharing for targeted advertising, the only mechanism it provides is a single email address (Brian@GetPostHog.com). This is more cumbersome than an automated unsubscribe flow and makes the opt-out depend on one mailbox being monitored. The policy does provide unsubscribe links for marketing emails, but the advertising opt-out has no comparable self-service path.

    Policy: 'You have the option to opt out of your personal information being sent to third-party platforms for targeted marketing or advertising purposes by sending an email to Brian@GetPostHog.com.'
    No automated opt-out mechanism observed in tech stack or policy
  3. note

    Indefinite retention of open-source contributions lacks clear scope limits

    The policy states that PostHog may retain personal information 'indefinitely' for open source project integrity, including data embedded in community contributions and GitHub issues. The practice is disclosed, but the phrase 'limited personal information' does not say what qualifies as limited, and no mechanism is described for users to request removal of personal data already embedded in a public contribution.

    Policy: 'we may retain limited personal information indefinitely in order to ensure transactional integrity... if you contribute to a PostHog project and provide your personal information in connection with that contribution, that information will be embedded and publicly displayed'
    No mechanism described for removing or redacting personal information from public contributions
  4. info

    No privacy-sensitive third parties detected

    No analytics, advertising, tracking, or session replay vendors were observed on this page.

  5. info

    Absence of Content Security Policy despite stated privacy commitment

    The site has HSTS enabled (good) but does not implement a Content Security Policy (CSP). Given PostHog's stated commitment to privacy and minimal third-party loading, a CSP whose script-src and connect-src allow only the origins the site actually uses would turn that commitment into something the browser enforces: an injected or compromised script could not pull in a tracker or send data to an unlisted host. That would reinforce the privacy posture beyond what a single scan can observe.

    Observation: has_csp = false
    Site uses Gatsby, which emits inline scripts by default; a CSP for it needs script nonces or hashes rather than 'unsafe-inline', otherwise inline script injection is still permitted

third parties observed


vendor       domain           category   hits   disclosure
Cloudinary   cloudinary.com   cdn        14     not named

policy claims


source · https://posthog.com/privacy

collects pii
yes
shares 3p
yes
sells data
no
cookies
yes
analytics
yes
advertising
yes

named third parties (10)

Amazon Web Services (AWS), Clay, GitHub, Google Cloud Platform, Google Workspace, Salesforce, Slack, Zendesk, Ashby, Giphy

retention

PostHog retains information as long as the user's account is active or as needed to perform contractual obligations, provide services, comply with legal obligations, resolve disputes, and enforce agreements. Limited personal information may be retained indefinitely for open source project integrity (e.g., community contributions, blog posts, GitHub issues).

user rights

Users have rights to access, correct, restrict, and delete their personal information. They can withdraw consent for marketing at any time via unsubscribe links or by contacting PostHog. Users have rights to data portability, objection to processing, and complaint to supervisory authorities. Deletion requests may be limited if information is necessary for legal compliance or to maintain project code integrity.

response headers


hsts
yes
csp
no
server
Vercel

run this yourself


Every audit on this site is reproducible. Install stackpeek and run the same check against https://posthog.com from your own machine — the tool is MIT-licensed and runs locally.

pip install stackpeek
stackpeek audit https://posthog.com

source on GitHub · methodology · cli docs

provenance


This audit was generated by running stackpeek against https://posthog.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.
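The comparison described above (third-party hosts in the served HTML, and the HSTS/CSP response headers, checked against the third parties the policy names), as an added example. This is not stackpeek's own code and does not reproduce its methodology exactly; it assumes a hypothetical VENDORS table and runs over constructed sample HTML and headers rather than a live fetch. It also goes one step beyond the report: where a Content-Security-Policy is present, it flags a script-src that lists 'unsafe-inline' without a nonce or hash, the case that matters for a Gatsby site whose inline scripts would otherwise force that weak setting.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical vendor table (host suffix -> vendor, category). Cloudinary is
# the one vendor this report actually observed; Google Analytics is illustrative.
VENDORS = {
    "cloudinary.com": ("Cloudinary", "cdn"),
    "google-analytics.com": ("Google Analytics", "analytics"),
}
PRIVACY_SENSITIVE = {"analytics", "advertising", "tracking", "session replay"}
INLINE_GUARDS = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

class _RefCollector(HTMLParser):
    """Collect URLs of tags that make the browser fetch a resource."""
    TAGS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(self.TAGS.get(tag, ""))
        if value:
            self.urls.append(value)

def external_hosts(html, page_url):
    """Count references to every host other than the page's own."""
    collector = _RefCollector()
    collector.feed(html)
    own = urlparse(page_url).hostname
    counts = {}
    for url in collector.urls:
        host = urlparse(url).hostname  # None for relative (same-origin) URLs
        if host and host != own:
            counts[host] = counts.get(host, 0) + 1
    return counts

def classify(hosts, named_in_policy):
    """Build the 'third parties observed' rows, aggregated per vendor domain."""
    rows = {}
    for host, hits in hosts.items():
        vendor, domain, category = host, host, "unknown"
        for suffix, (name, cat) in VENDORS.items():
            if host == suffix or host.endswith("." + suffix):
                vendor, domain, category = name, suffix, cat
        named = any(vendor.lower() in n.lower() for n in named_in_policy)
        row = rows.setdefault(domain, {"vendor": vendor, "domain": domain, "category": category,
                                       "hits": 0, "disclosure": "named" if named else "not named"})
        row["hits"] += hits
    return sorted(rows.values(), key=lambda r: r["domain"])

def parse_csp(value):
    """Split a CSP header into {directive: [source tokens]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def header_findings(headers):
    """Findings for the transport and script-loading posture."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append(("note", "No Strict-Transport-Security header"))
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("note", "No Content-Security-Policy header"))
        return findings
    directives = parse_csp(csp)
    script_src = directives.get("script-src", directives.get("default-src", []))
    # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is listed, so only
    # a script-src with neither actually permits arbitrary inline scripts.
    if "'unsafe-inline'" in script_src and not any(t.startswith(INLINE_GUARDS) for t in script_src):
        findings.append(("note", "CSP permits inline scripts ('unsafe-inline' without nonce/hash)"))
    return findings

def audit(page_url, html, headers, named_in_policy):
    """Return (third-party rows, findings) in the shape of this report."""
    rows = classify(external_hosts(html, page_url), named_in_policy)
    findings = header_findings(headers)
    sensitive = [r["vendor"] for r in rows if r["category"] in PRIVACY_SENSITIVE]
    if sensitive:
        findings.append(("note", "Privacy-sensitive third parties: " + ", ".join(sensitive)))
    else:
        findings.append(("info", "No privacy-sensitive third parties detected"))
    return rows, findings

# Constructed sample inputs (not captured from posthog.com).
NAMED_IN_POLICY = ["Amazon Web Services (AWS)", "GitHub", "Salesforce", "Slack"]
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/styles.css">
<script src="/app.js"></script></head><body>
<img src="https://res.cloudinary.com/demo/a.png">
<img src="//res.cloudinary.com/demo/b.png"></body></html>"""
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=63072000", "Server": "Vercel"}

ROWS, FINDINGS = audit("https://posthog.com", SAMPLE_HTML, SAMPLE_HEADERS, NAMED_IN_POLICY)
```

On the constructed sample this reproduces the shape of the report above: one CDN row marked 'not named', a 'No Content-Security-Policy header' note, and 'No privacy-sensitive third parties detected'. Feed header_findings a Content-Security-Policy whose script-src carries 'unsafe-inline' with no nonce or hash and it reports that weakness rather than treating any CSP as a pass; add a tracker host to the HTML and the info line becomes a note naming the vendor.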