Data privacy

PII leak detector

Enter the full page URL you want to scan. We'll load it in a real browser and analyze it live.

Browser session capture

The tool opens the page in a headless Chromium session and records the cookies, requests, tags, and dataLayer activity visible during that run.

Scoped rule set

Each tool applies a narrow ruleset to the captured session. It is useful for implementation QA, not a full-site crawl or legal determination.

Point-in-time report

Results show what was observed in that session, with severity labels and evidence. Re-run after changes or if your site varies by region or user state.

What we check

Emails in URLs

Scans page URLs, query parameters, and form action URLs for email addresses sent to analytics.

Phone numbers in payloads

Detects phone numbers in tracking payloads, custom dimensions, and event parameters.

IP addresses in custom dims

Finds raw IP addresses being sent as custom dimension values to GA4 or other platforms.

SSN and ID patterns

Pattern-matches for social security numbers, national IDs, and other sensitive identifiers.

How to read results

PII findings are the most severe. Google will delete your entire GA4 property if PII is detected in your data streams.

Critical = PII actively leaking to third-party servers. Fix immediately.

Warning = Potential PII pattern detected. Manual review needed.

Pass = No PII found in this check.

Common issues we find

Email in form action URLs sent to GA4

Login or signup forms include the email in the URL path, which GA4 captures as a page_view. Fix: use POST instead of GET for auth forms.

Phone numbers in custom dimensions

Developers pass raw phone numbers as event parameters for lead tracking. Fix: hash or remove PII before sending to GA4.

Login URLs containing user email

URLs like /login?email=user@company.com get sent as page_location. Fix: strip query params with GTM before the pageview fires.
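A sketch of the URL-stripping fix described above, written as an added example and not the tool's own code: it removes PII-bearing query parameters and redacts emails in path segments before the URL is used as page_location. The function names, the parameter denylist, and the patterns are assumptions to tune for your site.

```javascript
// Added example: sanitize a URL before it is sent as page_location.
// The denylist and patterns are illustrative assumptions, not a complete rule set.
const PII_PARAM_NAMES = new Set(["email", "e-mail", "mail", "phone", "tel", "ssn"]);
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;
// Deliberately loose: also strips long numeric IDs, which errs on the safe side.
const PHONE_RE = /^\+?[\d\s().-]{7,}$/;

function safeDecode(text) {
  // Malformed percent-encoding throws; fall back to the raw text.
  try { return decodeURIComponent(text); } catch (e) { return text; }
}

function looksLikePii(value) {
  const digits = (value.match(/\d/g) || []).length;
  return EMAIL_RE.test(value) || (PHONE_RE.test(value) && digits >= 7);
}

function sanitizePageLocation(rawUrl) {
  const url = new URL(rawUrl);
  const removed = [];

  // Query string: drop a parameter if its name is denylisted or its
  // (already decoded) value looks like an email or phone number.
  for (const [name, value] of Array.from(url.searchParams.entries())) {
    if (PII_PARAM_NAMES.has(name.toLowerCase()) || looksLikePii(value)) {
      url.searchParams.delete(name);
      removed.push(name);
    }
  }

  // Path: redact any segment that contains an email, including the
  // percent-encoded form (user%40company.com).
  url.pathname = url.pathname.split("/").map((segment) => {
    if (EMAIL_RE.test(safeDecode(segment))) {
      removed.push("(path)");
      return "REDACTED";
    }
    return segment;
  }).join("/");

  // Fragment: drop it entirely if it carries an email.
  if (EMAIL_RE.test(safeDecode(url.hash))) {
    url.hash = "";
    removed.push("(hash)");
  }
  return { url: url.href, removed: removed };
}
```

The `removed` list is useful during QA: log it in a staging build to see which pages still put PII in the URL, then fix those at the source (for example by switching the form to POST).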