stackpeek

audit report

Render

https://render.com · hosting

warn
scanned 2026-04-16 23:35:39 utc permalink · /audit/render

Render's privacy policy claims comprehensive data collection (PII, payment data, device/IP, analytics, geolocation) and third-party sharing with service providers, ad networks, and analytics partners like Google and Stripe. The observed tech stack largely aligns with these claims: Google Tag Manager, Google Analytics, and Segment confirm analytics/tracking infrastructure; Sanity and Algolia support API operations; HubSpot and Salesloft support business functions. However, the policy discloses named third parties minimally (only Stripe, Google LLC, Google Analytics) while the actual stack includes many additional vendors (Segment, Ashby, GrowthBook, Inkeep, etc.) not explicitly named, creating a transparency gap. The site sets no observable cookies on the initial page load, despite claiming "essential, functional, performance/analytical, and retargeting/advertising cookies"—a discrepancy that may reflect timing (cookies set post-interaction) but remains unverified.

claim vs. reality


“Profile or Contact Data such as first and last name, email address, and password”

— Render privacy policy

observed · html

Google Tag Manager

findings


  1. warn

    Observed vendors not named in policy

    The policy names some third parties but omits these observed vendors. Undeclared: Google Tag Manager, Google AdSense, GrowthBook, LinkedIn, Segment (segment.com), Segment (segment.io).

    
                Google Tag Manager
    Google AdSense
    GrowthBook
              
  2. warn

    Named third parties significantly underrepresent actual vendor ecosystem

    The privacy policy names only three third parties: Stripe, Google LLC, and Google Analytics. However, the observed tech stack includes at least 22 distinct third-party domains across analytics (Segment), sales/recruitment (Ashby, Salesloft), testing/personalization (GrowthBook), support (Inkeep, HubSpot), and content management (Sanity). While some (Segment, Google) act as aggregators/pipelines to other vendors, the policy provides no visibility into this more complex data-sharing ecosystem. Users cannot assess all entities with data access.

    
                Policy named parties: Stripe, Google LLC, Google Analytics
    Observed domains: sanity.io (65 hits), googletagmanager.com, osano.com, salesloft.com, segment.com, ashbyhq.com, hsforms.com, inkeep.com, growthbook.io, and 13 others
              
  3. note

    Google Tag Manager loaded (tag_manager)

    Observed 5 time(s) on the page.

    
                inline: window.dataLayer=window.dataLayer||[];function a(){dataLayer.push(arguments)}
    inline: pt\",null,{\"dangerouslySetInnerHTML\":{\"__html\":\"window.dataLayer=window.dataLayer||[];function a(){dataLayer.push(arguments)}
    <iframe> src: https://www.googletagmanager.com/ns.html?id=GTM-N644GXSK
              
  4. note

    Google Analytics loaded (analytics)

    Observed 1 time(s) on the page.

    
                CSP: https://*.google-analytics.com
              
  5. note

    Google AdSense loaded (advertising)

    Observed 1 time(s) on the page.

    
                CSP: https://pagead2.googlesyndication.com
              
  6. note

    GrowthBook loaded (ab_testing)

    Observed 1 time(s) on the page.

    
                CSP: https://cdn.growthbook.io
              
  7. note

    LinkedIn loaded (social)

    Observed 1 time(s) on the page.

    
                CSP: https://*.linkedin.com
              
  8. note

    Segment loaded (analytics)

    Observed 1 time(s) on the page.

    
                CSP: https://*.segment.com
              
  9. note

    Segment loaded (analytics)

    Observed 1 time(s) on the page.

    
                CSP: https://*.segment.io
              
  10. note

    Ashby (recruitment platform) integration not disclosed

    Ashby HQ is loaded on the homepage but not mentioned in the privacy policy's third-party disclosures. This suggests HR/recruitment data collection (e.g., job application funnels, candidate tracking) that isn't explicitly acknowledged. Users visiting the careers page or interacting with job listings may have data shared with Ashby without clear notice.

    
                ashbyhq.com detected with 1 hit in tech stack
    No mention of Ashby in policy third-party section
              
  11. note

    Segment used as data aggregator but not explicitly named in policy

    Segment.com and Segment.io are detected (2 hits combined) but not named in the policy's third-party disclosures. Segment typically acts as a customer data platform routing events to multiple downstream vendors (analytics, advertising, CRM). The policy's claim to share with 'Analytics providers' and 'Advertising Partners' may flow through Segment, but this intermediary role is opaque to users.

    
                segment.com and segment.io detected in tech stack
    Policy mentions generic 'Analytics providers' and 'Advertising Partners' but not Segment by name
              
  12. note

    No observable cookies set on initial page load despite cookie policy claims

    The policy explicitly claims use of 'Essential Cookies, Functional Cookies, Performance/Analytical Cookies, Retargeting/Advertising Cookies,' but the observation shows zero cookies set. This may reflect lazy-loading or post-interaction cookie setting, but it means the cookie consent/notice flow (if any) is not evident from the initial page state, limiting user ability to make informed consent decisions upfront.

    
                cookies_set: [] in observation
    Policy claims: 'We use the following types of Cookies: Essential Cookies, Functional Cookies, Performance/Analytical Cookies, Retargeting/Advertising Cookies'
              
  13. info

    Google Analytics: disclosed in policy

    The policy names this vendor explicitly, matching what was observed.

  14. info

    Google AdSense (advertising) detected but policy frames advertising vaguely

    googlesyndication.com (Google AdSense) is loaded, confirming programmatic advertising. The policy discusses 'third-party ad networks' generically and reserves the right to serve 'interest-based advertisements' but does not name Google AdSense or explain how user behavioral data informs ad targeting on the site itself.

    
                googlesyndication.com detected (1 hit)
    Policy states: 'We may serve advertisements, and also allow third-party ad networks... to serve advertisements through the Services' without specific vendor identification
              

third parties observed


vendor              domain                 category        hits  disclosure
Google AdSense      googlesyndication.com  advertising     1     not named
Google Analytics    google-analytics.com   analytics       1     named
Google Tag Manager  googletagmanager.com   tag_manager     5     not named
GrowthBook          growthbook.io          ab_testing      1     not named
LinkedIn            linkedin.com           social          1     not named
Segment             segment.com            analytics       1     not named
Segment             segment.io             analytics       1     not named
AWS                 amazonaws.com          hosting         1     not named
Algolia             algolia.net            api             1     not named
Algolia             algolianet.com         api             1     not named
Ashby               ashbyhq.com            other           1     not named
Google              google.com             other           2     not named
Google APIs         googleapis.com         api             1     not named
Google Static       gstatic.com            cdn             1     not named
HubSpot             hsforms.com            other           1     not named
Inkeep              inkeep.com             chat_support    1     not named
LinkedIn CDN        licdn.com              cdn             1     not named
Osano               osano.com              other           4     not named
Report URI          report-uri.com         error_tracking  1     not named
Salesloft           salesloft.com          other           2     not named
Sanity              sanity.io              api             65    not named
Unify Intent        unifyintent.com        other           1     not named

policy claims


source · https://render.com/privacy

collects pii: yes
shares 3p: yes
sells data: yes
cookies: yes
analytics: yes
advertising: yes

named third parties (3)

Stripe, Inc., Google LLC, Google Analytics

retention

Render retains personal data as long as necessary to provide services or fulfill business purposes. Profile information and credentials are retained for the lifetime of user accounts. Device/IP data is retained as needed for system functionality. Data may be retained longer if required by law, to resolve disputes, or collect fees. Some data is retained in anonymous or aggregated form.

user rights

California residents can access, delete, and correct personal data, and opt-out of sales/shares via email (privacy@render.com) or Do Not Sell link. EU/UK residents have rights to access, rectification, erasure, withdraw consent, portability, objection, and restriction of processing. Nevada residents can opt-out of sales. All users can control cookies through browser settings.

response headers


hsts: yes
csp: yes
server: cloudflare

run this yourself


Every audit on this site is reproducible. Install stackpeek and run the same check against https://render.com from your own machine — the tool is MIT-licensed and runs locally.

pip install stackpeek
stackpeek audit https://render.com


provenance


This audit was generated by running stackpeek against https://render.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.