How we measure

What PrivacyFixed does — and what it doesn't claim

PrivacyFixed loads a public web page in a real browser and records what it observes: which outside companies the page contacts, the cookies it sets, the device-fingerprinting scripts it runs, and whether trackers keep firing after a cookie-consent rejection. Every finding is something we directly saw — below is exactly how we measure it, what the findings mean, and the limits we work within.

How a scan works

We open the URL you enter in an automated browser with an honest, identifying user-agent (PrivacyFixed-Scanner). As the page loads, we record every network request it makes, the cookies it stores, and the device-fingerprinting APIs it calls. We then match the outside requests against a curated registry of known trackers to name the companies behind them.

Every finding is an observation — something we directly saw the page do during the scan. We do not guess, and we do not infer intent.

What we look for

A scan runs seven independent checks. Each looks at a different way a page can track you, so a finding in one doesn't depend on the others:

  1. Outside requests: Records every request the page makes to a domain that isn't the site's own, and matches each against a curated registry of known trackers to name the company.
  2. Hidden (cloaked) trackers: Follows DNS records to catch a tracker disguised as a first-party subdomain — e.g. metrics.thesite.com that secretly points to a known ad network.
  3. Cookies: Notes which cookies are set, and flags the tracking-relevant ones: third-party cookies (readable across sites) and persistent cookies (that survive after you leave). We record that a cookie exists, never its value.
  4. Device fingerprinting: Watches for scripts that probe your device — canvas, WebGL, audio, fonts — the techniques commonly used to build a stable identifier that works even when you block cookies. We record which APIs were called, never the resulting signature.
  5. Fingerprinting breadth: Measures how many independent fingerprinting surfaces a page touches together. Touching many at once is far more identifying than any single one, so breadth is reported separately.
  6. Consent enforcement: Checks whether a cookie-consent banner is present, whether trackers fire before you could consent, and — the finding regulators focus on — whether trackers keep firing after a rejection. We click reject, never accept.
  7. Tracking parameters: Inspects the URLs the page uses for tracking identifiers riding along in the address (fbclid, gclid, and similar) that hand an ID to whoever reads the link.

What the risk levels mean

We rate each service by privacy risk — not legal risk, and the rating describes the category a service belongs to from its own documented purpose, not a judgment about any one company's conduct. "Critical" means a class of service designed to recognize people across sites. It does not mean a site is breaking any law — that depends on consent, jurisdiction, and contracts a scan can't see.

  • Critical: Services whose documented purpose is recognizing people across sites — ad exchanges, data brokers, identity-resolution. We rate the category by that stated purpose.
  • High: Services commonly used to collect rich behavioral data — cross-site analytics, ad pixels, fingerprinting.
  • Medium: Services that typically measure or assist — tag managers, A/B testing, lighter analytics. Real data collection, but not designed to profile people across the web.
  • Low / safe: Functional infrastructure — fonts, CDNs, payment, CAPTCHA. Usually needed for the page to work, with little tracking value.

What the confidence labels mean

Every claim carries a label for the kind of evidence behind it, so we never over-state what we know:

  • Confirmed: We observed the request fire and matched it to a known company.
  • Documented: What the company collects is sourced from its own published documentation, not inferred.
  • Inferred: We saw an outside request fire but couldn't identify it — we report that it happened, and we don't name a company.
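
The outside-request and cloaked-tracker checks described under "What we look for", combined with the Confirmed and Inferred labels above, can be sketched as follows. This is an added example, not PrivacyFixed's own code. Assumptions: the registry entries, the CNAME records and every function name are constructed for illustration, the registrable domain is approximated by the last two labels, and labelling a cloaked match "Confirmed" is a choice made here rather than something the page states.

```python
# Added example: the data below is constructed, not real scan output.
REGISTRY = {  # hypothetical registry: tracker domain -> company
    "adnetwork.example": "Example Ad Network",
    "analytics.example": "Example Analytics",
}
CNAMES = {  # constructed CNAME records standing in for live DNS lookups
    "metrics.thesite.com": "thesite.edge.adnetwork.example",
    "img.thesite.com": "cdn.thesite.com",
    "a.thesite.com": "b.thesite.com",  # deliberate loop
    "b.thesite.com": "a.thesite.com",
}

def site_of(host):
    """Registrable domain, simplified to the last two labels (assumption:
    a real scanner would consult the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def registry_match(host):
    """Return the company whose registry domain equals host or a parent of it."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        company = REGISTRY.get(".".join(labels[i:]))
        if company:
            return company
    return None

def resolve_chain(host, max_hops=8):
    """Follow CNAME records from host, stopping on a loop or after max_hops."""
    chain, seen = [], {host}
    while host in CNAMES and len(chain) < max_hops:
        host = CNAMES[host]
        if host in seen:
            break
        seen.add(host)
        chain.append(host)
    return chain

def classify(page_host, request_host):
    """Return (kind, company, confidence label) for one observed request host."""
    if site_of(request_host) != site_of(page_host):
        company = registry_match(request_host)
        return ("outside", company, "Confirmed" if company else "Inferred")
    for target in resolve_chain(request_host):
        company = registry_match(target)
        if company and site_of(target) != site_of(page_host):
            return ("cloaked", company, "Confirmed")  # label choice is an assumption
    return ("first-party", None, None)
```

A first-party hostname is only reported as cloaked when its CNAME chain leaves the site's own domain and lands on a registry entry, which keeps ordinary CDN aliases from being flagged.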

What we don't do

  • We scan public pages only. We never log in, never enter credentials, and never bypass a paywall or a CAPTCHA — that's the real line, and we don't cross it.
  • We scan the single page you ask us to scan, the same as you opening it in your own browser — we are not a bulk crawler. (Reputable on-demand scanners work the same way.) If a site formally asks us to stop, we honor that and remove it from scanning.
  • We minimize data: we never store cookie values, device-fingerprint signatures, IP addresses, or page contents — only the metadata needed to describe the tracking.
  • We never profile you. We assess the website's behavior, not any individual person.
  • We never make legal conclusions. We describe what a site does; whether that breaks a specific law is a question for a lawyer.

Limits & corrections

A scan is a snapshot of one page load. Sites change, and a page may behave differently for different visitors or regions. If you believe a finding is wrong, we want to fix it — findings are evidence-based, and we'll correct or remove anything we can't stand behind.

PrivacyFixed is an informational tool. Its output is generated automatically from what the scan observed and is not legal advice.