stackpeek

audit report

Sentry

https://sentry.io · error tracking

warn
scanned 2026-04-16 23:33:18 UTC · permalink: /audit/sentry

Sentry's privacy policy claims the site uses cookies, analytics, advertising, and shares data with third parties for support and analytics purposes. However, the observed tech stack shows no cookies are actually being set on the page, and only Plausible (analytics) and Contentful CDN are loaded as third-party services—notably absent are Google, GitHub, Azure DevOps, and Stripe, which are explicitly named in the policy. The policy disclosure is detailed but overstates the actual tracking footprint observed on this particular welcome page; whether this gap reflects staged data collection, conditional loading, or outdated policy language is unclear from static analysis.

claim vs. reality


“you may provide your contact information, including your first and last name, email address, and password when you register for the Service”

— Sentry privacy policy

observed · html

Plausible

findings


  1. warn

    Observed vendors not named in policy

    The policy names some third parties but omits these observed vendors. Undeclared: Plausible.

    
    Plausible
  2. note

    Plausible loaded (analytics)

    Observed 1 time(s) on the page.

    
    script src: https://plausible.io/js/script.tagged-events.js
  3. note

    Named third parties not observed on page load

    The privacy policy names Google, GitHub, Azure DevOps, and Stripe as third-party partners, but only Plausible and Contentful CDN appear in the actual page load. The policy claims Stripe and other services access cookies and tracking technologies, but no evidence of their presence was detected on the welcome page. This could indicate conditional loading (e.g., only after sign-in) or a gap between policy scope and actual implementation on this particular page.

    
    Policy names: Google, Github, Azure Devops, Stripe, JAMS
    Observed third parties: ctfassets.net (Contentful CDN), plausible.io, sentry.dev, sentry.io
  4. note

    No cookies set despite policy claiming cookie use

    The policy explicitly states 'We use cookies and similar tracking technology' and claims third parties like Stripe set their own cookies on user devices. However, the observation records zero cookies being set during page load. This is not inherently problematic—cookies may be set conditionally after user interaction or authentication—but it creates opacity about when and how cookie consent is managed.

    
    Policy quote: 'We use cookies and similar tracking technology (collectively, "Cookies") to collect and use personal information about you'
    Observation: cookies_set: []
  5. info

    Plausible analytics loaded but not explicitly mentioned in named partners

    Plausible (a privacy-focused analytics tool) is loaded on the page and the policy confirms analytics services are used, but Plausible is not named in the 'named_third_parties' list—only generic disclosure to 'Third-party analytics partners' appears in the claims. This is consistent with privacy-by-default design, but the lack of explicit naming may reduce transparency compared to named vendors.

    
    Observed: plausible.io
    Policy named partners do not include Plausible; policy refers only to generic 'Third-party analytics partners'

third parties observed


| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| Plausible | plausible.io | analytics | 1 | not named |
| Contentful CDN | ctfassets.net | cdn | 1 | not named |
| Sentry | sentry.dev | error_tracking | 1 | not named |
| Sentry | sentry.io | error_tracking | 1 | not named |

policy claims


source · https://sentry.io/privacy/

collects pii: yes
shares 3p: yes
sells data: no
cookies: yes
analytics: yes
advertising: yes

named third parties (5)

Google, Github, Azure Devops, Stripe, JAMS

retention

Sentry retains personal information where there is an ongoing legitimate business need or legal obligation to do so. Retention periods depend on the nature of the information and legal requirements. Data may be retained longer for legal, compliance, or litigation purposes. When no legitimate need exists, data is deleted or anonymized, or securely stored if deletion is not possible.

user rights

Users can access, correct, update, or request deletion of personal information at https://sentry.io/contact/gdpr/. Users can object to processing, request restriction, request portability, withdraw consent, and opt-out of marketing communications. Users have the right to complain to a supervisory authority.

response headers


hsts: yes
csp: yes
server: nginx

run this yourself


Every audit on this site is reproducible. Install stackpeek and run the same check against https://sentry.io from your own machine — the tool is MIT-licensed and runs locally.

pip install stackpeek
stackpeek audit https://sentry.io


provenance


This audit was generated by running stackpeek against https://sentry.io from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.