Searchflex has a critical and urgent data privacy breach that requires immediate attention: credit card data is being transmitted to Meta Pixel, which represents a serious violation of payment card industry standards, privacy regulations, and Meta's own terms of service, and must be remediated today before it causes regulatory or reputational damage. The overall audit score is 0 out of 100, reflecting the severity of the issues found across just the single URL reviewed. Beyond the PII exposure, 21 high-severity issues were identified, including tags continuing to fire after a user selects "Reject All," which constitutes a likely breach of GDPR and ePrivacy consent requirements. Compounding the problem are duplicate installations of both GA4 and Google Tag Manager, which will be corrupting analytics data and inflating reported metrics across the site. We strongly recommend convening a cross-functional response immediately involving legal, development, and marketing teams to halt the PII leak, fix the consent mechanism, and clean up the duplicate tag configurations.
Searchflex (GA4 property 475597986) has recorded 3,756 sessions but zero measurable conversion events of any kind — no form submissions, no lead events, no click-to-call, and no email clicks — meaning the business is operating entirely blind to whether any of that traffic is generating leads. With a trust score of 75 and full session data flowing, the instrumentation gap is almost certainly a tracking configuration issue rather than a traffic or form problem. Resolving this is the single highest-leverage action available: until conversions are measured, no channel, campaign, or landing page can be optimised with confidence.
Searchflex's mobile Core Web Vitals are failing at a speed score of 52, creating direct Google ranking risk across all 100 audited URLs; the single biggest revenue-adjacent issue is that GTM, Facebook Pixel, and Hotjar are collectively blocking the main thread for over 57 seconds in aggregate on mobile alone, meaning visitors — especially those on paid campaigns driven by that very Facebook Pixel — are waiting several seconds before they can interact with the page. Fixing just the tag-loading strategy is projected to lift desktop scores by up to 7 points and cut Total Blocking Time nearly in half, with mobile gains expected to be at least equivalent.
Detected credit_card in params ['post_body'] of https://www.facebook.com/tr/
Fix: Hash, redact, or remove PII before sending. Use Enhanced Conversions / CAPI with hashed values where required.
GA4 has zero events for any of: generate_lead, form_submit, contact, phone_call, email_click. For a lead-gen site this means there's no measurable conversion happening — either the tracking isn't wired up, or the events are named differently and need standardising.
Fix: Wire up `generate_lead` (Google's recommended event) on every form submit and key conversion action. If you already track a custom event name, add `generate_lead` alongside it for Google Ads / GA4 conversion modelling consistency.
Google Tag Manager appears on 98/100 pages (98%). Mean blocking per page: 237ms. Total main-thread time: 43724ms. Transfer: 37248KB sitewide. Fires BEFORE consent on pages with a CMP — degrading experience even for users who reject cookies.
Fix: Because Google Tag Manager is on most of the site, fixing it once yields a sitewide lift. Move it behind a consent trigger, defer until user interaction, or switch to server-side tagging if it supports it.
Google Tag Manager appears on 96/100 pages (96%). Mean blocking per page: 238ms. Total main-thread time: 42924ms. Transfer: 36308KB sitewide. Fires BEFORE consent on pages with a CMP — degrading experience even for users who reject cookies.
Fix: Because Google Tag Manager is on most of the site, fixing it once yields a sitewide lift. Move it behind a consent trigger, defer until user interaction, or switch to server-side tagging if it supports it.
Facebook appears on 96/100 pages (96%). Mean blocking per page: 232ms. Total main-thread time: 41999ms. Transfer: 22057KB sitewide. Fires BEFORE consent on pages with a CMP — degrading experience even for users who reject cookies.
Fix: Because Facebook is on most of the site, fixing it once yields a sitewide lift. Move it behind a consent trigger, defer until user interaction, or switch to server-side tagging if it supports it.
Facebook appears on 98/100 pages (98%). Mean blocking per page: 225ms. Total main-thread time: 41751ms. Transfer: 22519KB sitewide. Fires BEFORE consent on pages with a CMP — degrading experience even for users who reject cookies.
Fix: Because Facebook is on most of the site, fixing it once yields a sitewide lift. Move it behind a consent trigger, defer until user interaction, or switch to server-side tagging if it supports it.
Hotjar appears on 96/100 pages (96%). Mean blocking per page: 127ms. Total main-thread time: 25266ms. Transfer: 6096KB sitewide. Fires BEFORE consent on pages with a CMP — degrading experience even for users who reject cookies.
Fix: Because Hotjar is on most of the site, fixing it once yields a sitewide lift. Move it behind a consent trigger, defer until user interaction, or switch to server-side tagging if it supports it.
Hotjar appears on 98/100 pages (98%). Mean blocking per page: 125ms. Total main-thread time: 25318ms. Transfer: 6223KB sitewide. Fires BEFORE consent on pages with a CMP — degrading experience even for users who reject cookies.
Fix: Because Hotjar is on most of the site, fixing it once yields a sitewide lift. Move it behind a consent trigger, defer until user interaction, or switch to server-side tagging if it supports it.
Cloudflare CDN appears on 96/100 pages (96%). Mean blocking per page: 34ms. Total main-thread time: 10232ms. Transfer: 2666KB sitewide.
Fix: Because Cloudflare CDN is on most of the site, fixing it once yields a sitewide lift. Move it behind a consent trigger, defer until user interaction, or switch to server-side tagging if it supports it.
Cloudflare CDN appears on 98/100 pages (98%). Mean blocking per page: 32ms. Total main-thread time: 10198ms. Transfer: 2722KB sitewide.
Fix: Because Cloudflare CDN is on most of the site, fixing it once yields a sitewide lift. Move it behind a consent trigger, defer until user interaction, or switch to server-side tagging if it supports it.
Rank #1 by blocking time on this page. Google Tag Manager transfers 295 KB and keeps the main thread busy for 2863ms, delaying INP and TBT.
Fix: GTM's own weight usually means a lot of tags. Run GTM Preview and look for tags firing on every page that could be scoped to specific events or URLs.
Rank #1 by blocking time on this page. Calendly transfers 1700 KB and keeps the main thread busy for 2241ms, delaying INP and TBT.
Fix: Load Calendly with `async defer`, push it as late as safely possible, and if it's tag-manager-loaded, add a consent trigger. If it's not strictly needed for functionality, lazy-load on first interaction.
+ 791 more findings — see the detailed dashboards.