How StackPatrol works
We believe a third-party scanner should be transparent. Here is exactly what StackPatrol does when you submit a URL.
1. Crawling
We launch a headless Chromium browser (via Playwright) with a desktop User-Agent and a 1366×800 viewport. We then load the URL you provided and wait for the page to reach networkidle for up to six seconds.
To improve coverage we also try to scan one additional internal page. We pick the most “interesting” same-domain link we can find, typically checkout, contact, pricing, signup or login, because those pages often load payment, support and conversion-tracking scripts that the front page does not.
We do not log in, fill out forms, click consent banners, or interact with the page beyond loading it.
2. Recording requests
For every network request the browser makes we record the URL, the host and the resource type. A request is classified as third-party when its registrable domain differs from the registrable domain of the scanned site (for example, cdn.acme.com is first-party for acme.com, but fonts.googleapis.com is third-party).
We determine the registrable domain with a small last-two-labels heuristic, extended by a list of common two-part TLDs (.co.uk, .com.au, .co.jp, …) so that www.bbc.co.uk resolves to bbc.co.uk rather than co.uk.
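The registrable-domain heuristic and the first-party/third-party split it drives, written out as an added example in Python. This is not StackPatrol's own code; the two-part TLD list is a constructed stub (the real list is assumed to be longer), and the sample request URLs are constructed for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed list of common two-part TLDs; only enough to make the examples
# below work. A real scanner would carry a much longer list.
TWO_PART_TLDS = {"co.uk", "org.uk", "ac.uk", "com.au", "net.au", "co.jp", "co.nz", "com.br"}


def registrable_domain(host: str) -> str:
    """Last-two-labels heuristic: 'cdn.acme.com' -> 'acme.com'.
    Extended to three labels when the last two form a known two-part TLD,
    so 'www.bbc.co.uk' -> 'bbc.co.uk'. IP literals are returned unchanged,
    because splitting them on dots would produce nonsense like '0.1'."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_third_party(request_url: str, site_url: str) -> bool:
    """True when the request's registrable domain differs from the scanned site's."""
    req_host = urlparse(request_url).hostname or ""
    site_host = urlparse(site_url).hostname or ""
    return registrable_domain(req_host) != registrable_domain(site_host)


def split_requests(site_url: str, request_urls):
    """Partition recorded request URLs into first-party and third-party lists,
    the way a scanner would once the page has reached networkidle."""
    first, third = [], []
    for url in request_urls:
        (third if is_third_party(url, site_url) else first).append(url)
    return first, third


# Constructed sample of recorded requests for a scan of https://acme.com/
SAMPLE_REQUESTS = [
    "https://acme.com/",
    "https://cdn.acme.com/app.js",
    "https://fonts.googleapis.com/css2?family=Inter",
    "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER",
    "https://static.acme.co.uk/logo.png",  # different registrable domain
]

if __name__ == "__main__":
    first, third = split_requests("https://acme.com/", SAMPLE_REQUESTS)
    print("first-party:", first)
    print("third-party:", third)
```

Note the last sample request: acme.co.uk is a different registrable domain from acme.com, so the heuristic counts it as third-party even though it belongs to the same brand. That is a known limitation of any purely syntactic rule and is why unmatched domains are surfaced for review rather than silently discarded.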
3. Vendor matching
We maintain a curated database of 469 third-party vendors (browse the directory). Each vendor entry contains one or more domain patterns.
A request matches a vendor when:
- its hostname equals the pattern, or
- its hostname ends with "." + pattern (suffix match), or
- for the few non-domain patterns we use (e.g. _vercel/insights), the full URL contains the pattern.
When a request matches multiple patterns we pick the most specific (longest) one. This avoids false positives like shop.app matching myshop.appspot.com.
Domains that don’t match any vendor are listed as unmatched. Help us catalogue them by emailing your unmatched list. We add new vendors regularly.
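The three matching rules and the longest-pattern tie-break, as an added Python example; it is not StackPatrol's code, and the vendor entries below are a constructed stand-in for the real directory. Treating any pattern that contains a "/" as a non-domain pattern is an assumption made for the example. Two things to watch in the output: the dot-bounded suffix rule is what stops shop.app from matching myshop.appspot.com, and longest-match is what sends fonts.googleapis.com to the more specific vendor rather than the generic googleapis.com entry.

```python
from urllib.parse import urlparse

# Constructed vendor database (hypothetical entries, not StackPatrol's own
# 469-entry directory). Patterns containing "/" are treated as non-domain
# patterns matched against the full URL; that marker is an assumption.
VENDORS = {
    "Google APIs": ["googleapis.com"],
    "Google Fonts": ["fonts.googleapis.com", "fonts.gstatic.com"],
    "Shop Pay": ["shop.app"],
    "Google App Engine": ["appspot.com"],
    "Vercel Analytics": ["_vercel/insights"],
}


def pattern_matches(url: str, host: str, pattern: str) -> bool:
    """Apply the three rules: exact host, dot-bounded suffix, or (for
    non-domain patterns) substring of the full URL. The leading "." in the
    suffix rule is essential: a bare endswith/contains check would let
    'shop.app' match 'myshop.appspot.com'."""
    if "/" in pattern:
        return pattern in url
    return host == pattern or host.endswith("." + pattern)


def match_vendor(url: str):
    """Return (vendor, pattern) for the longest matching pattern, or None."""
    host = (urlparse(url).hostname or "").lower()
    best = None
    for vendor, patterns in VENDORS.items():
        for pattern in patterns:
            if pattern_matches(url, host, pattern):
                if best is None or len(pattern) > len(best[1]):
                    best = (vendor, pattern)
    return best


def match_all(urls):
    """Group third-party request URLs by vendor; unmatched hosts are collected
    separately (deduplicated, in first-seen order) for the report."""
    matched, unmatched = {}, []
    for url in urls:
        hit = match_vendor(url)
        if hit is None:
            host = (urlparse(url).hostname or "").lower()
            if host not in unmatched:
                unmatched.append(host)
        else:
            matched.setdefault(hit[0], []).append(url)
    return matched, unmatched


# Constructed third-party requests from a scan.
SAMPLE_THIRD_PARTY = [
    "https://fonts.googleapis.com/css2?family=Inter",
    "https://maps.googleapis.com/maps/api/js",
    "https://myshop.appspot.com/cart",
    "https://pay.shop.app/checkout",
    "https://example.com/_vercel/insights/script.js",
    "https://unknown-cdn.example/lib.js",
    "https://unknown-cdn.example/styles.css",
]

if __name__ == "__main__":
    matched, unmatched = match_all(SAMPLE_THIRD_PARTY)
    for vendor, urls in matched.items():
        print(f"{vendor}: {len(urls)} request(s)")
    print("unmatched:", unmatched)
```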
4. Region classification
Each vendor is classified by ownership region: US, EU, EEA, UK, Switzerland, China, Global or Unknown. The classification is based on where the parent company is incorporated, not on where data physically resides; a US-owned vendor with EU data centres is still classified as US because data-access requests (FISA 702, CLOUD Act) are governed by ownership.
For some sites we also detect that the scanned site itself is owned by a major non-EU company (for example, tiktok.com or apple.com). When that happens we cap and relabel the score so it isn’t misleading.
5. The EU Independence Score
The score is an experimental signal, not a compliance rating. It starts at 100 and we subtract:
- 8 points for every detected US-owned vendor
- 10 points for every detected Chinese-owned vendor
- 3 points for every unmatched third-party domain, capped at 30 points in total
We cap the unknown penalty so a single noisy site (a news article embedding twenty third-party widgets we can’t identify) does not collapse to zero.
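The score arithmetic with the unmatched cap and the per-component breakdown a score card would show, as an added Python example rather than StackPatrol's implementation. Each vendor is counted once however many requests it received (an assumption; the page says "every detected vendor", not "every request"), and the floor of 0 is assumed from the page's wording that a noisy site should not "collapse to zero". The sample vendor and region labels are constructed for the example.

```python
# Penalty weights as stated on the page.
US_PENALTY = 8
CHINA_PENALTY = 10
UNMATCHED_PENALTY = 3
UNMATCHED_CAP = 30


def eu_independence_score(vendor_regions: dict, unmatched_domains) -> dict:
    """vendor_regions maps each detected vendor (counted once) to its ownership
    region; unmatched_domains lists registrable domains that matched no vendor.
    Returns the score plus the breakdown of how each component contributed.
    Floor of 0 is an assumption, not stated explicitly on the page."""
    us = sum(1 for region in vendor_regions.values() if region == "US")
    china = sum(1 for region in vendor_regions.values() if region == "China")
    unmatched = len(set(unmatched_domains))

    us_penalty = US_PENALTY * us
    china_penalty = CHINA_PENALTY * china
    raw_unmatched_penalty = UNMATCHED_PENALTY * unmatched
    unmatched_penalty = min(raw_unmatched_penalty, UNMATCHED_CAP)

    raw = 100 - us_penalty - china_penalty - unmatched_penalty
    return {
        "score": max(0, raw),
        "us_vendors": us,
        "us_penalty": -us_penalty,
        "china_vendors": china,
        "china_penalty": -china_penalty,
        "unmatched_domains": unmatched,
        "unmatched_penalty": -unmatched_penalty,
        "unmatched_capped": raw_unmatched_penalty > UNMATCHED_CAP,
    }


# Constructed scan result: three US-owned vendors, one Chinese-owned vendor,
# one EU vendor and twelve third-party domains that matched nothing.
SAMPLE_VENDOR_REGIONS = {
    "us-tag-manager": "US",
    "us-payments": "US",
    "us-chat-widget": "US",
    "cn-analytics": "China",
    "eu-analytics": "EU",
}
SAMPLE_UNMATCHED = [f"widget{i}.example" for i in range(12)]

if __name__ == "__main__":
    breakdown = eu_independence_score(SAMPLE_VENDOR_REGIONS, SAMPLE_UNMATCHED)
    for key, value in breakdown.items():
        print(f"{key}: {value}")
```

With the sample input the unmatched penalty would be 36 points uncapped, so the cap kicks in and the result is 100 − 24 − 10 − 30 = 36; the `unmatched_capped` flag tells the reader the cap was hit, which is useful context on a noisy page where most of the third-party domains are simply uncatalogued.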
When you view a report, the score card shows the full breakdown so you can see exactly how each component contributed.
6. What we don't do
- We don’t determine GDPR or DSA compliance.
- We don’t click consent banners or accept cookies on your behalf.
- We don’t crawl the entire site (only the front page + one internal link).
- We don’t log in to authenticated areas.
- We don’t store IP addresses in plaintext; they are salted-hashed daily.
7. Limitations
Conditional and consent-gated scripts are the biggest blind spot. Many ad and tracking scripts only load after a user accepts a consent banner. Because we don’t click the banner, we will underestimate trackers on sites that use a strict consent gate.
Geographic bias also matters: some vendors serve different scripts based on the visitor’s country. We currently scan from a European IP, so results approximate what European visitors see.
The methodology evolves as we improve coverage. If you find a wrong classification, please let us know.