ImmuniWeb® Privacy Test
Our A+ Rating – What does it mean and how did we get it?
Table of Contents
- 1. ImmuniWeb® – what is it and why does it matter?
- 2. What does the ImmuniWeb® Privacy Test examine?
- 3. The scoring system
- 4. How do websites generally perform?
- 5. What does our A+ rating mean?
- 6. Why is this rating special alongside the others?
- 7. The limitations of the ImmuniWeb Privacy Test
- 8. Summary
1. ImmuniWeb® – what is it and why does it matter?
ImmuniWeb is a Swiss cybersecurity company operating a free, no-registration test suite called ImmuniWeb® Community Edition since 2019. The suite has run over 380 million tests and performs over 100,000 tests daily. ImmuniWeb's data is also used in Verizon's globally definitive annual Data Breach Investigations Report (DBIR), which indicates the tool's professional recognition.
The Community Edition includes seven different tests covering web applications, SSL/TLS configuration, email security, mobile apps, and Dark Web exposure. The most relevant for us is the Website Privacy Test, which also introduced a PDF certificate and digital badge program in April 2025: anyone achieving an A grade (or higher) can download a document verifying the result.
The ImmuniWeb Privacy Test approaches web privacy from a unique perspective: it doesn't measure what we do on the server (like SSL Labs or the MDN Observatory), but what the site reveals about itself from the user's browser perspective – and, crucially, to whom. Tracking pixels, third-party cookies, external JavaScript files, XHR requests, iframes: these are all mechanisms through which data about user behavior can leak to third-party servers – often without the user's knowledge and in violation of the GDPR.
2. What does the ImmuniWeb® Privacy Test examine?
The tool covers five main testing areas, each targeting a different privacy risk:
2.1. Privacy policy check
The tool checks whether a privacy policy is available on the site and if it is easy to find. This is a fundamental requirement of the information obligation under Articles 13 and 14 of the GDPR: the user has the right to know what data the data controller processes, for what purpose, and on what legal basis.
2.2. Tracking technologies detection
This is one of the most distinguishing features of the ImmuniWeb Privacy Test compared to other tools. The tool loads the page dynamically (like a real browser) and observes what requests are sent to third-party servers. The examined elements:
- Tracking pixels: single-pixel, invisible images used by advertising and analytics providers (Google, Meta, TikTok, etc.) to record user browsing behavior. Every single such pixel deducts 20 points from the score.
- Local Storage trackers: identifiers placed in the browser's Local Storage that persist even after cookies are cleared. This is a particularly aggressive tracking method because it bypasses traditional cookie-clearing defenses.
- Third-party cookies: cookies placed by external domains, especially those with a lifespan longer than 3 months, enabling persistent user identification.
2.3. Privacy-violating practices detection
The tool identifies page elements that – even without the website operator's knowledge – transmit data to external servers. According to Article 25 of the GDPR (Privacy by Design and Privacy by Default), these are always the operator's responsibility.
- Data transmission via web forms: if data entered by the user into a form (e.g., name, e-mail address) goes to a third-party server.
- XHR (XMLHttpRequest) requests: background requests sent to external domains by the page's JavaScript code, which may contain user data.
- Iframes: embedded windows loading external content, which can bring their own cookies and tracking elements.
2.4. Cookies and external content analysis
The tool provides a detailed picture of all external domain connections appearing on the page, categorizing them by whether they load an image, JavaScript file, CSS, font, media file, or cookie. Every external domain means a 1-point deduction – this encourages operators to serve resources from their own servers as much as possible, reducing external dependencies.
This aspect is particularly important for privacy-focused operations: a typical commercial website "phones home" to dozens of external domains during a single page load – Google Fonts, Google Analytics, Facebook Pixel, CDNs, chat widgets. Each of these represents a potential privacy risk.
2.5. Protection against data collection analysis
The tool also examines the site's encryption status: if the site is available over HTTP (unencrypted), this alone means a 50-point deduction, since without HTTPS, all communication between the user and the site can be intercepted – including entered data.
3. The scoring system
The ImmuniWeb Privacy Test starts with a base score of 100 points, with points added or deducted depending on the results of the examined elements. A final score of over 100 points is required for an A+ grade, which means not only avoiding all penalty points but also acquiring the bonus points (e.g., the +10 points for having a privacy policy).
3.1. Grades
| Score | Grade |
|---|---|
| Over 100 | A+ |
| 90–99 | A |
| 80–89 | A− |
| 70–79 | B+ |
| 60–69 | B |
| 50–59 | B− |
| 35–49 | C+ |
| 20–34 | C |
| Under 20 | F |
3.2. Privacy scoring details
| Examined element | Point impact |
|---|---|
| Privacy policy on page | +10 |
| Page available over HTTP (unencrypted) | −50 |
| HTTP available, but no HTTPS redirect | −40 |
| Third-party cookies, and no cookie-consent banner | −25 |
| Each tracking pixel (Meta, Google, etc.) | −20 |
| Tracker placed in browser Local Storage | −20 |
| Each third-party cookie with a lifespan > 3 months | −5 |
| Each third-party domain sending an XHR request | −2 |
| Each third-party domain placing an iframe | −2 |
| Each third-party domain sending data via web forms | −2 |
| Each third-party domain placing a cookie | −1 |
| Each third-party domain loading an image | −1 |
| Each third-party domain loading a JavaScript file | −1 |
| Each third-party domain loading a CSS file | −1 |
| Each third-party domain loading a media file | −1 |
| Each third-party domain loading a font | −1 |
Important characteristic: The ImmuniWeb Privacy Test scoring is cumulative and proportional. There is no single element that alone takes away the possibility of an A+ – the final result depends on the sum of all negative factors. This means that someone who operates with truly zero third-party connections, no tracking technologies, and a valid privacy policy can reach 110 points, as the +10 bonus is awarded for having a privacy policy.
4. How do websites generally perform?
The market picture in this regard is concerning. Several large-scale studies and ImmuniWeb's own statistics consistently show that the vast majority of websites fall far below the expected privacy level:
- 68.4% of websites have a privacy policy, but only 18.41% have a cookie-consent banner according to ImmuniWeb's 2024 measurements – meaning more than four-fifths of sites place tracking cookies without user consent.
- According to a 2024 study analyzing 1 million websites, nearly half of websites (47%) use the Meta pixel, and 12% use the TikTok pixel. Cookies are activated on loading for 98.5% of the sites – and 98% of these load before the cookie-consent banner appears.
- 43% of tracking cookies are activated even if the user presses the "Reject" button on the banner – meaning the technical implementation falls short of the legal intent.
- The rate of GDPR-violating pixel-based tracking is extremely high in Europe as well: according to a 2024 study examining one million websites, 44.2% of pages on .de domains, 66.4% on .fr domains, and 75.2% on .nl domains used pixels without valid GDPR consent.
- According to ImmuniWeb's own data, the vast majority of sites examined by the Privacy Test receive a B or lower grade. An A+ is exceedingly rare – achieved only by those who consciously designed their site based on the zero-third-party principle.
These data show that an A+ ImmuniWeb Privacy Test result is not merely a matter of technical configuration, but the result of a fundamentally different operational approach: a series of decisions questioning the necessity of every single external resource, every third-party connection, and every cookie from a user privacy perspective.
5. What does our A+ rating mean?
The A+ result verifies that our website meets the strictest privacy expectations from the perspective of the user's browser – which is the most real, most objective viewpoint. Specifically, this means the following conditions:
- Zero tracking pixels: no Google, Meta, TikTok, or other advertising or analytics tracking pixels are placed on the site. No data regarding user browsing behavior enters external advertising systems.
- Zero third-party cookies: cookies placed on the site are strictly necessary for operation and originate only from our own domain. There are no long-lifespan tracking cookies or identifiers placed by external companies.
- Zero Local Storage trackers: the browser's Local Storage does not contain identifiers serving tracking purposes.
- Minimal or zero external domain connections: the site's resources (JavaScript, CSS, fonts, images) are served from our own server. We do not load Google Fonts or link to external CDNs that log the user's IP address.
- Exclusively available via HTTPS: the site is not available over HTTP, thus the fundamental -50 penalty points do not even apply to the site.
- Valid, accessible privacy policy: the site is also entitled to the +10 bonus points, which is necessary for a true A+ result above 100 points.
- No XHR-based data leakage: the site's JavaScript code does not send user data to external servers without the user's knowledge and consent.
At the time of the test (June 6, 2026, 22:08 GMT+2), ImmuniWeb localized our server to Germany (IP: 178.105.168.4), which is consistent with our Hetzner VPS placement in Nuremberg. This in itself is an important fact for GDPR compliance: data processing and data storage within the EU is a fundamental requirement for the protection of European users, and the server location measured by ImmuniWeb confirms this.
6. Why is this rating special alongside the others?
Our four achieved ratings – the MDN Observatory's 130/100 A+, SSL Labs' A+, Internet.nl's 100%, and the ImmuniWeb Privacy Test's A+ – cover different, complementary dimensions. None can replace the other:
- MDN Observatory: measures the configuration of the server's HTTP response headers – what the server tells the browser about how it should behave.
- SSL Labs: measures the cryptographic quality of TLS encryption – how strong and modern the data channel through which communication flows is.
- Internet.nl: measures the infrastructure as a whole – IPv6, DNSSEC, DANE, RPKI, i.e., the entire layer stack of the server's internet connection.
- ImmuniWeb Privacy Test: measures the site from the perspective of the user's browser – what the user sees and experiences, what data goes to third parties, and what tracking technologies are present.
This last dimension is perhaps the one most valued by knowledgeable users and privacy professionals: it is not enough for the server to be well-configured if the site itself is full of invisible tracking pixels, third-party analytics, and data sent to targeted ad networks. The ImmuniWeb A+ proves that this site truly does what a privacy-focused website promises: it does not sell its users.
7. The limitations of the ImmuniWeb Privacy Test
For the sake of objectivity, it is important to point out that the ImmuniWeb Privacy Test is an automated, one-time snapshot with its own limitations:
- Static analysis: the tool examines the landing page and the resources directly connected to it. It does not extend to post-login content, dynamically loaded elements, and the examination of other pages.
- Not a legal audit: the A+ grade does not substitute for a legal due diligence of GDPR compliance. Privacy regulations contain many requirements (data processing agreements, data protection impact assessments, handling of data subject rights) that cannot be measured automatically.
- Does not examine back-end data processing: it only sees what is visible from the user's browser. The handling of data stored on the server, the retention period of logs, and data processing agreements with third parties all fall outside the scope of the test.
These limitations do not diminish the value of the result – in the technical layer, the ImmuniWeb Privacy Test is one of the most reliable and comprehensive tools for measuring the actual state of user privacy. The A+ grade verifies that the technical implementation operates with the smallest possible privacy footprint.
8. Summary
The ImmuniWeb® Privacy Test is the most comprehensive, freely available testing tool for a website's privacy implementation: it dynamically analyzes what data leaks from users' browsers to third parties through tracking pixels, cookies, XHR requests, and external resource loads.
Our A+ rating – achieved on the test run on June 6, 2026, for our site hosted in Nuremberg (Hetzner, Germany) – verifies that:
- not a single tracking pixel can be found on the site;
- no third-party cookies are placed in the users' browsers;
- the site's resources are served from our own server, without using external CDN and analytics services;
- data processing takes place exclusively on an infrastructure located within the EU, in Germany;
- and the site truly provides what a privacy-focused service promises: zero third-party data collection, zero user profiling, and zero data transmission for advertising purposes.
Our four achieved ratings together – MDN Observatory, Qualys SSL Labs, Internet.nl, and ImmuniWeb® Privacy Test – provide the most comprehensive, independent technical verification available that our website and infrastructure meet the strictest security and privacy expectations in every measurable dimension.
Source: ImmuniWeb® Community Edition – immuniweb.com/privacy · Scoring methodology: immuniweb.com/privacy/scoring
Test date: June 6, 2026, 22:08 GMT+2 · Server IP: 178.105.168.4 · Location: Germany (Hetzner, Nuremberg)