stackpeek

audit report

Zapier

https://zapier.com · automation

aligned
scanned 2026-04-16 23:32:19 utc permalink · /audit/zapier

Zapier's privacy policy claims broadly align with observed behavior: the site loads Google Tag Manager for analytics, multiple CDN and API integrations for content delivery, and sets a visitor tracking cookie. The policy explicitly claims to use analytics (Google confirmed), share with advertising partners (Google, Meta, LinkedIn, Microsoft, TikTok named), and does not sell data—all consistent with observations. However, the policy discloses sharing with six major ad/analytics vendors while the tech stack shows only Google Tag Manager loaded; this gap suggests either selective loading or incomplete disclosure of which vendors actually receive data on the homepage. Security headers (HSTS, CSP) are present, and user rights are clearly stated, including cookie management and marketing opt-out options.

findings

  1. note: Google Tag Manager loaded (tag_manager)

     Observed 1 time(s) on the page.

       link preload: https://www.googletagmanager.com/gtm.js?id=GTM-K7GFJTV

  2. note: Selective vendor activation vs. broad policy disclosure

     The privacy policy names six advertising/analytics partners (Google, Meta, LinkedIn, Microsoft, TikTok, JAMS), but the homepage tech stack shows only Google Tag Manager actually loaded. This could indicate: (a) vendors are loaded conditionally based on user consent state, (b) tags load later via GTM itself, or (c) the policy discloses potential integrations rather than actual homepage activity. Users cannot verify from the homepage alone which vendors receive their data.

       Policy claims: 'We use Google's services...Meta...LinkedIn...Microsoft...TikTok'
       Observed on homepage: googletagmanager.com only (1 hit)

  3. note: Missing data retention periods across most categories

     The policy review's 'retention_description' note explicitly states: 'The policy does not specify data retention periods or practices for most categories of personal information.' This is a transparency gap: users cannot know how long their data is kept, creating uncertainty about long-term exposure even if collection and sharing practices are disclosed.

       Policy review notes absence of retention timelines for most data types

  4. info: Google Tag Manager: disclosed in policy

     The policy names this vendor explicitly, matching what was observed.

  5. info: Third-party content delivery infrastructure is transparent

     Contentful (API + CDN), Cloudinary, and imgix are standard content infrastructure services, not data brokers. They are clearly disclosed in the policy under service providers that cannot use data for their own purposes. This is appropriately transparent.

       ctfassets.net, cloudinary.com, imgix.net loaded for content delivery
       Policy states: 'service providers are only permitted to use this information to provide their services to us, not for their own purposes'

third parties observed

vendor              domain                 category     hits  disclosure
Google Tag Manager  googletagmanager.com   tag_manager  1     not named
Cloudinary          cloudinary.com         cdn          19    not named
Contentful          contentful.com         api          1     not named
Contentful CDN      ctfassets.net          cdn          66    not named
Zapier              zapier-deployment.com  api          23    not named
imgix               imgix.net              cdn          19    not named

policy claims

source · https://zapier.com/privacy

collects pii   yes
shares 3p      yes
sells data     no
cookies        yes
analytics      yes
advertising    yes

named third parties (6)

Google, Meta, LinkedIn, Microsoft, TikTok, JAMS

retention

The policy does not specify data retention periods or practices for most categories of personal information.

user rights

Users have the right to access, request correction, request deletion, and request restriction or object to processing of their information. Users can also opt out of marketing emails, manage cookie preferences, and opt out of certain advertising. Users in EEA, UK, or Switzerland have additional rights including opting out of disclosure to independent controllers and use for materially different purposes.

response headers

hsts     yes
csp      yes
server   Vercel

run this yourself

Every audit on this site is reproducible. Install stackpeek and run the same check against https://zapier.com from your own machine; the tool is MIT-licensed and runs locally.

pip install stackpeek
stackpeek audit https://zapier.com


provenance


This audit was generated by running stackpeek against https://zapier.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.