stackpeek
← back to leaderboard

audit report

Typeform

https://typeform.com · form builder

mismatch
scanned 2026-04-16 23:32:21 utc permalink · /audit/typeform

No usable privacy policy text was available to this audit: no substantive claims about data handling, third-party sharing, cookies, analytics or retention were extracted, even though the homepage advertises extensive data collection ("gather more data," "collect customer contact data"). The observed tech stack shows Google Tag Manager, Optimizely A/B testing, the OneTrust consent SDK served from cookielaw.org (categorised here as tracking), gtag()/dataLayer inline snippets of the kind Google Analytics 4 uses, plus CDN and hosting vendors; the extracted policy names none of these third parties and says nothing about analytics vendors, cookie usage or data retention. This is a significant transparency gap: the site demonstrably collects and processes visitor data but presents no accessible privacy disclosure explaining what is collected, how it is used or who receives it.

claim vs. reality


“Typeform AI helps you build expertly-designed, best-practice forms proven to get more responses”

— extracted from the policy source https://typeform.com (the text is homepage marketing copy, not a privacy policy statement)

observed · html

Homepage claims: 'gather more data, more easily' and 'Collect and then act on customer contact data'

findings


  1. mismatch

    Functional data handling without policy transparency

    The homepage marketing copy explicitly promotes data collection and automated segmentation ('gather more data,' 'collect and then act on customer contact data,' 'automatic segmentation'), yet every extracted policy claim is empty: no disclosed practice for analytics, cookies, third-party sharing or data retention.

    Homepage claims: 'gather more data, more easily' and 'Collect and then act on customer contact data'
    Observed tech: Google Tag Manager (tag_manager), Optimizely (ab_testing), gtag()/dataLayer inline patterns, Cookielaw (OneTrust consent SDK)
    Policy claims: all null/empty for uses_analytics, uses_cookies, shares_with_third_parties, named_third_parties
  2. warn

    No HSTS header

    The response did not include a Strict-Transport-Security header. Without it, a browser that follows an http:// link or a typed bare hostname sends that first request in plaintext and depends on the server's redirect; an attacker on the path (a hostile Wi-Fi network, for example) can answer that request instead and keep the session on HTTP. HSTS makes the browser upgrade such requests itself for max-age seconds after the first HTTPS visit; only preloading covers the very first visit. The header is honoured only on HTTPS responses, so it must be present on the https://typeform.com response this scan fetched. Cloudflare, the server observed here, can add it at the edge.
  3. warn

    Cookie consent integration without disclosed cookie policy

    The OneTrust consent SDK is loaded from cookielaw.org (categorised as tracking), so a consent banner is actively managing cookie categories, yet the privacy policy says nothing about cookies. Visitors have no disclosed basis for understanding what the banner asks consent for or which cookies are set once they accept.

    cookielaw.org loaded with 1 hit (tracking category): otSDKStub.js, the OneTrust SDK stub
    _cfuvid cookie set (Cloudflare; used to tell apart clients behind a shared IP for rate limiting rather than for analytics, but still a cookie the policy does not mention)
    Policy: uses_cookies = null, no cookie disclosure
  4. warn

    A/B testing infrastructure with no user disclosure

    Optimizely is actively loaded (2 hits, ab_testing category) for A/B testing experiments, but the privacy policy makes no mention of experimentation, profiling of users for tests, or how visitors are bucketed into variants.

    Optimizely domain loaded (ab_testing vendor)
    Optimizely inline pattern detected
    Policy makes no mention of A/B testing, experimentation, or user segmentation for research
  5. note

    Google Tag Manager loaded (tag_manager)

    Observed 3 time(s) on the page.

    inline: window.dataLayer = window.dataLayer || []; function gtag(){ dataLayer.push(arguments); }
    inline: window.dataLayer = window.dataLayer || []; function gtag(){ dataLayer.p
    <iframe> src: https://www.googletagmanager.com/ns.html?id=GTM-WH2ZQ3X
  6. note

    Optimizely loaded (ab_testing)

    Observed 2 time(s) on the page.

    script src: https://cdn.optimizely.com/js/6084697625722880.js
    inline: integrationLogger(...parts) { const msg = '[OneTrust ↔ Optimizely] ' + parts.join(' '); /* Prefer any custom `log()` you
  7. note

    Cookielaw loaded (tracking)

    Observed 1 time(s) on the page.

    script src: https://cdn.cookielaw.org/scripttemplates/otSDKStub.js
  8. note

    No Content-Security-Policy header

    A CSP header restricts the origins from which the page may load scripts and other resources, which bounds what a compromised or malicious third-party tag can do. Its absence is not a policy mismatch but is worth noting in a transparency report, particularly for a page that loads scripts from several third-party CDNs. This finding concerns the response header; a policy delivered in a <meta http-equiv="Content-Security-Policy"> tag would not show up in the headers section below.
  9. note

    Missing security headers

    The site lacks both HSTS and CSP headers (findings 2 and 8), which are baseline expectations for a company marketing data collection and handling to enterprises.

    has_hsts: false
    has_csp: false
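As an added example (not stackpeek's own code), the two header checks behind findings 2, 8 and 9 can be made as below, with the caveats a practitioner would want: an HSTS header whose max-age is 0 tells browsers to drop the policy, preload eligibility needs a one-year max-age plus includeSubDomains and preload, and a CSP can be delivered in a meta tag or as report-only, neither of which a bare "is the header present" check distinguishes. OBSERVED_HEADERS and HARDENED_HEADERS are constructed; the first mirrors what this scan reported (server: cloudflare, no HSTS, no CSP).

```python
"""Header checks of the kind behind findings 2, 8 and 9.

Added example; not stackpeek's code. The sample headers are constructed.
"""
import re
from typing import Dict, List, Optional

# One year in seconds: the minimum max-age the HSTS preload list accepts.
PRELOAD_MIN_MAX_AGE = 31536000

# Constructed: mirrors what this scan reported (Cloudflare in front, no HSTS/CSP).
OBSERVED_HEADERS = {"server": "cloudflare", "content-type": "text/html; charset=utf-8"}

# Constructed: what a hardened response to the same GET could look like.
HARDENED_HEADERS = {
    "Server": "cloudflare",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://www.googletagmanager.com",
}


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup: header names are case-insensitive on the wire."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def parse_hsts(value: str) -> Dict[str, object]:
    """Split an HSTS value into its directives (max-age, includeSubDomains, preload)."""
    parsed: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                parsed["max_age"] = int(d.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                pass  # malformed max-age is treated as absent below
        elif d == "includesubdomains":
            parsed["include_subdomains"] = True
        elif d == "preload":
            parsed["preload"] = True
    return parsed


def check_hsts(headers: Dict[str, str]) -> Optional[str]:
    """Return a finding string, or None if HSTS is present and preload-eligible."""
    value = get_header(headers, "Strict-Transport-Security")
    if value is None:
        return "warn: no HSTS; the first http:// request can be intercepted before the redirect"
    p = parse_hsts(value)
    if p["max_age"] is None or p["max_age"] <= 0:
        return "warn: HSTS max-age missing or 0, which tells browsers to drop the policy"
    if p["max_age"] < PRELOAD_MIN_MAX_AGE or not p["include_subdomains"] or not p["preload"]:
        return "note: HSTS set but not preload-eligible (needs max-age>=31536000, includeSubDomains, preload)"
    return None


def check_csp(headers: Dict[str, str], html: str = "") -> Optional[str]:
    """Return a finding string, or None if an enforcing CSP header is present."""
    if get_header(headers, "Content-Security-Policy") is not None:
        return None
    if get_header(headers, "Content-Security-Policy-Report-Only") is not None:
        return "note: CSP is report-only; it logs violations but blocks nothing"
    # A policy in <meta http-equiv> is enforced too, but it cannot carry
    # frame-ancestors or report-uri and applies only once the parser reaches it.
    if re.search(r'<meta[^>]+http-equiv=["\']?content-security-policy', html, re.I):
        return "note: CSP delivered only via <meta>; no header-level policy"
    return "note: no Content-Security-Policy header or meta tag"


def transport_findings(headers: Dict[str, str], html: str = "") -> List[str]:
    """Run both checks; an empty list means both headers pass."""
    return [f for f in (check_hsts(headers), check_csp(headers, html)) if f]
```

Run `transport_findings(OBSERVED_HEADERS)` to reproduce the two findings above, and `transport_findings(HARDENED_HEADERS)` to see an empty result; the html argument only matters when no CSP header is present.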

third parties observed


vendor              domain                category     hits   disclosure
Cookielaw           cookielaw.org         tracking        1   not named
Google Tag Manager  googletagmanager.com  tag_manager     3   not named
Optimizely          optimizely.com        ab_testing      2   not named
AWS CloudFront      cloudfront.net        cdn             1   not named
Google APIs         googleapis.com        api             2   not named
Google Static       gstatic.com           cdn             1   not named
Website Files       website-files.com     hosting       180   not named
Wistia              wistia.com            video           1   not named
jsDelivr            jsdelivr.net          cdn             9   not named

website-files.com is the asset domain used by Webflow-hosted sites, which accounts for the 180 hits.
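The vendor table above and findings 5 to 7 come from counting external resource hosts and inline-script fingerprints. As an added example (not stackpeek's code), the script below does that over a constructed HTML sample that reproduces the resources this scan listed, classifies hosts by suffix match against a small vendor map (an assumption; the tool's real list is larger), and reports which observed vendors the policy leaves unnamed. Unknown hosts fall through as their own vendor so nothing is silently dropped; as on the page, the OneTrust↔Optimizely inline bridge is credited to Optimizely, and Cookielaw is counted only by domain.

```python
"""Third-party inventory of the kind behind the vendor table and findings 5 to 7.

Added example; not stackpeek's code. VENDORS, INLINE_PATTERNS and SAMPLE_HTML
are constructed for this illustration.
"""
import re
from collections import Counter
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumption: a small vendor map; stackpeek's real list is larger.
VENDORS: Dict[str, Tuple[str, str]] = {
    "googletagmanager.com": ("Google Tag Manager", "tag_manager"),
    "optimizely.com": ("Optimizely", "ab_testing"),
    "cookielaw.org": ("Cookielaw", "tracking"),
    "website-files.com": ("Website Files", "hosting"),
    "jsdelivr.net": ("jsDelivr", "cdn"),
}

# Fingerprints applied to inline <script> bodies, not to URLs.
INLINE_PATTERNS = {
    "Google Tag Manager": re.compile(r"window\.dataLayer|googletagmanager\.com"),
    "Optimizely": re.compile(r"optimizely", re.I),
}

# Constructed page mirroring the resources this scan reported.
SAMPLE_HTML = """<html><head>
<script>window.dataLayer = window.dataLayer || []; function gtag(){ dataLayer.push(arguments); }</script>
<script>window.dataLayer = window.dataLayer || []; function gtag(){ dataLayer.push(arguments); }</script>
<script src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js"></script>
<script src="https://cdn.optimizely.com/js/6084697625722880.js"></script>
<script>function integrationLogger(...parts) { const msg = '[OneTrust ↔ Optimizely] ' + parts.join(' '); }</script>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/example@1/dist/x.css">
<img src="https://assets.website-files.com/logo.png">
<img src="/static/first-party.png">
</head><body>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-WH2ZQ3X"></iframe></noscript>
</body></html>"""


class _Collector(HTMLParser):
    """Collects external resource URLs and the bodies of inline <script> tags."""

    URL_ATTR = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[str] = []
        self.inline: List[str] = []
        self._buf: Optional[List[str]] = None  # non-None while inside an inline script

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = self.URL_ATTR.get(tag)
        if attr and a.get(attr):
            self.urls.append(a[attr])
        elif tag == "script":
            self._buf = []  # no src attribute: the body is inline code

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def vendor_for(host: str) -> Tuple[str, str, str]:
    """Suffix-match host against VENDORS; unknown hosts become their own vendor."""
    for domain, (vendor, category) in VENDORS.items():
        if host == domain or host.endswith("." + domain):
            return vendor, domain, category
    return host, host, "unknown"


def inventory(html: str, site_host: str) -> List[Dict[str, object]]:
    """Count hits per vendor from third-party resource hosts plus inline fingerprints."""
    c = _Collector()
    c.feed(html)
    hits: Counter = Counter()
    meta: Dict[str, Tuple[str, str]] = {}
    for url in c.urls:
        host = (urlsplit(url).hostname or "").lower()
        if not host or host == site_host or host.endswith("." + site_host):
            continue  # relative URL or first-party host
        vendor, domain, category = vendor_for(host)
        hits[vendor] += 1
        meta[vendor] = (domain, category)
    for body in c.inline:
        for vendor, pattern in INLINE_PATTERNS.items():
            if pattern.search(body):
                hits[vendor] += 1
                domain = next(d for d, (v, _) in VENDORS.items() if v == vendor)
                meta.setdefault(vendor, (domain, VENDORS[domain][1]))
    return [{"vendor": v, "domain": meta[v][0], "category": meta[v][1], "hits": n}
            for v, n in hits.most_common()]


def disclosure_gaps(rows: List[Dict[str, object]], named: Optional[List[str]]) -> List[str]:
    """Vendors seen on the page that the policy does not name (a null policy leaves all unnamed)."""
    declared = {n.lower() for n in (named or [])}
    return [str(r["vendor"]) for r in rows if str(r["vendor"]).lower() not in declared]
```

`inventory(SAMPLE_HTML, "typeform.com")` yields the same hit counts the table shows for the vendors included in the sample (3 for Google Tag Manager, 2 for Optimizely, 1 for Cookielaw), and `disclosure_gaps(rows, None)` returns every vendor, which is what a null named_third_parties claim amounts to.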

policy claims


source · https://typeform.com

collects pii:  not stated
shares 3p:     not stated
sells data:    not stated
cookies:       not stated
analytics:     not stated
advertising:   not stated

response headers


hsts:    no
csp:     no
server:  cloudflare

run this yourself


Every audit on this site is reproducible. Install stackpeek and run the same check against https://typeform.com from your own machine — the tool is MIT-licensed and runs locally.

pip install stackpeek
stackpeek audit https://typeform.com

source on GitHub · methodology · cli docs

provenance


This audit was generated by running stackpeek against https://typeform.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.