Grubhub

grubhub.com

Compare

https://grubhub.com

Scanned Apr 15, 2026 · 39.4s

Your website score is

0/100
Critical

Grade

F0

Banner

Yes

Regulatory Compliance

Multi-regulation overview — click any regulation for details

Technical scan only. A passing score does not equal legal compliance. Consult qualified legal counsel for your jurisdiction.

Tag Leak detected 171 user data leaks before consent on grubhub.com, including DataDog (Analytics Tracker), Tealium (Tracker Tracker), Braze and 41 more.

Security Headers

4/6 present

Strict-Transport-Security

max-age=31536000

Content-Security-Policy

frame-ancestors 'self' default-src 'self' *.grubhub.com grubhub.com *.dine.online *.datadog.hq cdn.contentful.com *.forter.com maps.googleapis.com six.cdn-net.com www.cdn-net.com pinpad.paysecure.acculynk.net; frame-src 'self' *.grubhub.com grubhub.com api.braintree.com *.braintreegateway.com *.braintree-api.com braintreegateway.com apay-us.amazon.com analytics.tiktok.com analytics.twitter.com analytics.churnzero.com apps.rokt.com apps.rokt-api.com apps-demo.rokt.com everestjs.net *.doubleclick.net accounts.google.com checkout.paypal.com googletagmanager.com www.googletagmanager.com insight.adsrvr.org match.adsrvr.org na.account.amazon.com prod.accdab.net six.cdn-net.com www.cdn-net.com https://*.js.stripe.com https://js.stripe.com https://hooks.stripe.com *.amazon-adsystem.com *.facebook.com *.kroger.com *.ispot.tv *.w55c.net; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: *.payments-amazon.com *.tags.tiqcdn.com redditstatic.com js.adsrvr.org *.grubhub.com grubhub.com api.braintree.com *.braintreegateway.com *.braintree-api.com braintreegateway.com apay-us.amazon.com *.forter.com *.rokt.com *.rokt-api.com *.cookielaw.org *.everestjs.net six.cdn-net.com www.cdn-net.com https://cdn.prod.uidapi.com https://*.js.stripe.com https://js.stripe.com https://maps.googleapis.com; script-src-elem 'self' 'unsafe-inline' *.grubhub.com grubhub.com api.braintree.com *.braintreegateway.com *.braintree-api.com braintreegateway.com apay-us.amazon.com analytics.churnzero.net analytics.tiktok.com analytics.twitter.com tags.tiqcdn.com www.google-analytics.com google-analytics.com *.forter.com *.cookielaw.org *.payments-amazon.com platform.twitter.com static.ads-twitter.com www.googletagmanager.com *.cdn-net.com apps.rokt.com apps.rokt-api.com apps-demo.rokt.com maps.googleapis.com cdn.branch.io www.googleadservices.com *.mountain.com app.link googleads.g.doubleclick.net connect.facebook.net assets.loginwithamazon.com accounts.google.com apis.google.com analytics.tiktok.com c.amazon-adsystem.com google-analytics.com google.com googleads.g.doubleclick.net googleadservices.com googletagmanager.com gstatic.com prod.accdab.net redditstatic.com s.pinimg.com everestjs.net d.impactradius-event.com tag.havasedge.com pixel.mathtag.com www.gstatic.com bat.bing.com px.airpr.com www.redditstatic.com js.adsrvr.org ext.chtbl.com www.google.com collector-21091.us.tvsquared.com innovid.com www.everestjs.net six.cdn-net.com www.cdn-net.com https://*.js.stripe.com https://js.stripe.com https://maps.googleapis.com analytics.tiktok.com bat.bing.com connect.facebook.net js.adsrvr.org sc-static.net www.redditstatic.com c.amazon-adsystem.com googleads.g.doubleclick.net platform.twitter.com; img-src 'self' *.cloudinary.com *.grubhub.com grubhub.com *.cloudfront.net *.instacart.com *.pinterest.com *.cookielaw.org cm.everesttech.net t.co www.google-analytics.com google-analytics.com analytics.twitter.com *.doubleclick.net maps.gstatic.com *.googleapis.com www.google.com data: www.facebook.com trkn.us event.havasedge.com grubhubimages-dev.s3.amazonaws.com tags.w55c.net data.adxcel-ec2.com b.videoamp.com ext.chtbl.com bat.bing.com px.airpr.com redditstatic.com js.adsrvr.org adservice.google.com alb.reddit.com b.videoamp.com www.googletagmanager.com insight.adsrvr.org s3.amazonaws.com collector-21091.us.tvsquared.com innovid.com analytics.tiktok.com pt.ispot.tv; style-src-elem 'self' 'unsafe-inline' *.grubhub.com grubhub.com fonts.googleapis.com accounts.google.com pixel.mathtag.com; style-src 'self' 'unsafe-inline' *.grubhub.com grubhub.com fonts.googleapis.com six.cdn-net.com www.cdn-net.com; font-src 'self' 'unsafe-inline' *.grubhub.com grubhub.com fonts.gstatic.com static.rakuten.com; connect-src 'self' *.grubhub.com grubhub.com browser-intake-datadoghq.com *.px-cloud.net preview.connectful.com *.braze.com *.google-analytics.com www.google.com google.com google-analytics.com *.rokt.com *.rokt-api.com *.cookielaw.org *.forter.com wss://cdn0.forter.com analytics.tiktok.com geolocation.onetrust.com preview.contentful.com stats.g.doubleclick.net privacyportal.onetrust.com *.googleapis.com sentry.io api2.branch.io *.facebook.com facebook.com bat.bing.com api.braintree.com *.braintreegateway.com *.braintree-api.com braintreegateway.com apay-us.amazon.com www.gstatic.com maps.gstatic.com data: cdn.contentful.com collect.tealiumiq.com b.px-cdn.net 44.238.122.172 100.20.58.101 35.85.84.151 44.228.85.26 34.215.155.61 35.160.46.251 52.71.121.170 18.210.229.244 44.212.189.233 3.212.39.155 52.22.50.55 54.156.2.105 prod.accdab.net trkn.us seamless.dcm9zy.net s3.amazonaws.com conversions-config.reddit.com pixel-config.reddit.com www.redditstatic.com web.chtbl.com grubhub.vdcy.net insight.adsrvr.org collector-21091.us.tvsquared.com innovid.com six.cdn-net.com www.cdn-net.com https://*.prod.uidapi.com https://prod.uidapi.com https://api.stripe.com https://maps.googleapis.com https://pinpad.paysecure.acculynk.net *.devcycle.com siteperformancetest.net *.doubleclick.net *.cloudfront.net ad.doubleclick.net;

X-Frame-Options

SAMEORIGIN

X-Content-Type-Options

nosniff

Referrer-Policy

Set a Referrer-Policy header to control how much referrer information is shared

Permissions-Policy

Add a Permissions-Policy header to restrict browser features like camera, microphone, and geolocation

Google Consent Mode

Not Detected

Google Consent Mode v2 was not found on this page. GCM v2 allows Google's tags to adjust their behavior based on user consent, and is required for compliant advertising measurement in the EU. Without it, your Google Ads and GA4 conversions may be impacted after consent is declined.

Post-Rejection Audit

Reject Button

Found

Post-Rejection Fires

2 vendors

Consent Mode

Basic

GTM Load

Not detected

Consent Mode V2: Basic

Basic Consent Mode — anonymised pings still fire after rejection. Permitted by Google but legally contested under PECR.

Vendors firing after rejection (2)

VendorCategoryTimingURL
Google — GA4Basic CM ping21971msregion1.google-analytics.com
TikTok — TikTok Pixeladvertising25004msanalytics.tiktok.com

Consent Record Audit

Issues detected

Consent record stored after interaction

GDPR Art. 7(1)

Found: OptanonConsent (OneTrust)

Record contains timestamp

Art. 7(1)

Timestamp field detected

Record contains consent state

Art. 7(1)

Accept/reject state detected

Record contains consent categories

Art. 7(1)

Consent categories (analytics, marketing, etc.) not found in record

Consent withdrawal mechanism accessible

GDPR Art. 7(3)

No way for users to withdraw consent found on page

No cookie settings link, footer link, or floating consent button was detected. GDPR requires users to withdraw consent as easily as they gave it.

Why this matters

Under GDPR Article 7, controllers must be able to demonstrate that consent was given (Art. 7(1)) and ensure users can withdraw consent at any time, as easily as giving it (Art. 7(3)). Sites with no consent record or no withdrawal mechanism cannot legally rely on consent as a lawful basis.

Tracker categories detected

Advertising24 vendors
Analytics7 vendors
Marketing10 vendors
Security2
Functional3 vendors
Critical80
TikTok Pixel
TikTok Pixel6 findingsID tracked

analytics.tiktok.com, _ttp, _tt_enable_cookie, tt_sessionId, tt_appInfo, tt_pixel_session_index

TikTok Pixel
criticalNetworkAdvertisingTikTok Pixel

TikTok Pixel (TikTok) loaded before consent: Sends event data to TikTok for ad measurement

ID: C3NJIPVB3D4L4OG53C80Host: analytics.tiktok.comFired: 4309ms after load
TikTok Pixel
criticalCookieAdvertisingTikTok Pixel

TikTok Pixel cookie "_ttp" set before consent

Cookie: _ttpDomain: .tiktok.com
TikTok Pixel
criticalCookieAdvertisingTikTok Pixel

TikTok Pixel cookie "_tt_enable_cookie" set before consent

Cookie: _tt_enable_cookieDomain: .grubhub.com
TikTok Pixel
criticalStorageAdvertisingTikTok Pixel

TikTok Pixel (TikTok) wrote "tt_sessionId" to sessionStorage before consent

Key: tt_sessionIdType: sessionStorageFired: 5481ms after load
TikTok Pixel
criticalStorageAdvertisingTikTok Pixel

TikTok Pixel (TikTok) wrote "tt_appInfo" to sessionStorage before consent

Key: tt_appInfoType: sessionStorageFired: 5493ms after load
TikTok Pixel
criticalStorageAdvertisingTikTok Pixel

TikTok Pixel (TikTok) wrote "tt_pixel_session_index" to sessionStorage before consent

Key: tt_pixel_session_indexType: sessionStorageFired: 5497ms after load
Pinterest Tag
criticalNetworkAdvertisingPinterest Tag

Pinterest Tag (Pinterest) loaded before consent: Pinterest conversion tracking

ID: 2620392384749Host: ct.pinterest.comFired: 4314ms after load
Twitter/X Pixel
Twitter/X Pixel2 findingsID tracked

t.co, static.ads-twitter.com

Twitter/X Pixel
criticalNetworkAdvertisingTwitter/X Pixel

Twitter/X Pixel (X (Twitter)) loaded before consent: Twitter/X ad conversion tracking endpoint

ID: twHost: t.coFired: 4779ms after load
Twitter/X Pixel
criticalNetworkAdvertisingTwitter/X Pixel

Twitter/X Pixel (X (Twitter)) loaded before consent: Loads Twitter/X conversion tracking script

Host: static.ads-twitter.comFired: 4398ms after load
Meta Pixel
Meta Pixel3 findingsID tracked

www.facebook.com, connect.facebook.net, _fbp

Meta Pixel
criticalNetworkAdvertisingMeta Pixel

Meta Pixel (Meta) loaded before consent: Meta Pixel tracking endpoint

ID: 1603408326647297Host: www.facebook.comFired: 5108ms after load
Meta Pixel
criticalNetworkAdvertisingMeta Pixel

Meta Pixel (Meta) loaded before consent: Sends user data to Meta for ad targeting and conversion tracking

Host: connect.facebook.netFired: 4305ms after load
Meta Pixel
criticalCookieAdvertisingMeta Pixel

Meta Pixel cookie "_fbp" set before consent

Cookie: _fbpDomain: .grubhub.com
Google Analytics
Google Analytics7 findingsID tracked

region1.google-analytics.com, www.google-analytics.com, www.googletagmanager.com, _ga, _gid, _gat_teal_grubhublabs_UniversalproductionStandard, _ga_S9CDL49TEQ

GA4
criticalNetworkAnalyticsGA4

GA4 (Google) loaded before consent: Sends pageview and event data to Google Analytics

ID: G-S9CDL49TEQHost: region1.google-analytics.comFired: 7396ms after load
GA4
criticalNetworkAnalyticsGA4

GA4 (Google) loaded before consent: Sends pageview and event data to Google Analytics

Host: www.google-analytics.comFired: 4305ms after load
GA4
criticalNetworkAnalyticsGA4

GA4 (Google) loaded before consent: Google Analytics gtag.js library

Host: www.googletagmanager.comFired: 4309ms after load
Google Analytics
criticalCookieAnalyticsGoogle Analytics

Google Analytics cookie "_ga" set before consent

Cookie: _gaDomain: .www.grubhub.com
Google Analytics
criticalCookieAnalyticsGoogle Analytics

Google Analytics cookie "_gid" set before consent

Cookie: _gidDomain: .www.grubhub.com
Google Analytics
criticalCookieAnalyticsGoogle Analytics

Google Analytics cookie "_gat_teal_grubhublabs_UniversalproductionStandard" set before consent

Cookie: _gat_teal_grubhublabs_UniversalproductionStandardDomain: .www.grubhub.com
Google Analytics
criticalCookieAnalyticsGoogle Analytics

Google Analytics cookie "_ga_S9CDL49TEQ" set before consent

Cookie: _ga_S9CDL49TEQDomain: .grubhub.com
DataDog (Analytics Tracker)
criticalNetworkAnalyticsDataDog (Analytics Tracker)

DataDog (analytics) loaded before consent

Host: browser-intake-datadoghq.comFired: 1951ms after load
Tealium (Tracker Tracker)
criticalNetworkTealium (Tracker Tracker)

Tealium (tracker) loaded before consent

Host: tags.tiqcdn.comFired: 1984ms after load
Braze
criticalNetworkMarketingBraze

Braze (Braze) loaded before consent: Braze customer engagement and marketing automation

Host: sdk.iad-01.braze.comFired: 2053ms after load
HumanSecurity (Tracker Tracker)
HumanSecurity (Tracker Tracker)2 findings

tzm.px-cloud.net, b.px-cdn.net

HumanSecurity (Tracker Tracker)
criticalNetworkHumanSecurity (Tracker Tracker)

HumanSecurity (tracker) loaded before consent

Host: tzm.px-cloud.netFired: 3920ms after load
HumanSecurity (Tracker Tracker)
criticalNetworkHumanSecurity (Tracker Tracker)

HumanSecurity (tracker) loaded before consent

Host: b.px-cdn.netFired: 4205ms after load
Microsoft Ads
criticalNetworkAdvertisingMicrosoft Ads

Microsoft Ads (Microsoft) loaded before consent: Microsoft Ads (Bing) UET conversion tracking

Host: bat.bing.comFired: 4305ms after load
Innovid (Advertising Tracker)
criticalNetworkAdvertisingInnovid (Advertising Tracker)

Innovid (advertising) loaded before consent

Host: collector-21091.us.tvsquared.comFired: 4305ms after load
Branch
criticalNetworkAdvertisingBranch

Branch (Branch) loaded before consent: Branch deep linking and attribution

Host: cdn.branch.ioFired: 4305ms after load
STG (Advertising Tracker)
criticalNetworkAdvertisingSTG (Advertising Tracker)

STG (advertising) loaded before consent

Host: px.airpr.comFired: 4305ms after load
Infillion (Tracker Tracker)
criticalNetworkInfillion (Tracker Tracker)

Infillion (tracker) loaded before consent

Host: pixel.mathtag.comFired: 4305ms after load
Advertising Tracker
Advertising Tracker7 findings

tag.havasedge.com, dx.mountain.com, pt.ispot.tv, staging-pt.ispot.tv, bat.bing.net, event.havasedge.com, px.mountain.com

Advertising Tracker
criticalNetworkAdvertisingAdvertising Tracker

advertising tracker at tag.havasedge.com loaded before consent

Host: tag.havasedge.comFired: 4309ms after load
Advertising Tracker
criticalNetworkAdvertisingAdvertising Tracker

advertising tracker at dx.mountain.com loaded before consent

Host: dx.mountain.comFired: 4314ms after load
Advertising Tracker
criticalNetworkAdvertisingAdvertising Tracker

advertising tracker at pt.ispot.tv loaded before consent

Host: pt.ispot.tvFired: 4314ms after load
Advertising Tracker
criticalNetworkAdvertisingAdvertising Tracker

advertising tracker at staging-pt.ispot.tv loaded before consent

Host: staging-pt.ispot.tvFired: 4314ms after load
Advertising Tracker
criticalNetworkAdvertisingAdvertising Tracker

advertising tracker at bat.bing.net loaded before consent

Host: bat.bing.netFired: 5039ms after load
Advertising Tracker
criticalNetworkAdvertisingAdvertising Tracker

advertising tracker at event.havasedge.com loaded before consent

Host: event.havasedge.comFired: 5234ms after load
Advertising Tracker
criticalNetworkAdvertisingAdvertising Tracker

advertising tracker at px.mountain.com loaded before consent

Host: px.mountain.comFired: 6404ms after load
reddit (Advertising Tracker)
criticalNetworkAdvertisingreddit (Advertising Tracker)

reddit (advertising) loaded before consent

Host: www.redditstatic.comFired: 4309ms after load
The Trade Desk (Tracker Tracker)
The Trade Desk (Tracker Tracker)3 findings

js.adsrvr.org, insight.adsrvr.org, match.adsrvr.org

The Trade Desk (Tracker Tracker)
criticalNetworkThe Trade Desk (Tracker Tracker)

The Trade Desk (tracker) loaded before consent

Host: js.adsrvr.orgFired: 4309ms after load
The Trade Desk (Tracker Tracker)
criticalNetworkThe Trade Desk (Tracker Tracker)

The Trade Desk (tracker) loaded before consent

Host: insight.adsrvr.orgFired: 6326ms after load
The Trade Desk (Tracker Tracker)
criticalNetworkThe Trade Desk (Tracker Tracker)

The Trade Desk (tracker) loaded before consent

Host: match.adsrvr.orgFired: 6384ms after load
Tealium (Analytics Tracker)
criticalNetworkAnalyticsTealium (Analytics Tracker)

Tealium (analytics) loaded before consent

Host: collect.tealiumiq.comFired: 4310ms after load
Snapchat Pixel
Snapchat Pixel4 findings

sc-static.net, tr.snapchat.com, _scid, _scid_r

Snapchat Pixel
criticalNetworkAdvertisingSnapchat Pixel

Snapchat Pixel (Snapchat) loaded before consent: Loads Snapchat conversion tracking script

Host: sc-static.netFired: 4314ms after load
Snapchat Pixel
criticalNetworkAdvertisingSnapchat Pixel

Snapchat Pixel (Snapchat) loaded before consent: Snapchat pixel tracking endpoint

Host: tr.snapchat.comFired: 5566ms after load
Snapchat Pixel
criticalCookieAdvertisingSnapchat Pixel

Snapchat Pixel cookie "_scid" set before consent

Cookie: _scidDomain: .grubhub.com
Snapchat Pixel
criticalCookieAdvertisingSnapchat Pixel

Snapchat Pixel cookie "_scid_r" set before consent

Cookie: _scid_rDomain: .grubhub.com
Google (Tracker Tracker)
Google (Tracker Tracker)3 findings

pubads.g.doubleclick.net, ad.doubleclick.net, stats.g.doubleclick.net

Google (Tracker Tracker)
criticalNetworkGoogle (Tracker Tracker)

Google (tracker) loaded before consent

Host: pubads.g.doubleclick.netFired: 4314ms after load
Google (Tracker Tracker)
criticalNetworkGoogle (Tracker Tracker)

Google (tracker) loaded before consent

Host: ad.doubleclick.netFired: 4757ms after load
Google (Tracker Tracker)
criticalNetworkGoogle (Tracker Tracker)

Google (tracker) loaded before consent

Host: stats.g.doubleclick.netFired: 5003ms after load
Claritas (Advertising Tracker)
criticalNetworkAdvertisingClaritas (Advertising Tracker)

Claritas (advertising) loaded before consent

Host: trkn.usFired: 4314ms after load
Roku (Advertising Tracker)
criticalNetworkAdvertisingRoku (Advertising Tracker)

Roku (advertising) loaded before consent

Host: tags.w55c.netFired: 4314ms after load
ArtsAI (Advertising Tracker)
criticalNetworkAdvertisingArtsAI (Advertising Tracker)

ArtsAI (advertising) loaded before consent

Host: data.adxcel-ec2.comFired: 4314ms after load
VideoAmp (Advertising Tracker)
criticalNetworkAdvertisingVideoAmp (Advertising Tracker)

VideoAmp (advertising) loaded before consent

Host: b.videoamp.comFired: 4314ms after load
Reddit Pixel
Reddit Pixel2 findings

alb.reddit.com, _rdt_uuid

Reddit Pixel
criticalNetworkAdvertisingReddit Pixel

Reddit Pixel (Reddit) loaded before consent: Reddit conversion tracking pixel

Host: alb.reddit.comFired: 4701ms after load
Reddit Pixel
criticalCookieAdvertisingReddit Pixel

Reddit Pixel cookie "_rdt_uuid" set before consent

Cookie: _rdt_uuidDomain: .grubhub.com
Impact
criticalNetworkAdvertisingImpact

Impact (Impact) loaded before consent: Impact affiliate and partnership tracking

Host: d.impactradius-event.comFired: 4757ms after load
Amazon (Advertising Tracker)
Amazon (Advertising Tracker)2 findings

c.amazon-adsystem.com, s.amazon-adsystem.com

Amazon (Advertising Tracker)
criticalNetworkAdvertisingAmazon (Advertising Tracker)

Amazon (advertising) loaded before consent

Host: c.amazon-adsystem.comFired: 4759ms after load
Amazon (Advertising Tracker)
criticalNetworkAdvertisingAmazon (Advertising Tracker)

Amazon (advertising) loaded before consent

Host: s.amazon-adsystem.comFired: 5642ms after load
Branch (Advertising Tracker)
Branch (Advertising Tracker)2 findings

app.link, api2.branch.io

Branch (Advertising Tracker)
criticalNetworkAdvertisingBranch (Advertising Tracker)

Branch (advertising) loaded before consent

Host: app.linkFired: 5047ms after load
Branch (Advertising Tracker)
criticalNetworkAdvertisingBranch (Advertising Tracker)

Branch (advertising) loaded before consent

Host: api2.branch.ioFired: 6218ms after load
Rokt (Advertising Tracker)
criticalNetworkAdvertisingRokt (Advertising Tracker)

Rokt (advertising) loaded before consent

Host: apps.rokt.comFired: 5552ms after load
Impact (Advertising Tracker)
criticalNetworkAdvertisingImpact (Advertising Tracker)

Impact (advertising) loaded before consent

Host: www.ojrq.netFired: 6034ms after load
Stripe (Tracker Tracker)
criticalNetworkStripe (Tracker Tracker)

Stripe (tracker) loaded before consent

Host: m.stripe.networkFired: 6376ms after load
MNTN (Advertising Tracker)
criticalNetworkAdvertisingMNTN (Advertising Tracker)

MNTN (advertising) loaded before consent

Host: gs.mountain.comFired: 6736ms after load
criticalCookieMarketingAniview

Aniview cookie "version" set before consent — This cookie is used by the website's operator in context with multi-variate testing. This is a tool used to combine or change content on the website. This allows the website to find the best variation/edition of the site.

Cookie: versionDomain: www.grubhub.comRetention: Session
DoubleClick/Google Marketing
criticalCookieMarketingDoubleClick/Google Marketing

DoubleClick/Google Marketing cookie "ar_debug" set before consent — Store and track conversions

Cookie: ar_debugDomain: .pinterest.comRetention: Persistent
Pinterest
criticalCookieMarketingPinterest

Pinterest cookie "_pinterest_ct_ua" set before consent — This cookieis a third party cookie which groups actions for users who cannot be identified by Pinterest.

Cookie: _pinterest_ct_uaDomain: .ct.pinterest.comRetention: session
criticalCookieMarketingClaritas

Claritas cookie "barometric[cuid]" set before consent — This cookie is used to identify users for Veritone/Barometric Podcast Conversion.

Cookie: barometric[cuid]Domain: .trkn.usRetention: 1 year
criticalCookieMarketingRoku

Roku cookie "wfivefivec" set before consent — Collects data on the user's visits to the website, such as what pages have been loaded. The registered data is used for targeted ads.

Cookie: wfivefivecDomain: .w55c.netRetention: 13 months
X2 findings

personalization_id, muc_ads

criticalCookieMarketingX

X cookie "personalization_id" set before consent — Unique value with which users can be identified by X. Collected information is used to be personalize X services, including X trends, stories, ads and suggestions.

Cookie: personalization_idDomain: .twitter.comRetention: 2 years
criticalCookieMarketingX

X cookie "muc_ads" set before consent — These cookies are placed when you come to our website via X. A cookie from X is also placed on our website, with which we can later show a relevant offer on X

Cookie: muc_adsDomain: .t.coRetention: 24 months
LinkedIn
LinkedIn2 findings

brwsr, irld

LinkedIn
criticalCookieMarketingLinkedIn

LinkedIn cookie "brwsr" set before consent — This cookie is used to Affiliate Marketing Cookie for LinkedIn

Cookie: brwsrDomain: .vdcy.netRetention: 2 years
LinkedIn
criticalCookieMarketingLinkedIn

LinkedIn cookie "irld" set before consent — This cookie is used for Affiliate Marketing Cookie for LinkedIn

Cookie: irldDomain: grubhub.vdcy.netRetention: 2 years
criticalCookieAnalyticsShopify

Shopify cookie "_s" set before consent — Shopify analytics.

Cookie: _sDomain: .app.linkRetention: 2 years
Amazon
Amazon2 findings

ad-id, ad-privacy

Amazon
criticalCookieMarketingAmazon

Amazon cookie "ad-id" set before consent — Clickthroughs to Amazon websites: Noting how the user got to Amazon via this website

Cookie: ad-idDomain: .amazon-adsystem.comRetention: 190 days
Amazon
criticalCookieMarketingAmazon

Amazon cookie "ad-privacy" set before consent — Provided by amazon-adsystem.com for tracking user actions on other websites to provide targeted content to the users.

Cookie: ad-privacyDomain: .amazon-adsystem.comRetention: 5 years
TikTok
TikTok2 findings

ttcsid, ttcsid_C3NJIPVB3D4L4OG53C80

TikTok
criticalCookieMarketingTikTok

TikTok cookie "ttcsid" set before consent — The TikTok cookie ttcsid likely serves as a session identifier, helping to maintain user sessions and track interactions across the platform. Its purpose is probably to manage user authentication or personalize content based on activity, similar to other session-related cookies used by TikTok.

Cookie: ttcsidDomain: .grubhub.comRetention: 1 year
TikTok
criticalCookieMarketingTikTok

TikTok cookie "ttcsid_C3NJIPVB3D4L4OG53C80" set before consent — The TikTok cookie ttcsid likely serves as a session identifier, helping to maintain user sessions and track interactions across the platform. Its purpose is probably to manage user authentication or personalize content based on activity, similar to other session-related cookies used by TikTok.

Cookie: ttcsid_C3NJIPVB3D4L4OG53C80Domain: .grubhub.comRetention: 1 year
Marfeel
criticalCookieAnalyticsMarfeel

Marfeel cookie "_sc_cspv" set before consent — This cookie is used to store for temporary session

Cookie: _sc_cspvDomain: .grubhub.comRetention: Session
TikTok — TikTok Pixel
criticalPost-RejectionAdvertisingTikTok — TikTok Pixel

TikTok — TikTok Pixel fires after user rejected consent

Fired: 25004ms after load
criticalConsent Record

No recognizable consent withdrawal mechanism detected — GDPR Article 7(3) requires users can withdraw consent as easily as giving it (cookie settings link or floating button expected)

Warnings94
Twitter (Social Tracker)
Twitter (Social Tracker)2 findingsID tracked

analytics.twitter.com, platform.twitter.com

Twitter (Social Tracker)
warningNetworkTwitter (Social Tracker)

Twitter (social) loaded before consent

ID: l63tjHost: analytics.twitter.comFired: 4779ms after load
Twitter (Social Tracker)
warningNetworkTwitter (Social Tracker)

Twitter (social) loaded before consent

Host: platform.twitter.comFired: 4305ms after load
reddit (Social Tracker)
warningNetworkreddit (Social Tracker)

reddit (social) loaded before consent

Host: pixel-config.reddit.comFired: 4701ms after load
Analytics proxy
warningNetworkAnalytics proxy

Possible server-side tag proxy at api-gtm.grubhub.com — analytics data may be forwarded to third parties before consent. Browser scanning cannot verify downstream recipients; audit your GTM Server-side or CNAME configuration.

Host: api-gtm.grubhub.comFired: 1984ms after load
Google — GA4
warningPost-RejectionAnalyticsGoogle — GA4

Google — GA4 ping fires after rejection (Basic Consent Mode — anonymised, legal grey zone)

Fired: 21971ms after load
vendor logo
warningNetwork

Unknown third-party request to static-na.payments-amazon.com before consent

Host: static-na.payments-amazon.comFired: 287ms after load
vendor logo
warningNetwork

Unknown third-party request to sse.devcycle.com before consent

Host: sse.devcycle.comFired: 2376ms after load
vendor logo
warningNetwork

Unknown third-party request to apps.rokt-api.com before consent

Host: apps.rokt-api.comFired: 2497ms after load
vendor logo
warningNetwork

Unknown third-party request to ext.chtbl.com before consent

Host: ext.chtbl.comFired: 4373ms after load
vendor logo
warningNetwork

Unknown third-party request to www.google.com before consent

Host: www.google.comFired: 4977ms after load
vendor logo
warningNetwork

Unknown third-party request to 34.215.155.61 before consent

Host: 34.215.155.61Fired: 4990ms after load
vendor logo
warningNetwork

Unknown third-party request to grubhub.vdcy.net before consent

Host: grubhub.vdcy.netFired: 5305ms after load
warningStorage

localStorage key "clickstream2BrowserId" written before consent

Key: clickstream2BrowserIdType: localStorageFired: 593ms after load
warningStorage

sessionStorage key "grub.foundation.localStorage.enabled" written before consent

Key: grub.foundation.localStorage.enabledType: sessionStorageFired: 1136ms after load
warningStorage

localStorage key "ngStorage-test" written before consent

Key: ngStorage-testType: localStorageFired: 1784ms after load
warningStorage

localStorage key "ngStorage-storageExpirationDate" written before consent

Key: ngStorage-storageExpirationDateType: localStorageFired: 1789ms after load
warningStorage

localStorage key "isIncognito" written before consent

Key: isIncognitoType: localStorageFired: 1890ms after load
warningStorage

localStorage key "ngStorage-variantsCache" written before consent

Key: ngStorage-variantsCacheType: localStorageFired: 1899ms after load
warningStorage

localStorage key "ngStorage-session-blitz_header_operation_id" written before consent

Key: ngStorage-session-blitz_header_operation_idType: localStorageFired: 1956ms after load
warningStorage

localStorage key "__ghsdk_data-sdk.settings" written before consent

Key: __ghsdk_data-sdk.settingsType: localStorageFired: 1963ms after load
warningStorage

localStorage key "grub-api:anonymousSessionPersisted" written before consent

Key: grub-api:anonymousSessionPersistedType: localStorageFired: 1973ms after load
warningStorage

localStorage key "grub-api:authenticatedSessionPersisted" written before consent

Key: grub-api:authenticatedSessionPersistedType: localStorageFired: 1974ms after load
warningStorage

localStorage key "ab.test" written before consent

Key: ab.testType: localStorageFired: 2000ms after load
warningStorage

localStorage key "ab.storage.events.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.events.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 2011ms after load
warningStorage

localStorage key "ab.storage.sessionId.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.sessionId.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 2011ms after load
warningStorage

localStorage key "ab.storage.messagingSessionStart.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.messagingSessionStart.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 2012ms after load
warningStorage

localStorage key "ab.storage.deviceId.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.deviceId.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 2013ms after load
warningStorage

localStorage key "ab.storage.lastSdkReq.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.lastSdkReq.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 2024ms after load
warningStorage

localStorage key "ab.storage.lastReqToEndpoint.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.lastReqToEndpoint.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 2024ms after load
warningStorage

localStorage key "ab.storage.brazeSyncRetryCount.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.brazeSyncRetryCount.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 2027ms after load
warningStorage

localStorage key "ab.storage.globalRateLimitCurrentTokenCount.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.globalRateLimitCurrentTokenCount.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 2035ms after load
warningStorage

localStorage key "ab.storage.serverConfig.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.serverConfig.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 2345ms after load
warningStorage

localStorage key "ab.storage.device.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.device.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 2347ms after load
warningStorage

localStorage key "ab.storage.sdk_metadata.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.sdk_metadata.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 2348ms after load
warningStorage

localStorage key "ab.storage.session_id_for_cached_metadata.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.session_id_for_cached_metadata.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 2348ms after load
warningStorage

localStorage key "ab.storage.requestAttempts.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.requestAttempts.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 2348ms after load
warningStorage

localStorage key "dvc:identified_config.a3523e93-4e41-4836-9157-dbe8eba260a6" written before consent

Key: dvc:identified_config.a3523e93-4e41-4836-9157-dbe8eba260a6Type: localStorageFired: 2357ms after load
warningStorage

localStorage key "dvc:identified_config.a3523e93-4e41-4836-9157-dbe8eba260a6.expiry_date" written before consent

Key: dvc:identified_config.a3523e93-4e41-4836-9157-dbe8eba260a6.expiry_dateType: localStorageFired: 2359ms after load
warningStorage

sessionStorage key "grub.cs.tabId" written before consent

Key: grub.cs.tabIdType: sessionStorageFired: 2392ms after load
warningStorage

localStorage key "grub.cs.f4c171c5-75f1-416a-a66f-478c096d1157.default.standard.destinationInfo" written before consent

Key: grub.cs.f4c171c5-75f1-416a-a66f-478c096d1157.default.standard.destinationInfoType: localStorageFired: 2393ms after load
warningStorage

localStorage key "grub.cs.sessionMutex.mutexA" written before consent

Key: grub.cs.sessionMutex.mutexAType: localStorageFired: 2506ms after load
warningStorage

localStorage key "grub.cs.sessionMutex.mutexB" written before consent

Key: grub.cs.sessionMutex.mutexBType: localStorageFired: 2506ms after load
warningStorage

sessionStorage key "grub.cs.sessionReported" written before consent

Key: grub.cs.sessionReportedType: sessionStorageFired: 2506ms after load
warningStorage

localStorage key "grub.cs.sessionCount" written before consent

Key: grub.cs.sessionCountType: localStorageFired: 2506ms after load
warningStorage

localStorage key "grub.cs.session" written before consent

Key: grub.cs.sessionType: localStorageFired: 2506ms after load
warningStorage

localStorage key "ab.storage.triggers.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.triggers.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 2535ms after load
warningStorage

localStorage key "ab.storage.triggers.ts.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.triggers.ts.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 2535ms after load
warningStorage

localStorage key "grub.cs.sessionIdentifiers.mutexA" written before consent

Key: grub.cs.sessionIdentifiers.mutexAType: localStorageFired: 2618ms after load
warningStorage

localStorage key "grub.cs.sessionIdentifiers.mutexB" written before consent

Key: grub.cs.sessionIdentifiers.mutexBType: localStorageFired: 2618ms after load
warningStorage

localStorage key "grub.cs.browserId" written before consent

Key: grub.cs.browserIdType: localStorageFired: 2619ms after load
warningStorage

localStorage key "grub.cs.appInstance" written before consent

Key: grub.cs.appInstanceType: localStorageFired: 2619ms after load
warningStorage

sessionStorage key "grub.cs.appInstance.default" written before consent

Key: grub.cs.appInstance.defaultType: sessionStorageFired: 2619ms after load
warningStorage

localStorage key "grub.cs.f4c171c5-75f1-416a-a66f-478c096d1157.default.standard" written before consent

Key: grub.cs.f4c171c5-75f1-416a-a66f-478c096d1157.default.standardType: localStorageFired: 2620ms after load
warningStorage

localStorage key "ngStorage-session-pageHistory" written before consent

Key: ngStorage-session-pageHistoryType: localStorageFired: 3133ms after load
warningStorage

localStorage key "ngStorage-sQ_Obs" written before consent

Key: ngStorage-sQ_ObsType: localStorageFired: 3147ms after load
warningStorage

localStorage key "ab.storage.sdkVersion.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.sdkVersion.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 3233ms after load
warningStorage

localStorage key "ab.storage.ccClicks.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.ccClicks.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 3233ms after load
warningStorage

localStorage key "ab.storage.ccImpressions.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.ccImpressions.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 3233ms after load
warningStorage

localStorage key "ab.storage.ccDismissals.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.ccDismissals.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 3233ms after load
warningStorage

localStorage key "ab.storage.cc.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.cc.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 3233ms after load
warningStorage

localStorage key "ab.storage.ccLastFullSync.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.ccLastFullSync.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 3233ms after load
warningStorage

localStorage key "ab.storage.ccLastCardUpdated.456f6687-7c17-4725-a9f3-7a851ca4b0b0" written before consent

Key: ab.storage.ccLastCardUpdated.456f6687-7c17-4725-a9f3-7a851ca4b0b0Type: localStorageFired: 3233ms after load
warningStorage

localStorage key "marketing_segmentationgrouping" written before consent

Key: marketing_segmentationgroupingType: localStorageFired: 3676ms after load
warningStorage

localStorage key "grub.cs.activeLoggers.mutexA" written before consent

Key: grub.cs.activeLoggers.mutexAType: localStorageFired: 3692ms after load
warningStorage

localStorage key "grub.cs.activeLoggers.mutexB" written before consent

Key: grub.cs.activeLoggers.mutexBType: localStorageFired: 3693ms after load
warningStorage

localStorage key "grub.cs.activeLoggers" written before consent

Key: grub.cs.activeLoggersType: localStorageFired: 3693ms after load
warningStorage

sessionStorage key "grub.cs.f4c171c5-75f1-416a-a66f-478c096d1157.default.reclaimedLoggers" written before consent

Key: grub.cs.f4c171c5-75f1-416a-a66f-478c096d1157.default.reclaimedLoggersType: sessionStorageFired: 3693ms after load
warningStorage

sessionStorage key "grub-api:anonymousSessionRecordTime" written before consent

Key: grub-api:anonymousSessionRecordTimeType: sessionStorageFired: 3735ms after load
warningStorage

localStorage key "tk_1776286330642" written before consent

Key: tk_1776286330642Type: localStorageFired: 3903ms after load
warningStorage

localStorage key "PXO97ybH4J_px-ff" written before consent

Key: PXO97ybH4J_px-ffType: localStorageFired: 3912ms after load
warningStorage

sessionStorage key "pxsid" written before consent

Key: pxsidType: sessionStorageFired: 4154ms after load
warningStorage

localStorage key "PXO97ybH4J_px_hvd" written before consent

Key: PXO97ybH4J_px_hvdType: localStorageFired: 4155ms after load
warningStorage

sessionStorage key "px_tk_1776286330914" written before consent

Key: px_tk_1776286330914Type: sessionStorageFired: 4175ms after load
warningStorage

sessionStorage key "px_tk_1776286330915" written before consent

Key: px_tk_1776286330915Type: sessionStorageFired: 4176ms after load
warningStorage

sessionStorage key "px_cd277742" written before consent

Key: px_cd277742Type: sessionStorageFired: 4176ms after load
warningStorage

localStorage key "tealium_timing" written before consent

Key: tealium_timingType: localStorageFired: 4264ms after load
warningStorage

localStorage key "px_22j9f8hlau2f5" written before consent

Key: px_22j9f8hlau2f5Type: localStorageFired: 4369ms after load
warningStorage

localStorage key "px_33df3rmnerrf5" written before consent

Key: px_33df3rmnerrf5Type: localStorageFired: 4369ms after load
warningStorage

localStorage key "mparticle" written before consent

Key: mparticleType: localStorageFired: 4411ms after load
warningStorage

localStorage key "mprtcl-v4_A58C8D9E-id-cache" written before consent

Key: mprtcl-v4_A58C8D9E-id-cacheType: localStorageFired: 4412ms after load
warningStorage

localStorage key "mprtcl-v4_A58C8D9E" written before consent

Key: mprtcl-v4_A58C8D9EType: localStorageFired: 4429ms after load
warningStorage

localStorage key "mprtcl-tos-A58C8D9E" written before consent

Key: mprtcl-tos-A58C8D9EType: localStorageFired: 4447ms after load
warningStorage

localStorage key "storage_test" written before consent

Key: storage_testType: localStorageFired: 5031ms after load
warningStorage

sessionStorage key "test" written before consent

Key: testType: sessionStorageFired: 5038ms after load
warningStorage

localStorage key "lastExternalReferrer" written before consent

Key: lastExternalReferrerType: localStorageFired: 5066ms after load
warningStorage

localStorage key "u_sclid" written before consent

Key: u_sclidType: localStorageFired: 5197ms after load
warningStorage

sessionStorage key "u_scsid" written before consent

Key: u_scsidType: sessionStorageFired: 5197ms after load
warningStorage

localStorage key "u_sclid_r" written before consent

Key: u_sclid_rType: localStorageFired: 5198ms after load
warningStorage

sessionStorage key "u_scsid_r" written before consent

Key: u_scsid_rType: sessionStorageFired: 5198ms after load
warningStorage

sessionStorage key "mprtcl-v4_A58C8D9E-events" written before consent

Key: mprtcl-v4_A58C8D9E-eventsType: sessionStorageFired: 5248ms after load
warningStorage

localStorage key "RoktDualSendBucket" written before consent

Key: RoktDualSendBucketType: localStorageFired: 6304ms after load
warningStorage

localStorage key "RoktRecogniser" written before consent

Key: RoktRecogniserType: localStorageFired: 6381ms after load
warningStorage

sessionStorage key "branch_session" written before consent

Key: branch_sessionType: sessionStorageFired: 6704ms after load
warningStorage

localStorage key "branch_session_first" written before consent

Key: branch_session_firstType: localStorageFired: 6704ms after load
Info9
OneTrust
OneTrust2 findings

cdn.cookielaw.org, OptanonConsent

OneTrust
infoNetworkConsent MgmtOneTrust

OneTrust (OneTrust) loaded before consent: OneTrust cookie consent management

Host: cdn.cookielaw.orgFired: 291ms after load
OneTrust
infoCookieConsent MgmtOneTrust

OneTrust cookie "OptanonConsent" set before consent

Cookie: OptanonConsentDomain: .grubhub.com
Stripe (Cdn)
infoNetworkStripe (Cdn)

Stripe (cdn) loaded before consent

Host: js.stripe.comFired: 1770ms after load
OneTrust CMP
infoNetworkConsent MgmtOneTrust CMP

OneTrust CMP (OneTrust) loaded before consent: OneTrust geo-lookup — determines which consent banner to show based on user location

Host: geolocation.onetrust.comFired: 1926ms after load
Contentful (Cdn)
infoNetworkContentful (Cdn)

Contentful (cdn) loaded before consent

Host: cdn.contentful.comFired: 3182ms after load
Snapchat
infoCookieFunctionalSnapchat

Snapchat cookie "X-AB" set before consent — This cookie is used by the website’s operator in context with multi-variate testing. This is a tool used to combine or change content on the website. This allows the website to find the best variation/edition of the site.

Cookie: X-ABDomain: sc-static.netRetention: 1 day
DoubleClick/Google Marketing
infoCookieFunctionalDoubleClick/Google Marketing

DoubleClick/Google Marketing cookie "test_cookie" set before consent — This cookie is set by DoubleClick (which is owned by Google) to determine if the website visitor's browser supports cookies.

Cookie: test_cookieDomain: .doubleclick.netRetention: 1 year
infoCookieFunctionalTripadvisor

Tripadvisor cookie "rt" set before consent — This cookie is used to identify the visitor through an application. This allows the visitor to login to a website through their LinkedIn application for example.

Cookie: rtDomain: .mountain.comRetention: 399 days
infoCookieFunctional

AWS Application Load Balancer — necessary for infrastructure

Cookie: AWSALBCORSDomain: grubhub.vdcy.net
Compliant3
Google Ads
Google Ads2 findings

www.google.com, _gcl_ls

Google Ads
CompliantNetworkAdvertisingGoogle Ads

Google Ads (Google) loaded correctly after consent

Host: www.google.comFired: 5744ms after load
Google Ads
CompliantStorageAdvertisingGoogle Ads

Google Ads (Google) wrote "_gcl_ls" to localStorage correctly after consent

Key: _gcl_lsType: localStorageFired: 5694ms after load
OneTrust
CompliantCookieConsent MgmtOneTrust

OneTrust cookie "OptanonAlertBoxClosed" set correctly after consent

Cookie: OptanonAlertBoxClosedDomain: .grubhub.com

Is this your site?

Run a full multi-page scan with monitoring and get detailed remediation steps

Scan grubhub.com

This audit is based on publicly observable website behavior. To request removal from the index, email support@tagleak.com