The Perfume Shop
App Quality Report
Powered by Testers.AI

Quality Score: B (84%)
Pages: 6
Issues: 139
Avg Confidence: 7.4
Avg Priority: 7.7
Severity: 44 Critical, 64 High, 29 Medium, 2 Low

Testers.AI AI Analysis

The Perfume Shop scored B (84%) with 139 issues across 7 tested pages, ranking #13 of 20 UK retail sites. That's 9 more than the 130.2 category average (40th percentile).

Top issues to fix immediately: "Critical Resource Loading Failures Affecting Page Functionality" - Investigate and resolve the DNS/resource loading issues; "Precise Geolocation Data Transmitted to Third-Party Analytics Service" - 1) Implement geolocation data minimization - only transmit country/region level data instead of precise coordinates a...; "Pervasive Missing Cache Headers on Critical Resources" - Implement Cache-Control headers with appropriate max-age values for all resources: Static assets (JS, CSS, fonts) sho....

Weakest area - accessibility (5/10): Limited visible accessibility features. Text contrast issues in some areas, lack of clear alt text indicators, and footer text ...

Quick wins: Improve text contrast throughout, especially in the footer section, to meet WCAG standards. Add skip navigation links and improve keyboard navigation support.

[Chart: Qualitative Quality, comparing The Perfume Shop, Category Avg and Best in Category]
Issue Count by Type
A11y: 36
Content: 25
UX: 6
Security: 4
Visual: 1
Pages Tested · 6 screenshots
Detected Issues · 139 total
1. Precise Geolocation Data Transmitted to Third-Party Analytics Service
CRIT P10 · Conf 9/10 · Other
Prompt to Fix
Our application is transmitting precise geolocation data (latitude, longitude, postal code, city, region, metro code) to the third-party Evolv.ai service without explicit user consent. This violates GDPR and CCPA. Please implement the following: 1) Modify the code that sends data to participants.evolv.ai to exclude latitude, longitude, and postal code fields. 2) Keep only country and region-level data for legitimate business purposes. 3) Ensure a privacy consent check is in place before any location data is transmitted - specifically check that the user has explicitly opted in to location tracking. 4) Add a configuration flag to allow disabling geolocation transmission entirely. 5) Document this change in our privacy impact assessment.
Why it's a bug
The network requests to participants.evolv.ai contain highly precise geolocation data including latitude (47.38450), longitude (-122.05820), postal code (98038), city (Maple Valley), region (WA), and metro code (819). This granular location information is being transmitted to a third-party service (Evolv.ai) for A/B testing and experimentation purposes. Such precise location data constitutes personal data under GDPR and CCPA regulations. The requests show this data is sent without explicit evidence of user consent being obtained first, violating privacy regulations.
Why it might not be a bug
Location data transmission could be considered necessary for regional content personalization or compliance testing. However, the level of granularity (postal code + exact coordinates) far exceeds what is needed for such purposes and should require explicit user consent.
Suggested Fix
1) Implement geolocation data minimization - only transmit country/region level data instead of precise coordinates and postal codes. 2) Obtain explicit user consent before transmitting any location data to third parties. 3) Add privacy controls in consent management platform to allow users to opt-out of location tracking. 4) Review Evolv.ai's data processing agreement to ensure GDPR/CCPA compliance.
Why Fix
Precise geolocation data transmission violates GDPR Article 6 (lawful basis requirement) and CCPA requirements for explicit consent. This exposes users to re-identification risks and enables invasive profiling. Regulators view this as a high-severity violation that can result in substantial fines.
Route To
Privacy Engineer / Data Protection Officer
Page
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Console: Location data including precise coordinates and postal code being sent to third-party analytics
Network: GET https://participants.evolv.ai/v1/2bd5277bbe/data?uid=27737820_1773680650821&client=asset-manager&messages=%5B...%7B%22key%22%3A%22geo.lat%22%2C%22value%22%3A%2247.38450%22%7D...%7B%22key%22%3A%22geo.lon%22%2C%22value%22%3A%22-122.05820%22%7D...%7B%22key%22%3A%22geo.postal%22%2C%22value%22%3A%2298038%22%7D
2. AI/LLM Endpoints Called Without Explicit Consent Disclosure
CRIT P9 · Conf 9/10 · Other
Prompt to Fix
The application is calling AI/optimization service endpoints (evolv.ai) without explicit user consent disclosure. This violates privacy regulations. Implement proper consent handling: 1) Add privacy policy language explaining Evolv AI usage 2) Create consent banner that explicitly mentions 'AI-powered personalization' 3) Defer all evolv.ai endpoint calls until after user consent 4) Implement cookie/localStorage tracking of user consent choice 5) Add 'Do Not Personalize' option to cookie preferences. Provide the complete consent flow implementation with event handlers.
Why it's a bug
The network logs show multiple calls to AI/LLM endpoints (evolv.ai, participants.evolv.ai) marked with '⚠️ AI/LLM ENDPOINT DETECTED'. These include: media.evolv.ai (webloader.min.js), participants.evolv.ai (multiple calls for assets, config, allocations). There is no visible user consent mechanism, privacy policy disclosure, or opt-out option for these AI services. This violates privacy expectations and potentially GDPR/CCPA regulations. This is a critical GenAI integration issue.
Why it might not be a bug
These services may be legitimate A/B testing or optimization platforms with proper backend consent handling. However, the absence of visible consent UI is problematic.
Suggested Fix
1) Add explicit privacy policy language disclosing use of AI/LLM services 2) Implement user consent banner before loading any AI endpoints 3) Provide easy opt-out mechanism 4) Add to cookie consent/preference center 5) Document in privacy policy which data is sent to AI services 6) Implement consent tracking before first AI API call
Why Fix
Undisclosed use of AI services for user tracking/optimization violates privacy regulations (GDPR, CCPA) and erodes user trust. Companies face significant fines for unauthorized data processing.
Route To
Privacy/Compliance Officer + Frontend Engineer
Page
Tester
Jason · GenAI Code Analyzer
Technical Evidence
Console:
GET https://media.evolv.ai/asset-manager/releases/latest/webloader.min.js - Status: N/A ⚠️ AI/LLM ENDPOINT DETECTED
GET https://participants.evolv.ai/v1/2bd5277bbe/27737820_1773680650821/assets.js - Status: N/A ⚠️ AI/LLM ENDPOINT DETECTED
GET https://participants.evolv.ai/v1/2bd5277bbe/27737820_1773680650821/allocations - Status: N/A ⚠️ AI/LLM ENDPOINT DETECTED
Network:
GET https://media.evolv.ai/asset-manager/releases/latest/webloader.min.js
GET https://participants.evolv.ai/v1/2bd5277bbe/27737820_1773680650821/assets.js
GET https://participants.evolv.ai/v1/2bd5277bbe/27737820_1773680650821/configuration.json
GET https://participants.evolv.ai/v1/2bd5277bbe/27737820_1773680650821/allocations
3. Precise Geolocation Data Transmitted to Third-Party Analytics Service
CRIT P9 · Conf 9/10 · Other
Prompt to Fix
A critical privacy issue has been detected: the application is transmitting precise geolocation data (latitude 47.38450, longitude -122.05820, postal code 98038, city Maple Valley, region WA) to the third-party service participants.evolv.ai in network requests to /v1/2bd5277bbe/data. This precise location information can identify and track individuals and violates GDPR/CCPA. Please: 1) Remove the geo.lat, geo.lon, and geo.postal fields from all messages sent to participants.evolv.ai. 2) If location data is needed for functionality, use only geo.country data. 3) Implement user consent collection before any location data is transmitted to third parties. 4) Update the privacy policy to disclose that Evolv.ai receives location data. 5) Add user privacy settings allowing users to opt-out of location sharing with third-party services.
Why it's a bug
The network requests to participants.evolv.ai contain precise geolocation coordinates (latitude: 47.38450, longitude: -122.05820), postal code (98038), city (Maple Valley), region (WA), and metro code (819) being transmitted to a third-party experimentation platform. This precise location data constitutes sensitive personal information that can be used to identify or track individuals. The data is being sent in URL parameters without apparent user consent disclosure, which violates privacy regulations like GDPR and CCPA. This level of granular location detail enables re-identification and tracking of specific users.
Why it might not be a bug
Location data could be considered necessary for geo-targeted personalization features or localization services. However, this does not justify transmitting precise coordinates to a third-party service without explicit user consent.
Suggested Fix
1) Remove precise latitude/longitude coordinates from all third-party service requests. 2) If geolocation is necessary for functionality, use only country-level or city-level data at maximum. 3) Implement explicit user consent collection for location data sharing before transmitting to Evolv.ai or any third-party service. 4) Add location data to the privacy policy with clear disclosure of which third parties receive it. 5) Provide users with granular controls to opt-out of location data sharing.
Why Fix
Transmitting precise geolocation data to third parties without consent violates user privacy expectations and data protection regulations. Users should have explicit control over their location data, especially the precise coordinates that enable individual tracking and identification.
Route To
Privacy Engineer / Data Protection Officer
Page
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Console: Location data transmission to third-party analytics
Network: GET https://participants.evolv.ai/v1/2bd5277bbe/data?uid=27737820_1773680650821&client=asset-manager&messages=%5B...%7B%22key%22%3A%22geo.lat%22%2C%22value%22%3A%2247.38450%22%7D%2C%7B%22key%22%3A%22geo.lon%22%2C%22value%22%3A%22-122.05820%22%7D%2C%7B%22key%22%3A%22geo.postal%22%2C%22value%22%3A%2298038%22%7D...
136 more issues detected
Precise Geolocation Data Transmitted to Third-Party Analytic...
User Behavioral and Device Profiling Data Sent to Evolv.ai E...
Device Fingerprinting and User Profiling Data Sent to Evolv....
and 133 more...
You're viewing the top 3 issues for The Perfume Shop.