audit report
Retool
Retool's privacy policy accurately discloses its use of analytics, advertising, and third-party service providers. The observed tech stack (Google Tag Manager, Intellimize A/B testing, Stripe) aligns with the policy's claims of analytics, advertising, and payments, and the policy explicitly permits third-party advertising networks and A/B testing. However, the policy names only Google Analytics among analytics vendors, while GTM is the actual collection infrastructure; GTM is a tag container that can deploy multiple vendors. No CSP header was observed despite security claims mentioning "two-factor authentication" and "physical audit logs"; the absence of CSP is a defensive posture gap that isn't disclosed.
claim vs. reality
“you or our Customer may supply Retool with an email address, username, first and last name, your company's name, your (and/or your company's) physical address and other account set up details”
findings
- warn
Observed vendors not named in policy
The policy names some third parties but omits these observed vendors. Undeclared: Intellimize, Google Tag Manager, Intellimize.
how we detected this:
- Intellimize
- Google Tag Manager
- Intellimize
- note
Intellimize loaded (ab_testing)
Observed 3 times on the page.
how we detected this:
- link preconnect: https://api.intellimize.co
- link preconnect: https://log.intellimize.co
- link preconnect: https://cdn.intellimize.co
- note
Google Tag Manager loaded (tag_manager)
Observed 1 time on the page.
how we detected this:
- link preload: https://www.googletagmanager.com/gtm.js?id=GTM-WHDC2N5
- note
Intellimize loaded (ab_testing)
Observed 1 time on the page.
how we detected this:
- link preconnect: https://117371543.intellimizeio.com
- note
No Content-Security-Policy header
A CSP header restricts what scripts the page can load. Its absence isn't a policy mismatch but is worth noting in a transparency report.
how we detected this: (none recorded)
- note
Google Tag Manager used as analytics infrastructure, not explicitly named
Policy names 'Google Analytics' as a specific third party but doesn't mention Google Tag Manager (GTM), which is the actual script container loading on the site. GTM is deployed on 91 CloudFront hits and 1 googletagmanager.com hit. While GTM isn't itself a data broker, it is the infrastructure layer; the policy should explicitly disclose GTM as part of its analytics architecture for full transparency.
how we detected this:
- googletagmanager.com present in third-party list
- Policy claims 'uses_analytics: true' and names 'Google Analytics' only
- GTM is a tag management system, not the analytics vendor itself
- note
A/B testing vendor (Intellimize) not named in privacy policy
Intellimize appears twice in the tech stack (intellimize.co and intellimizeio.com, 4 total hits), indicating A/B testing personalization. The policy states 'uses_advertising: true' and mentions third-party information sharing, but does not specifically name Intellimize or disclose A/B testing as a collection practice. This is a disclosure gap even though the general category of third-party sharing is mentioned.
how we detected this:
- intellimize.co and intellimizeio.com in third-party domains
- No mention of Intellimize or A/B testing in policy_claims list of named_third_parties
- Policy permits 'third-party online advertising networks to collect information through cookies' but doesn't name this vendor
- info
CSP header absent despite security-focused claims
Policy emphasizes security measures ('round-the-clock data center security, fully redundant power systems, two-factor authentication, and physical audit logs'). However, no Content Security Policy (CSP) header is set on the site. CSP is a standard defensive control that mitigates XSS and injection attacks. Its absence isn't a privacy violation per se, but it is a disconnect between the security claims and the observable hardening.
how we detected this:
- has_csp: false in observation
- Policy claims 'Our data centers have round-the-clock security, fully redundant power systems, two-factor authentication, and physical audit logs'
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| Google Tag Manager | googletagmanager.com | tag_manager | 1 | not named |
| Intellimize | intellimize.co | ab_testing | 3 | not named |
| Intellimize | intellimizeio.com | ab_testing | 1 | not named |
| AWS CloudFront | cloudfront.net | cdn | 91 | not named |
| Stripe | stripe.com | payments | 2 | not named |
policy claims
source · https://docs.retool.com/legal/privacy-policy
- collects pii: yes
- shares 3p: yes
- sells data: no
- cookies: yes
- analytics: yes
- advertising: yes
named third parties (2)
Google Workspace, Google Analytics
retention
Customer Data is retained per customer's instructions and applicable law. Other Information is retained as long as reasonably necessary for stated purposes, with additional retention for legal compliance and business interests after account deactivation.
user rights
Users in EEA, UK, and Brazil can request access, update, correction, or deletion of personal data by emailing dpo@retool.com. Users have the right to object to processing based on legitimate interests and to opt out of direct marketing. California consumers have additional CCPA rights including right to know, delete, and opt out of data sales.
response headers
- hsts: yes
- csp: no
- server: Vercel
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://retool.com from your own machine; the tool is MIT-licensed and runs locally.

```shell
pip install stackpeek
stackpeek audit https://retool.com
```

provenance
This audit was generated by running stackpeek against https://retool.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.