SP
Report
From the investigation
Five anonymized deep dives
Real investigation findings. Real evidence patterns. Company names withheld.
Anonymous D2C brand
13 trackers. 6 not in the policy. A checkout tool that already knew our phone number.
We opened a D2C shopping website. 13 trackers loaded — including Microsoft Clarity (visit recording), Meta Pixel, Snap Pixel, and GoKwik (checkout identity). 6 of those trackers were not named anywhere in the privacy policy. When we signed in with Google, the site obtained our phone number from a third party — we never gave it directly.
Anonymous healthcare platform
20+ trackers on a health website. Most not in the policy. Visit recording active on medical pages.
We visited a healthcare platform where people book doctor appointments and look up medical information. Over 20 trackers loaded — including visit recording, identity matching, and more than a dozen advertising networks. Most were not mentioned in the privacy policy. Visit recording was active on pages where people look up health information.
Anonymous financial platform
20+ trackers on a financial platform. DND override in the policy. Visit recording active.
We visited an investment and trading platform. Over 20 trackers loaded — including visit recording, identity matching tools, and more than a dozen advertising networks. The privacy policy explicitly reserves the right to call or text users even if they are registered on DND.
Anonymous travel platform
20+ trackers. The policy allows SMS and contact access. Chatbot data may train AI.
We visited a travel booking website. Over 20 trackers loaded during the session. The privacy policy allows the company to access SMS, contacts, camera, and location. Partners can combine your booking data with other services. Chatbot conversations may be used to train AI. The grievance response redirected us instead of answering.
Anonymous edtech service
7 trackers. All 7 undisclosed. The policy allows collecting your entire phone contact list.
We visited an education technology platform. 7 trackers loaded — including Microsoft Clarity (visit recording), LinkedIn Insight, Meta Pixel, and Google Ads. None of the 7 were named in the privacy policy. The policy allows the company to collect your phone's entire contact list. It has conflicting rules about collecting data from minors.