audit report
Railway
Railway loaded 3 third-party domain(s), of which 1 is privacy-sensitive. 1 mismatch finding(s): Google Tag Manager deployment not disclosed in privacy policy. Privacy-sensitive vendors observed: Google Tag Manager.
claim vs. reality
“We collect Personal Data about you from the following categories of sources: You...When you provide such information directly to us...When you use the Services and such information is collected automatically.”
observed · html
Third-party detection: googletagmanager.com with 2 hits
findings
- mismatch
Google Tag Manager deployment not disclosed in privacy policy
The site loads googletagmanager.com (2 hits) and contains inline Google Tag Manager code patterns, but the privacy policy never mentions GTM by name. It only references 'analytics providers' and specifically names Google Analytics. GTM is a tag management container that can dynamically load third-party pixels and tracking—its presence materially expands the scope of data sharing and should be explicitly disclosed.
how we detected this →
Third-party detection: googletagmanager.com with 2 hits
Inline pattern detected: 'Google Tag Manager'
Policy text only mentions: 'analytics providers to analyze how you interact' and explicitly names 'Google Analytics'
- warn
No HSTS header
The response did not include a Strict-Transport-Security header. Users on a compromised network could be downgraded to plaintext HTTP.
how we detected this →
- warn
Observed vendors not named in policy
The policy names some third parties but omits these observed vendors. Undeclared: Google Tag Manager.
how we detected this →
Google Tag Manager
- warn
Claim of 'only Essential Cookies' contradicts tracking infrastructure
The policy states 'We only place Essential Cookies on our website. Essential Cookies are required for providing you with features or services that you have requested.' However, Google Tag Manager by design is a tracking and analytics tool, not essential functionality. GTM typically loads additional tracking pixels and cookies beyond what's essential for core service delivery. The policy's blanket claim about Essential Cookies only is therefore misleading given the GTM implementation.
how we detected this →
Policy quote: 'We only place Essential Cookies on our website.'
Observed: Google Tag Manager and GA4 inline code deployed
No mention of GTM consent or justification as 'essential'
- note
Google Tag Manager loaded (tag_manager)
Observed 2 time(s) on the page.
how we detected this →
inline: window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date());
inline: window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(
- note
Consent and granularity unclear for analytics
The policy does not specify whether Google Analytics or GTM require user consent, or whether users can opt out. It describes analytics as something 'we may use' but provides no mechanism or granular control information. Given GTM's flexibility to load arbitrary vendors, clarity on what data flows to which third parties and consent options would strengthen transparency.
how we detected this →
Policy uses permissive language: 'We may use analytics providers'
No mention of opt-out, consent mechanics, or granular control
GTM deployment allows dynamic third-party tag loading not individually enumerated
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| Google Tag Manager | googletagmanager.com | tag_manager | 2 | not named |
| Google APIs | googleapis.com | api | 5 | not named |
| Google Static | gstatic.com | cdn | 1 | not named |
policy claims
source · https://railway.app/legal/privacy
- collects pii: yes
- shares 3p: yes
- sells data: no
- cookies: yes
- analytics: yes
- advertising: no
named third parties (2)
Stripe, Inc., Google Analytics
retention
Railway retains Personal Data for as long as necessary to provide Services or fulfill business purposes. Profile information retained while account is active; payment data retained as long as needed to process purchases; device/IP data retained to ensure system functionality. Data may be retained longer if required by law or to resolve disputes.
user rights
Users have rights to access, delete, and correct their Personal Data. California residents have additional rights including access to categories of data collected and purposes. EU/UK residents have rights to access, rectification, erasure, portability, objection, and restriction of processing. Users can submit requests by email at [email protected].
response headers
- hsts: no
- csp: yes
- server: cloudflare
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://railway.app from your own machine — the tool is MIT-licensed and runs locally.
pip install stackpeek
stackpeek audit https://railway.app
provenance
This audit was generated by running stackpeek against https://railway.app from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.