audit report
Vercel
Vercel's privacy policy claims comprehensive data collection, third-party sharing, and use of analytics and advertising. The observed tech stack confirms most of these claims: Google-related services, YouTube embeds, Clearbit API calls, and Contentful integrations align with stated uses. However, the policy names only Google Analytics, Stripe, and Facebook as third parties, while the actual tech stack loads Clearbit (a data enrichment/API platform), Contentful (CMS/API), Intercom (chat support), and AWS—vendors not mentioned in the policy. The site uses three consent cookies but the policy does not detail what consent options are actually offered to users. Overall, Vercel's disclosures are broad enough to cover most observed activity, but critical vendor names are missing, creating a transparency gap.
claim vs. reality
“We collect your contact information when you use, inquire about, or purchase our Services or engage in our Marketing Activities. This information may include your full name, email address, phone number, and location.”
observed · html
Tech stack: clearbit.com (API category, 5 hits)
findings
- mismatch
Clearbit API calls not disclosed in named third parties
The site makes 5 calls to clearbit.com (a data enrichment and prospect intelligence API), but Clearbit is not mentioned anywhere in the policy's list of named third parties. The policy states Vercel shares with 'Analytics companies' generically, but Clearbit is primarily a contact data enrichment platform, not an analytics provider.
how we detected this → Tech stack: clearbit.com (API category, 5 hits); Policy named third parties: Google Analytics, Stripe, Facebook, Analytics companies (no Clearbit)
- mismatch
Contentful CMS integration not disclosed
Vercel loads contentful.com and ctfassets.net (Contentful's CDN) with 4 combined hits, but Contentful is not named in the policy. The policy mentions 'content delivery network services' and 'cloud providers' generically, but fails to name this significant third-party vendor.
how we detected this → Tech stack: contentful.com (API, 3 hits), ctfassets.net (CDN, 1 hit); Policy named third parties: no mention of Contentful
- mismatch
Intercom chat support not disclosed
The site loads messaging.haus (Intercom's domain) for customer support, but Intercom is not named in the policy. The policy states Vercel uses 'customer support providers' generically but does not name this vendor.
how we detected this → Tech stack: messaging.haus (chat_support category, 1 hit); Policy named third parties: no mention of Intercom
- warn
Observed vendors not named in policy
The policy names some third parties but omits these observed vendors. Undeclared: Gravatar.
how we detected this → Gravatar
- note
Gravatar loaded (social)
Observed 1 time(s) on the page.
how we detected this → CSP: https://www.gravatar.com
- note
AWS hosting present but not explicitly named
One call to amazonaws.com is detected, indicating AWS is used for infrastructure. The policy generically mentions 'cloud providers' for hosting and storage but does not name AWS.
how we detected this → Tech stack: amazonaws.com (hosting, 1 hit); Policy named third parties: no explicit mention of AWS
- info
Consent management cookie present but consent options not detailed
The site sets a '_v-consent' cookie, indicating a consent management mechanism exists. However, the policy does not explain what specific consent choices are available to users or what each cookie controls.
how we detected this → Cookies observed: _v-consent, _v-anonymous-id, _v-anonymous-id-renewed; Policy: mentions cookies are collected 'depending on your settings or preferences' but does not detail what those options are
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| Gravatar | gravatar.com | social | 1 | not named |
| AWS | amazonaws.com | hosting | 1 | not named |
| Clearbit | clearbit.com | api | 5 | not named |
| Contentful | contentful.com | api | 3 | not named |
| Contentful CDN | ctfassets.net | cdn | 1 | not named |
| | google.com | other | 1 | not named |
| Intercom | messaging.haus | chat_support | 1 | not named |
| LinkedIn CDN | licdn.com | cdn | 1 | not named |
| Vercel | vercel.app | hosting | 5 | not named |
| Vercel | vercel.sh | hosting | 1 | not named |
| Vercel Storage | vercel-storage.com | hosting | 9 | not named |
| YouTube | youtube-nocookie.com | video | 5 | not named |
| YouTube | youtube.com | video | 1 | not named |
| YouTube thumbnails | ytimg.com | cdn | 1 | not named |
policy claims
source · https://vercel.com/legal/privacy-policy
- collects pii: yes
- shares 3p: yes
- sells data: no
- cookies: yes
- analytics: yes
- advertising: yes
named third parties (4)
Google Analytics, Stripe, Facebook, Analytics companies
retention
Vercel retains information for the minimum necessary period to fulfill legal and contractual obligations, develop sites and services, resolve disputes, and enforce rights. When no longer needed, information is deleted or anonymized, or stored securely if deletion is not possible.
user rights
Users have rights to access, rectify, delete, and withdraw consent for personal information. Users can opt-out of marketing communications and targeted advertising. US users have rights to know about sales/disclosures, opt-out of sale/sharing, and appeal decisions. EEA/UK users have rights to restriction, objection, and data portability.
response headers
- hsts: yes
- csp: yes
- server: Vercel
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://vercel.com from your own machine — the tool is MIT-licensed and runs locally.
pip install stackpeek
stackpeek audit https://vercel.com
provenance
This audit was generated by running stackpeek against https://vercel.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.