How Privacy Signal Works

Privacy Signal runs a lightweight scan only when you open the popup. It reads what the page has already loaded (scripts, iframes, resource hosts, and a few browser-visible signals). It does not send results anywhere and it does not make network requests.

When it runs

On demand, when the visitor opens the privacy widget. No background tracking.

What it reads

Page DOM + browser APIs (resource timing), already available in the visitor’s session.

What it means

Signals, not verdicts. It highlights likely third-party tracking, not “good” vs “bad.”

Analytics & Tracking Scripts

Privacy Signal inspects every <script src="…"> on the page and extracts the hostname. It compares that hostname against a curated list of known analytics, ad, and tracking vendors (examples: Google Tag Manager, Meta Pixel, HubSpot, Hotjar, Segment).

How to interpret it

  • Amber dot means the domain matched a known vendor list.
  • Green dot means no known third-party analytics scripts were detected in the DOM at scan time.

Limitations

  • It’s a heuristic list. Self-hosted analytics (served from your own domain) may not appear here.
  • Scripts added later (after the popup opens) won’t appear unless you reopen the privacy widget.

Analytics Globals

Many analytics tools expose a global on window when they initialize (examples: window.gtag, window.fbq, window.mixpanel). Privacy Signal checks for a small set of common analytics globals.

Why this helps

Some tools are loaded from first-party domains or generic CDNs (which might not match the tracker list), but still expose recognizable globals. This section is a “second signal.”

Limitations

  • In SPAs, globals may persist across routes even if the current view didn’t load new scripts.
  • Globals can be renamed or hidden. Absence doesn’t mean “no analytics.”

Third-Party Embeds

Privacy Signal counts <iframe src="…"> elements whose src points to a different domain than the page. Examples include YouTube players, Google Maps, Spotify embeds, chat widgets, and payment widgets.

How to interpret it

This is shown as a neutral signal. Third-party iframes are common, but they can see the visitor’s IP and may set cookies depending on the provider and browser settings.

Limitations

  • Iframes without a src attribute are not counted.
  • Same-domain iframes are excluded.

Network Requests

This section shows the third-party hostnames the page requested resources from (scripts, images, fonts, beacons, XHR/fetch, etc.) using the browser’s Resource Timing data. Hosts are grouped and counted, and known tracker vendors are highlighted.

Important

  • “No third-party requests” does not mean “no tracking.” A site can track via its own domain (server-side analytics, reverse proxying, etc.).
  • Some browsers and resources limit what shows up here due to privacy rules (Timing-Allow-Origin).
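
The grouping described in this section, combined with the hostname-to-vendor match from Analytics & Tracking Scripts, as an added example (not Privacy Signal's own code). The vendor list, the sample URLs and the "same domain" rule (the page host without a leading www., plus its subdomains) are assumptions.

```javascript
// Constructed sample list; the widget's real curated list is not shown on this page.
const VENDORS = {
  'googletagmanager.com': 'Google Tag Manager',
  'connect.facebook.net': 'Meta Pixel',
  'hs-scripts.com': 'HubSpot',
  'hotjar.com': 'Hotjar',
  'segment.com': 'Segment',
};

// Match on a label boundary so a lookalike such as "nothotjar.com" is not labelled "Hotjar".
function hostMatches(host, suffix) {
  return host === suffix || host.endsWith('.' + suffix);
}

function vendorFor(host) {
  const hit = Object.keys(VENDORS).find((s) => hostMatches(host, s));
  return hit ? VENDORS[hit] : null;
}

// Assumption: first-party = page host (minus "www.") or a subdomain of it.
// A production check would compare registrable domains (eTLD+1) instead.
function groupThirdPartyHosts(pageUrl, resourceUrls) {
  const site = new URL(pageUrl).hostname.replace(/^www\./, '');
  const counts = new Map();
  for (const raw of resourceUrls) {
    let url;
    try { url = new URL(raw, pageUrl); } catch { continue; } // skip unparsable entries
    if (!/^https?:$/.test(url.protocol)) continue;           // ignore data:, blob:, about:
    const host = url.hostname;                               // lowercased by the URL parser
    if (hostMatches(host, site)) continue;                   // first-party, not reported
    counts.set(host, (counts.get(host) || 0) + 1);
  }
  return [...counts]
    .map(([host, count]) => ({ host, count, vendor: vendorFor(host) }))
    .sort((a, b) => b.count - a.count || a.host.localeCompare(b.host));
}

// Constructed input. In a browser: performance.getEntriesByType('resource').map(e => e.name)
const SAMPLE = [
  'https://www.example.com/app.js',
  '/img/logo.png',
  'https://static.example.com/site.css',
  'https://www.googletagmanager.com/gtm.js',
  'https://www.googletagmanager.com/gtag/js',
  'https://static.hotjar.com/c/hotjar.js',
  'https://nothotjar.com/x.js',
  'data:image/png;base64,AAAA',
];
console.log(groupThirdPartyHosts('https://www.example.com/pricing', SAMPLE));
```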

Referrer Policy

When a visitor clicks a link, the browser may send a Referer header to the destination containing the URL of the page they came from. A referrer policy controls how much information is shared (full URL vs origin-only vs none).

Privacy Signal reads the page’s <meta name="referrer" content="…"> tag and displays the value. If the tag is missing, the browser falls back to a default policy (commonly strict-origin-when-cross-origin).

Note

This only reads the <meta> tag. Sites can also set referrer policy via the Referrer-Policy HTTP header, which a client-side script cannot reliably read.

Privacy Signal does not collect data

All scanning happens locally in the visitor's browser. No results are sent to any server. The embed script has no external dependencies and makes no network requests.

Privacy Signal highlights signals and common patterns. It is not a guarantee that a page is (or is not) tracking you.