audit report
Segment
Twilio's privacy policy explicitly commits to collecting and sharing personal data with third parties for service delivery, analytics, and advertising—claims directly supported by observed tech: Google Tag Manager, Adobe DTM, VWO A/B testing, and TrustArc are all loaded. The policy names major partners (Google, Meta) and describes granular sharing categories (network operators, vendors, marketplace partners, law enforcement). Users are offered clear opt-out rights for marketing and advertising cookies. The observational data aligns with policy claims: analytics and advertising tools are present, cookies are set, and no CSP header is detected. Transparency posture is strong overall—the policy is detailed and candid about data flows, though the absence of a Content Security Policy suggests room for tighter technical controls.
claim vs. reality
“we collect, store, use, and share personal data, which is any information that identifies you directly (such as your name) or indirectly (such as a phone number or device identifier)”
observed · html
Adobe
findings
- warn
Observed vendors not named in policy
The policy names some third parties but omits these observed vendors. Undeclared: Adobe, VWO.
how we detected this → Adobe VWO
- note
Google Tag Manager loaded (tag_manager)
Observed 3 time(s) on the page.
how we detected this →
inline: window.dataLayer = window.dataLayer || [];
inline: ontext5.a(2, new Promise(function (resolve) { gtag("get", CONTAINER_ID, property, resolve); }));
<iframe> src: https://www.googletagmanager.com/ns.html?id=GTM-5JLZ694
- note
Adobe loaded (tag_manager)
Observed 1 time(s) on the page.
how we detected this → script src: https://assets.adobedtm.com/a62564f453ce/b1b9d7ec982b/launch-29605e749a31.min.js
- note
VWO loaded (ab_testing)
Observed 1 time(s) on the page.
how we detected this → link preconnect: https://dev.visualwebsiteoptimizer.com
- note
No Content-Security-Policy header
A CSP header restricts what scripts the page can load. Its absence isn't a policy mismatch but is worth noting in a transparency report.
how we detected this →
- note
Missing CSP header despite complex third-party footprint
The page loads five external third-party domains (Google Tag Manager, Adobe, VWO, TrustArc) and inline Google Tag Manager code, but lacks a Content Security Policy header. While the policy discusses security practices and ISO 27001/NIST compliance, CSP is a basic control that would mitigate risk from compromised third-party scripts.
how we detected this →
has_csp: false
third_parties: googletagmanager.com (3 hits), adobedtm.com, visualwebsiteoptimizer.com, trustarc.com
inline_patterns: Google Tag Manager, Google Tag / GA4
- info
Google Tag Manager: disclosed in policy
The policy names this vendor explicitly, matching what was observed.
how we detected this →
- info
TrustArc badge loaded but no explicit mention in policy
TrustArc is loaded (2 hits) on the page—typically for displaying privacy certifications—but TrustArc is not mentioned in the named third parties list or in the policy text. This is not a mismatch (loading a badge is not 'sharing' data in the traditional sense), but worth noting for completeness of third-party disclosure.
how we detected this →
trustarc.com present in third_parties with 2 hits
named_third_parties does not include TrustArc
- info
Policy claims data is not sold, and observational data supports it
The policy explicitly states 'sells_data: false' and does not describe any data-selling practices. The observed third-party stack (tag managers, A/B testing, CDN) aligns with service delivery and analytics, not a data-selling business model. No ad exchange or data broker integrations detected.
how we detected this →
sells_data: false in policy claims
third_parties are predominantly first-party tools (Google Tag Manager, Adobe) and testing/certification services, not data brokers
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| Adobe | adobedtm.com | tag_manager | 1 | not named |
| Google Tag Manager | googletagmanager.com | tag_manager | 3 | not named |
| VWO | visualwebsiteoptimizer.com | ab_testing | 1 | not named |
| Adobe | hlx.page | cdn | 1 | not named |
| TrustArc | trustarc.com | other | 2 | not named |
policy claims
source · https://www.twilio.com/en-us/legal/privacy
- collects pii: yes
- shares 3p: yes
- sells data: no
- cookies: yes
- analytics: yes
- advertising: yes
named third parties (5)
Google, Meta, WhatsApp, Segment, PayPal
retention
Customer Account Data is stored as long as needed to provide Services and operate the business. The policy states Twilio endeavors not to retain personal data in a form permitting identification longer than necessary for processing purposes, in accordance with Twilio's record retention policies and guidelines.
user rights
Users may request access, correction, deletion, and portability of their data. They can object to processing, withdraw consent, opt out of marketing, manage cookie preferences, and object to automated decision-making. Rights vary by jurisdiction (EU, UK, U.S., Brazil). Deletion requests are subject to limitations and may affect Service use.
response headers
- hsts: yes
- csp: no
- server: —
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://segment.com from your own machine — the tool is MIT-licensed and runs locally.
pip install stackpeek
stackpeek audit https://segment.com
provenance
This audit was generated by running stackpeek against https://segment.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.