Back to Home

ImmuniWeb® Privacy Test

Our A+ Rating – What does it mean and how did we get it?

ImmuniWeb Privacy Test A+

1. ImmuniWeb® – what is it and why does it matter?

ImmuniWeb is a Swiss cybersecurity company operating a free, no-registration test suite called ImmuniWeb® Community Edition since 2019. The suite has run over 380 million tests and performs over 100,000 tests daily. ImmuniWeb's data is also used in Verizon's globally definitive annual Data Breach Investigations Report (DBIR), which indicates the tool's professional recognition.

The Community Edition includes seven different tests covering web applications, SSL/TLS configuration, email security, mobile apps, and Dark Web exposure. The most relevant for us is the Website Privacy Test, which also introduced a PDF certificate and digital badge program in April 2025: anyone achieving an A grade (or higher) can download a document verifying the result.

The ImmuniWeb Privacy Test approaches web privacy from a unique perspective: it doesn't measure what we do on the server (like SSL Labs or the MDN Observatory), but what the site reveals about itself from the user's browser perspective – and, crucially, to whom. Tracking pixels, third-party cookies, external JavaScript files, XHR requests, iframes: these are all mechanisms through which data about user behavior can leak to third-party servers – often without the user's knowledge and in violation of the GDPR.

2. What does the ImmuniWeb® Privacy Test examine?

The tool covers five main testing areas, each targeting a different privacy risk:

2.1. Privacy policy check

The tool checks whether a privacy policy is available on the site and if it is easy to find. This is a fundamental requirement of the information obligation under Articles 13 and 14 of the GDPR: the user has the right to know what data the data controller processes, for what purpose, and on what legal basis.

2.2. Tracking technologies detection

This is one of the most distinguishing features of the ImmuniWeb Privacy Test compared to other tools. The tool loads the page dynamically (like a real browser) and observes what requests are sent to third-party servers. The examined elements:

2.3. Privacy-violating practices detection

The tool identifies page elements that – even without the website operator's knowledge – transmit data to external servers. According to Article 25 of the GDPR (Privacy by Design and Privacy by Default), these are always the operator's responsibility.

2.4. Cookies and external content analysis

The tool provides a detailed picture of all external domain connections appearing on the page, categorizing them by whether they load an image, JavaScript file, CSS, font, media file, or cookie. Every external domain means a 1-point deduction – this encourages operators to serve resources from their own servers as much as possible, reducing external dependencies.

This aspect is particularly important for privacy-focused operations: a typical commercial website "phones home" to dozens of external domains during a single page load – Google Fonts, Google Analytics, Facebook Pixel, CDNs, chat widgets. Each of these represents a potential privacy risk.

2.5. Protection against data collection analysis

The tool also examines the site's encryption status: if the site is available over HTTP (unencrypted), this alone means a 50-point deduction, since without HTTPS, all communication between the user and the site can be intercepted – including entered data.

3. The scoring system

The ImmuniWeb Privacy Test starts with a base score of 100 points, with points added or deducted depending on the results of the examined elements. A final score of over 100 points is required for an A+ grade, which means not only avoiding all penalty points but also acquiring the bonus points (e.g., the +10 points for having a privacy policy).

3.1. Grades

Score Grade
Over 100A+
90–99A
80–89A−
70–79B+
60–69B
50–59B−
35–49C+
20–34C
Under 20F

3.2. Privacy scoring details

Examined element Point impact
Privacy policy on page+10
Page available over HTTP (unencrypted)−50
HTTP available, but no HTTPS redirect−40
Third-party cookies, and no cookie-consent banner−25
Each tracking pixel (Meta, Google, etc.)−20
Tracker placed in browser Local Storage−20
Each third-party cookie with a lifespan > 3 months−5
Each third-party domain sending an XHR request−2
Each third-party domain placing an iframe−2
Each third-party domain sending data via web forms−2
Each third-party domain placing a cookie−1
Each third-party domain loading an image−1
Each third-party domain loading a JavaScript file−1
Each third-party domain loading a CSS file−1
Each third-party domain loading a media file−1
Each third-party domain loading a font−1

Important characteristic: The ImmuniWeb Privacy Test scoring is cumulative and proportional. There is no single element that alone takes away the possibility of an A+ – the final result depends on the sum of all negative factors. This means that someone who operates with truly zero third-party connections, no tracking technologies, and a valid privacy policy can reach 110 points, as the +10 bonus is awarded for having a privacy policy.

4. How do websites generally perform?

The market picture in this regard is concerning. Several large-scale studies and ImmuniWeb's own statistics consistently show that the vast majority of websites fall far below the expected privacy level:

These data show that an A+ ImmuniWeb Privacy Test result is not merely a matter of technical configuration, but the result of a fundamentally different operational approach: a series of decisions questioning the necessity of every single external resource, every third-party connection, and every cookie from a user privacy perspective.

5. What does our A+ rating mean?

The A+ result verifies that our website meets the strictest privacy expectations from the perspective of the user's browser – which is the most real, most objective viewpoint. Specifically, this means the following conditions:

At the time of the test (June 6, 2026, 22:08 GMT+2), ImmuniWeb localized our server to Germany (IP: 178.105.168.4), which is consistent with our Hetzner VPS placement in Nuremberg. This in itself is an important fact for GDPR compliance: data processing and data storage within the EU is a fundamental requirement for the protection of European users, and the server location measured by ImmuniWeb confirms this.

6. Why is this rating special alongside the others?

Our four achieved ratings – the MDN Observatory's 130/100 A+, SSL Labs' A+, Internet.nl's 100%, and the ImmuniWeb Privacy Test's A+ – cover different, complementary dimensions. None can replace the other:

This last dimension is perhaps the one most valued by knowledgeable users and privacy professionals: it is not enough for the server to be well-configured if the site itself is full of invisible tracking pixels, third-party analytics, and data sent to targeted ad networks. The ImmuniWeb A+ proves that this site truly does what a privacy-focused website promises: it does not sell its users.

7. The limitations of the ImmuniWeb Privacy Test

For the sake of objectivity, it is important to point out that the ImmuniWeb Privacy Test is an automated, one-time snapshot with its own limitations:

These limitations do not diminish the value of the result – in the technical layer, the ImmuniWeb Privacy Test is one of the most reliable and comprehensive tools for measuring the actual state of user privacy. The A+ grade verifies that the technical implementation operates with the smallest possible privacy footprint.

8. Summary

The ImmuniWeb® Privacy Test is the most comprehensive, freely available testing tool for a website's privacy implementation: it dynamically analyzes what data leaks from users' browsers to third parties through tracking pixels, cookies, XHR requests, and external resource loads.

Our A+ rating – achieved on the test run on June 6, 2026, for our site hosted in Nuremberg (Hetzner, Germany) – verifies that:

Our four achieved ratings together – MDN Observatory, Qualys SSL Labs, Internet.nl, and ImmuniWeb® Privacy Test – provide the most comprehensive, independent technical verification available that our website and infrastructure meet the strictest security and privacy expectations in every measurable dimension.

Source: ImmuniWeb® Community Edition – immuniweb.com/privacy · Scoring methodology: immuniweb.com/privacy/scoring
Test date: June 6, 2026, 22:08 GMT+2 · Server IP: 178.105.168.4 · Location: Germany (Hetzner, Nuremberg)