audit report
Slack
Slack's privacy policy transparently discloses widespread data collection, third-party sharing, advertising, and analytics practices, all confirmed by the observable tech stack. The site loads Google Tag Manager, GA4, and the Clearbit API; uses multiple tracking cookies (utm, b, x); and uses the CloudFront CDN. Policy claims align with observed behavior: collection of PII, usage metadata, device data, cookies, and location signals are all documented. Third-party sharing and advertising are explicitly claimed and match the Clearbit API observation. The stated no-data-sales commitment is present. Notably, only "Salesforce" is named among third parties, even though the site integrates multiple tracking vendors that are not disclosed by name, a transparency gap for users seeking to understand the full scope of data recipients.
claim vs. reality
“To create or update a Workspace account, you or our Customer supply Slack with an email address, phone number, password, domain, and/or other account set up details”
observed · html
Google Tag Manager findings
- warn
Observed vendors not named in policy
The policy names some third parties but omits these observed vendors. Undeclared: Google Tag Manager.
how we detected this → Google Tag Manager
- note
Google Tag Manager loaded (tag_manager)
Observed 5 time(s) on the page.
how we detected this →
inline: window.dataLayer = window.dataLayer || []; function gtag(){window.dataLayer.push(arguments);} function loadGTM() {
inline: window.dataLayer = window.dataLayer || []; function gtag(){window.dataLayer.pu
inline: = grantedIfBoth(policySet, activeSet, 4); // category 4 gtag('consent', "default", {"ad_storage":"denied","ad_user_data":
- note
No Content-Security-Policy header
A CSP header restricts what scripts the page can load. Its absence isn't a policy mismatch but is worth noting in a transparency report.
how we detected this →
- note
Named third parties incomplete
Policy names only 'Salesforce' as a named third party, but observable integrations include Google Tag Manager, Clearbit, and AWS CloudFront without equivalent named disclosure. Slack's policy does reference 'service providers' and 'Third-Party Services' generically, but users cannot easily cross-reference the specific vendors actually receiving data.
how we detected this →
Policy claims: named_third_parties = ['Salesforce']
Observed domains: googletagmanager.com (Google Tag Manager), clearbit.com (Clearbit API), cloudfront.net (AWS CloudFront)
Policy states 'We may engage third-party companies or individuals as service providers' but does not name the analytics, attribution, or CDN vendors in use
- note
Advertising claim supported but vendor details sparse
Policy explicitly states sharing personal information with 'third party advertisers for purposes of targeting advertisements on non-Slack websites.' Clearbit API integration (1 hit) aligns with this claim—Clearbit offers identity resolution and enrichment for ad targeting—but the policy does not name which ad networks or advertising platforms receive Slack user data.
how we detected this →
Policy quote: 'we may share personal information (in the form of identifiers and internet activity information) with third party advertisers for purposes of targeting advertisements on non-Slack websites'
Observed: clearbit.com domain (1 hit), category 'api', vendor 'Clearbit'
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| Google Tag Manager | googletagmanager.com | tag_manager | 5 | not named |
| AWS CloudFront | cloudfront.net | cdn | 2 | not named |
| Clearbit | clearbit.com | api | 1 | not named |
| Oneanother | cookielaw.org | other | 1 | not named |
| Slack | slack-edge.com | hosting | 146 | not named |
policy claims
source · https://slack.com/trust/privacy/privacy-policy
- collects pii: yes
- shares 3p: yes
- sells data: no
- cookies: yes
- analytics: yes
- advertising: yes
named third parties (1)
Salesforce
retention
Slack retains Customer Data according to customer instructions and applicable law. Other Information is retained as long as necessary for the purposes described in the policy, including after account deactivation for legitimate business interests, audits, legal compliance, dispute resolution, and agreement enforcement.
user rights
Users in the EEA, UK, Brazil and globally can request access, update, delete, or correct personal information through account settings or by contacting their workspace controller. Users can object to processing based on legitimate interests and opt out of direct marketing. California consumers have specific CCPA/CPRA rights including right to know, delete, and opt out of data sales.
response headers
- hsts: yes
- csp: no
- server: Apache
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://slack.com from your own machine — the tool is MIT-licensed and runs locally.
pip install stackpeek
stackpeek audit https://slack.com
provenance
This audit was generated by running stackpeek against https://slack.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.