What does your site actually do?
Upload a HAR file. Get a structured report: tracker inventory, third-party domain map, CDP payload analysis with raw and hashed PII detection, CMP identification and load order, GPC response, consent enforcement gaps. With regulatory citations and audit questions generated from your specific stack.
Set up your browser first
chrome://extensions.- Chrome Incognito mode open
- All extensions disabled except GPC
- GPC plugin active and confirmed
- Not logged into your own site
- Fresh tab. No prior visits this session
- Brave capture planned (optional)
Capture your site's network traffic
A HAR file captures full request contents. Auth tokens, session cookies, API keys, and form data. Opening it in an AI tool or cloud service sends that data to infrastructure you don't control. That's the same category of exposure this tool detects on your site.
This tool processes everything locally in your browser. Nothing is transmitted anywhere. Verify by opening DevTools while using this tool. No outbound requests from your file.
✓ Local processing only. File never leaves your browserRecommended: Firefox. Firefox exports complete HAR files including full response bodies and all cookie data without modification. Chrome may omit response bodies and offers a sanitize option that removes data the analysis needs. Instructions below are for Firefox. Chrome steps follow.
Firefox (recommended)- Open a new Private Window in Firefox (
Ctrl+Shift+P/Cmd+Shift+P) - Press
F12to open DevTools → click the Network tab - Navigate to the page you want to audit
- Once loaded, right-click anywhere in the Network panel → Save All As HAR
- Save the file, then open it below
- Open an Incognito window in Chrome (
Ctrl+Shift+N/Cmd+Shift+N) - Press
F12→ click the Network tab - Navigate to the page you want to audit
- Right-click in the Network panel → Save all as HAR with content
- Important: if Chrome asks about sanitizing, choose the unsanitized option for complete analysis
Was GPC active during capture?
Global Privacy Control tells sites "do not sell or share my data." Under CPRA § 1798.135(b) and CCPA Regulations § 7025, California businesses must honor it. The California Attorney General's August 2022 settlement with Sephora ($1.2 million) explicitly named GPC non-compliance as the CCPA violation.
Help us calibrate regulatory framing
HARstack uses your answers to show which privacy laws are likely to apply to your situation. ECPA applies to all websites regardless of size. State comprehensive privacy laws have applicability thresholds based on revenue and the number of consumers whose data you process. IAPP US State Privacy Legislation Tracker
These answers stay in your browser and are never transmitted. Skip this step to see full regulatory framing regardless of threshold.
Run the audit
Your audit report
A finding warrants investigation. No findings does not mean compliant. Surface-level audit. One page. One session.
Ready to audit
Complete the steps on the left and open your HAR file. Your audit report appears here.