What is a contradiction?

The core of everything we do. A manufacturer says one thing. Their product does another. We document the gap.

The simple version

A contradiction is when a company's privacy policy, marketing, or public statements say one thing — but their product's actual behaviour proves something different. We don't guess. We cross-reference five independent evidence layers and only flag a contradiction when the evidence directly conflicts with the claim.

The five evidence layers

1. Privacy policy — what the company says it does with your data.
2. App permissions — what the companion app actually requests access to on your phone.
3. Firmware and security — the device's hardware capabilities, encryption strength, and known vulnerabilities (CVEs).
4. Regulatory filings — FCC filings, security audits, court settlements, and government certifications.
5. Network traffic — what the device actually sends over the internet, captured via packet analysis.

When two or more layers tell different stories, that's a contradiction.

Why this matters

Every other privacy review reads the privacy policy and reports what it says. That's claims about claims. We check whether the claims are true. Mozilla's *Privacy Not Included reads the policy. Surfshark reads the app store label. Neither checks if the policy is actually honest. We do.

Severity levels

Critical — the contradiction involves proven deception, active security vulnerabilities, or documented harm to users. Example: LastPass claimed 'zero-knowledge' but stored URLs, email addresses, and company names unencrypted. Attackers stole $438M from cracked vaults.

High — the contradiction is significant and creates real risk, but may not have caused documented harm yet.

Medium — the contradiction exists but the practical risk is moderate.

Low — minor inconsistency or a design trade-off with limited impact.

Grading

Every device gets a grade based on its contradictions.

B+ (minor concerns): no critical findings, 2 or fewer high, 9 or fewer total.
B (some concerns): 1 or fewer critical, 10 or fewer total.
C (notable issues): 2 or fewer critical.
D (serious concerns): 3 or fewer critical.
F (fail): everything worse.

The grade tells you at a glance how honest a manufacturer is being about their product.
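As an added example (not the site's own code), the grading bands above and the two-or-more-layers rule from the evidence-layers section, expressed in Python. The Finding data model, the layer names and the function names are assumptions; the page names no band above B+, so this implementation tops out there. The sample findings at the bottom are constructed.

```python
from dataclasses import dataclass, field

# The five evidence layers the site cross-references (names assumed here).
LAYERS = {"privacy_policy", "app_permissions", "firmware_security",
          "regulatory_filings", "network_traffic"}
SEVERITIES = ("critical", "high", "medium", "low")


@dataclass
class Finding:
    claim: str                       # what the manufacturer says
    severity: str                    # one of SEVERITIES
    evidence: set = field(default_factory=set)  # layers whose data conflicts with the claim


def is_contradiction(f: Finding) -> bool:
    """A claim is only flagged when two or more independent layers conflict with it."""
    return f.severity in SEVERITIES and len(f.evidence & LAYERS) >= 2


def tally(findings) -> tuple:
    """Return (critical, high, total) counting only confirmed contradictions."""
    confirmed = [f for f in findings if is_contradiction(f)]
    critical = sum(f.severity == "critical" for f in confirmed)
    high = sum(f.severity == "high" for f in confirmed)
    return critical, high, len(confirmed)


def grade(findings) -> str:
    """Check the bands from B+ downward; the first band whose limits all hold wins."""
    critical, high, total = tally(findings)
    if critical == 0 and high <= 2 and total <= 9:
        return "B+"
    if critical <= 1 and total <= 10:
        return "B"
    if critical <= 2:
        return "C"
    if critical <= 3:
        return "D"
    return "F"          # everything worse


# Constructed sample: one cloud-vs-"local processing" style finding backed by two layers,
# plus one that only a single layer supports and therefore does not count.
SAMPLE = [
    Finding("local processing", "high", {"privacy_policy", "network_traffic"}),
    Finding("no third-party sharing", "critical", {"privacy_policy"}),
]

if __name__ == "__main__":
    print(tally(SAMPLE), grade(SAMPLE))
```

A finding supported by only one layer is dropped before counting, so the constructed sample tallies to one high contradiction and grades B+.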

Real examples

TP-Link Tapo P100: the privacy policy claims 'local processing' — but the device contacts 5 cloud endpoints in 3 countries on every power cycle.

Google Password Manager: presented as secure — but Google holds the encryption keys by default. They can read your passwords unless you find an opt-in toggle buried in settings.

Apple Passwords: marketed as private — but without Advanced Data Protection (which almost nobody enables), Apple holds the keys and complied with 12,043 US government data requests in just 6 months.

What we don't do

We don't speculate. Every contradiction is backed by at least two evidence sources. We don't grade on vibes or brand reputation — Apple and Google both got F grades on their operating systems. We don't accept marketing claims at face value, and we don't penalise products for things that are true and disclosed. If a company is honest about collecting your data, that's not a contradiction — it might still be bad, but it's not deceptive.

Sources