audit report
Trello
Trello's privacy policy claims third-party sharing with named vendors (Google, Twitter, Facebook, TRUSTe, DAA) and states use of cookies and analytics. Network observation shows only Atlassian-owned domains (atl-paas.net and atlassian.com) in third-party requests, with four cookies set (atlCohort, ajs_anonymous_id, bxp_gateway_request_id, wac_user_detected). The policy's named third parties are not directly observed in this page load, suggesting they may be contacted during user interaction or account creation rather than on the homepage. The site implements HSTS and CSP security headers. No obvious mismatches exist, but the scope of observed third-party contact is narrower than the policy's disclosure suggests for a logged-out user viewing the homepage.
findings
- note
Third-party vendors mentioned in policy not observed in homepage load
The privacy policy names Google, Twitter, Facebook, and other third parties as recipients of shared data, but network observation on the homepage load shows only Atlassian-owned domains (atl-paas.net, atlassian.com). This is consistent with a logged-out user experience; third-party integrations (analytics, ads, social login) likely activate only upon user interaction or sign-in.
how we detected this →
Observed third parties: atl-paas.net (Atlassian), atlassian.com (Atlassian)
Policy-named third parties: Google, Twitter, Facebook, TRUSTe, Digital Advertising Alliance
No Google Analytics, Facebook Pixel, or Twitter tracking pixels detected in homepage load
- info
No privacy-sensitive third parties detected
No analytics, advertising, tracking, or session replay vendors were observed on this page.
- info
Cookie purposes not individually disclosed
Four cookies are set (atlCohort, ajs_anonymous_id, bxp_gateway_request_id, wac_user_detected) but the privacy policy does not enumerate specific cookies or their purposes. ajs_anonymous_id suggests Segment or similar event tracking, while atlCohort indicates Atlassian's experimentation infrastructure, but users cannot determine from the policy alone what each cookie does.
how we detected this →
Cookies set: atlCohort, ajs_anonymous_id, bxp_gateway_request_id, wac_user_detected
Policy mentions 'cookies' and 'analytics' generically without cookie-level granularity
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| Atlassian | atl-paas.net | hosting | 5 | not named |
| Atlassian | atlassian.com | api | 1 | not named |
policy claims
source · https://www.atlassian.com/legal/privacy-policy
- collects pii: yes
- shares 3p: yes
- sells data: no
- cookies: yes
- analytics: yes
- advertising: yes
named third parties (5)
Google, Twitter, Facebook, TRUSTe, Digital Advertising Alliance
retention
Atlassian retains account information for as long as an account is active plus a reasonable period thereafter. Content may be retained longer for shared team use. Marketing information is retained for a reasonable period from last engagement. Information in backup archives may be kept longer until deletion is possible.
user rights
Users may request access to or copies of their information, object to processing, update or correct information, request deletion or restriction, request data portability, withdraw consent, and opt out of targeted advertising and promotional communications. EU/UK residents have additional rights under GDPR. US residents can opt out of sales/sharing and have rights under state privacy laws.
response headers
- hsts: yes
- csp: yes
- server: AtlassianEdge
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://trello.com from your own machine — the tool is MIT-licensed and runs locally.
pip install stackpeek
stackpeek audit https://trello.com
provenance
This audit was generated by running stackpeek against https://trello.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.