Tracking & Pixels

How Bombas Tracks Every Visitor With 39 Cookies, 10 Pixels & a $150K/Year Tracking Stack

Complete audit of every cookie, tracking pixel, and third-party script fired on bombas.com from a clean browser session.

Data as of March 24, 2026 · 39 cookies audited · 10 pixels · 32 domains

39 cookies dropped · 10 tracking pixels · 32 external domains · $150K+ est. annual stack cost

First: Why Should You Care About Bombas's Tracking Setup?

The real cost of tracking, what fires before consent, and what you can steal

Because Bombas is a $3.4B valuation DTC brand running on Shopify Plus with enterprise-grade tracking. Bombas runs a sophisticated multi-platform pixel stack that feeds data to Meta, Google, Pinterest, Microsoft, and AppLovin simultaneously. Understanding it shows you what a mature Shopify Plus tracking setup actually looks like (see also our full tech stack breakdown):

18 cookies before consent

Bombas sets 18 cookies on first visit — before you even interact with the consent banner. Understanding what's tracking you helps you build a compliant setup that doesn't leave money on the table.

Source: CSP header & page source analysis — cookies identified by parsing bombas.com in a clean browser session

$150K per year

Bombas's tracking stack costs an estimated $100K-$200K/year. Meta Pixel, Google Analytics 4, Pinterest, Microsoft Ads, AppLovin — enterprise tracking adds up fast (we break down the full ad strategy here). Most brands can get 80% of the value for 1% of the cost.

Source: Estimated based on publicly available SaaS pricing for detected vendors

32 external domains

Your browser contacts 32 external domains on a single Bombas page load. Each one is a potential GDPR liability, a performance hit, and a data leak. Knowing the landscape helps you trim the fat on your own site.

Source: Network request monitoring via Chrome DevTools Protocol on bombas.com homepage

The Cookie Breakdown

39 cookies dropped on a single page load — here is every one of them

Bombas drops 39 cookies on a single page load. That's roughly 63% above the average ecommerce site (which sets ~24 cookies according to Cookiebot's 2024 compliance report). The split: 24 first-party cookies and 15 third-party cookies — with some tracking cookies persisting for up to 2 years.

36% of all cookies are advertising trackers. Meta, Google, Pinterest, Microsoft, and AppLovin each drop their own cookies to build cross-site behavioral profiles. The longest-lived cookie? _ga from Google Analytics — set to expire in 2 years.
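The split the audit reports can be reproduced from a cookie jar dumped with the Chrome DevTools Protocol. The following is an added example in JavaScript (Node), not code from the page or from Bombas: it takes cookies in the shape Network.getAllCookies returns, classifies each as first- or third-party by registrable domain, attributes it to a vendor and category through a small lookup table, and reports lifetimes. The jar, the vendor table and the audit date are constructed for the example; the cookie names are well-known vendor cookies, but the expiries are not taken from the page's audit.

```javascript
// Added example, not code from the page or from Bombas. Input: a cookie jar in
// the shape Chrome DevTools Protocol's Network.getAllCookies returns
// ({ name, domain, expires (unix seconds, -1 = session), sameSite }).
const AUDIT_TIME = Date.UTC(2026, 2, 24) / 1000; // fixed "now" so the numbers are stable
const SITE_HOST = "www.bombas.com";
const DAY = 86400;

// Who owns a cookie name and whether that owner is an external vendor.
// Constructed lookup table; a key ending in "_" is treated as a prefix.
const VENDOR_BY_NAME = {
  _ga:            { vendor: "Google Analytics", category: "analytics",       external: true },
  _ga_:           { vendor: "Google Analytics", category: "analytics",       external: true },
  _gcl_au:        { vendor: "Google Ads",       category: "advertising",     external: true },
  IDE:            { vendor: "Google Ads",       category: "advertising",     external: true },
  _fbp:           { vendor: "Meta Pixel",       category: "advertising",     external: true },
  fr:             { vendor: "Meta",             category: "advertising",     external: true },
  _uetsid:        { vendor: "Microsoft UET",    category: "advertising",     external: true },
  MUID:           { vendor: "Microsoft",        category: "advertising",     external: true },
  _pin_unauth:    { vendor: "Pinterest",        category: "advertising",     external: true },
  _ALGOLIA:       { vendor: "Algolia",          category: "personalization", external: true },
  OptanonConsent: { vendor: "OneTrust",         category: "necessary",       external: true },
  _shopify_y:     { vendor: "Shopify",          category: "analytics",       external: false },
  _shopify_s:     { vendor: "Shopify",          category: "analytics",       external: false },
  cart:           { vendor: "Shopify",          category: "necessary",       external: false },
};

// Constructed sample jar: real cookie names, made-up expiries.
const SAMPLE_JAR = [
  { name: "_ga",            domain: ".bombas.com",      expires: AUDIT_TIME + 730 * DAY, sameSite: "Lax" },
  { name: "_shopify_y",     domain: ".bombas.com",      expires: AUDIT_TIME + 730 * DAY, sameSite: "Lax" },
  { name: "_shopify_s",     domain: ".bombas.com",      expires: AUDIT_TIME + 1800,      sameSite: "Lax" },
  { name: "_fbp",           domain: ".bombas.com",      expires: AUDIT_TIME + 90 * DAY,  sameSite: "Lax" },
  { name: "_gcl_au",        domain: ".bombas.com",      expires: AUDIT_TIME + 90 * DAY,  sameSite: "Lax" },
  { name: "_uetsid",        domain: ".bombas.com",      expires: AUDIT_TIME + 1 * DAY,   sameSite: "Lax" },
  { name: "_pin_unauth",    domain: ".bombas.com",      expires: AUDIT_TIME + 365 * DAY, sameSite: "Lax" },
  { name: "_ALGOLIA",       domain: ".bombas.com",      expires: AUDIT_TIME + 180 * DAY, sameSite: "Lax" },
  { name: "OptanonConsent", domain: ".bombas.com",      expires: AUDIT_TIME + 365 * DAY, sameSite: "Lax" },
  { name: "cart",           domain: "www.bombas.com",   expires: -1,                     sameSite: "Lax" },
  { name: "fr",             domain: ".facebook.com",    expires: AUDIT_TIME + 90 * DAY,  sameSite: "None" },
  { name: "MUID",           domain: ".bing.com",        expires: AUDIT_TIME + 390 * DAY, sameSite: "None" },
  { name: "IDE",            domain: ".doubleclick.net", expires: AUDIT_TIME + 390 * DAY, sameSite: "None" },
];

// Crude eTLD+1 (last two labels). Real tooling consults the Public Suffix List
// so that e.g. "shop.co.uk" is not collapsed to "co.uk".
function registrableDomain(host) {
  return host.replace(/^\./, "").toLowerCase().split(".").slice(-2).join(".");
}

// Remaining lifetime in days; 0 for a session cookie.
function lifetimeDays(cookie, now) {
  return cookie.expires < 0 ? 0 : Math.round((cookie.expires - now) / DAY);
}

function vendorFor(name) {
  if (VENDOR_BY_NAME[name]) return VENDOR_BY_NAME[name];
  const prefix = Object.keys(VENDOR_BY_NAME).find(k => k.endsWith("_") && name.startsWith(k));
  return prefix ? VENDOR_BY_NAME[prefix] : { vendor: "unknown", category: "functional", external: false };
}

function auditCookies(jar, siteHost, now) {
  const site = registrableDomain(siteHost);
  const rows = jar.map(c => {
    const { vendor, category, external } = vendorFor(c.name);
    return {
      name: c.name, vendor, category, external,
      firstParty: registrableDomain(c.domain) === site,
      days: lifetimeDays(c, now),
      sameSite: c.sameSite || "unspecified",
    };
  });
  const byCategory = {};
  for (const r of rows) byCategory[r.category] = (byCategory[r.category] || 0) + 1;
  const longest = rows.reduce((a, b) => (b.days > a.days ? b : a));
  return {
    total: rows.length,
    firstParty: rows.filter(r => r.firstParty).length,
    thirdParty: rows.filter(r => !r.firstParty).length,
    // First-party for the browser, but written by an external vendor's script:
    // these survive third-party-cookie blocking, which is why vendors moved here.
    firstPartyByExternalVendor: rows.filter(r => r.firstParty && r.external).length,
    // Only cookies marked SameSite=None can ride along on cross-site requests.
    crossSiteCapable: rows.filter(r => r.sameSite === "None").length,
    byCategory,
    longest: { name: longest.name, days: longest.days },
    rows,
  };
}
```

The point the headline numbers hide: most of the "first-party" cookies in the sample (_ga, _fbp, _gcl_au, _uetsid, _pin_unauth) are written onto bombas.com by a third-party script. They count as first-party for the browser, which is why they survive third-party-cookie blocking, but the identifier still travels to the vendor with every pixel request. The two-label registrable-domain check is a shortcut; real tooling uses the Public Suffix List.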

Notable Cookies (Full Audit)

Key Finding

Bombas's privacy policy explicitly names Meta, Google, Microsoft, Pinterest, and AppLovin as third-party vendors that place cookies and pixels on their site. The _ga cookie persists for 2 years (Google Analytics's default, refreshed on every visit), so a returning visitor is recognised as the same client long after the first visit. Combined with Shopify's own analytics cookie (_shopify_y, also 2 years), Bombas can identify visitors across an unusually long window. Both are first-party cookies written onto bombas.com by vendor scripts, which is why they survive browser restrictions on third-party cookies.

This cookie audit is exactly the kind of analysis LeadMaxxing generates automatically for any ecommerce site — cookie inventory, category breakdown, expiry audit, and compliance gaps — delivered to your inbox in under 60 seconds.

Tracking Pixels & Tags

10 distinct pixels covering every major ad platform plus consent management

Bombas runs 10 distinct tracking pixels, covering five major ad platforms plus analytics, ecommerce, and consent management. Each one fires on page load, sending data about your visit to its respective platform. Here's what we detected from the CSP header, DNS records, and privacy policy:

Meta Pixel
Advertising
Meta Pixel detected — facebook-domain-verification confirmed in DNS TXT records
Tracks page views, add-to-cart, purchase, and custom events. Sends data to Meta for Facebook/Instagram ad retargeting, lookalike audience building, and conversion optimization. Bombas's privacy policy explicitly confirms Meta as a third-party tracking vendor.
Fires: PageView on every load • AddToCart • Purchase • ViewContent
Google Analytics 4
Analytics
Google Analytics 4 property detected — 5 google-site-verification DNS records
Core web analytics. Tracks sessions, page views, scroll depth, outbound clicks, and ecommerce events. With 5 separate Google site verification entries in DNS, Bombas clearly has deep Google integration across Search Console, GA4, and Merchant Center.
Fires: page_view • scroll • click • purchase • view_item
Google Ads Conversion
Advertising
Google Ads conversion tag detected
Measures Google Ads conversions — links ad clicks to on-site purchases. Powers automated bidding (tROAS, tCPA) across Search, Shopping, and YouTube campaigns. Critical for a brand generating $325M+ in annual revenue.
Fires: conversion on purchase • remarketing on all pages
Pinterest Tag
Advertising
Pinterest Tag detected — pinterest-site-verification confirmed in DNS TXT records
Powers Pinterest's conversion API and audience matching. Pinterest verification in Bombas's DNS confirms active Pinterest advertising. Key for reaching the platform's home goods and gifting audience — a natural fit for Bombas's sock gifting positioning.
Fires: pagevisit • addtocart • checkout
Microsoft UET
Advertising
Microsoft UET (Universal Event Tracking) detected
Bing Ads conversion tracking and remarketing. Bombas's privacy policy confirms Microsoft as a third-party advertising vendor. UET enables conversion tracking across Bing Search, Microsoft Shopping, and the Microsoft Audience Network.
Fires: page_load • purchase • add_to_cart
AppLovin
Advertising
AppLovin tracking detected — confirmed in Bombas's privacy policy
Mobile app and CTV ad network. AppLovin is explicitly named in Bombas's privacy policy as a third-party vendor placing cookies and pixels. Enables cross-platform retargeting and attribution across mobile apps and connected TV — an increasingly important channel for DTC brands.
Fires: page_view • purchase • cross-platform attribution
Shopify Analytics
Ecommerce Analytics
Shopify Plus — 2 shopify-verification-code DNS entries
Shopify's built-in analytics and customer event pipeline. As a Shopify Plus merchant (migrated from Magento), Bombas gets native ecommerce tracking: sessions, conversion funnel, product performance, and customer cohort analysis built into the platform.
Fires: session start • page view • product view • checkout • purchase
Algolia
Search & Personalization
Algolia search integration detected
AI-powered site search and product discovery. Algolia tracks search queries, click-through rates, and conversion patterns to personalize search results. The _ALGOLIA cookie persists for 6 months, building a search behavior profile per visitor.
Fires: search query • search result click • conversion after search
Stripe
Payments & Fraud
stripe-verification confirmed in DNS TXT records
Payment processing and fraud detection. Stripe's JavaScript library loads site-wide rather than only at checkout (js.stripe.com appears in the homepage waterfall below; Stripe recommends including it on every page so its fraud signals cover the whole session) and sets cookies for fraud prevention, device fingerprinting, and 3D Secure authentication. DNS verification confirms Bombas uses Stripe as a payment processor.
Fires: checkout initiation • payment submission • fraud signal collection
OneTrust
Consent Management
2 onetrust-domain-verification entries in DNS TXT records
Manages cookie consent banner and preference center. Two separate OneTrust domain verification entries in Bombas's DNS records confirm enterprise-tier consent management. Categorizes cookies into Strictly Necessary, Performance, Functional, and Targeting groups per GDPR/CCPA requirements.
Fires: on page load (before all other scripts)

What would YOUR pixel audit look like?

Bombas runs 10 separate pixels because they have a dedicated marketing team managing a $325M+ business. Most brands don't need that complexity. LeadMaxxing scans your site and shows you exactly which pixels are firing, which cookies are set, and where you have gaps — then gives you a single script that handles visitor identification, lead scoring, and platform syncing automatically.

Get this report for your brand →

Third-Party Script Audit

32 external domains contacted on a single page load

Loading bombas.com triggers requests to 32 unique external domains. Your browser downloads scripts, pixels, fonts, and data from a dozen or so companies (Google alone accounts for nine of the domains) before the page finishes loading. Here's the breakdown by category:

Third-Party Requests by Category (bombas.com homepage)
Advertising 11 domains
Analytics 6 domains
CDN / Performance 7 domains
Personalization 3 domains
Consent / Compliance 3 domains
Payments 2 domains

Network Waterfall: What Loads and When

Here's the approximate order in which hosts are first contacted when your browser requests bombas.com, listed by first-request time. Notice how many third-party scripts fire in the first 2 seconds — before most users have even scrolled:

Network Request Timeline (bombas.com homepage)
bombas.com                 110ms
cdn.shopify.com            220ms
cdn.onetrust.com           260ms
js.stripe.com              350ms
googletagmanager.com       360ms
s.pinimg.com               380ms
bat.bing.com               410ms
cdn.applovin.com           440ms
connect.facebook.net       490ms
cdn.algolia.com            620ms
cdn.shopify.com (assets)   1.9s
How we detected these scripts

We used two methods: (1) parsing Bombas's Content-Security-Policy HTTP header, which allows script-src 'self' 'unsafe-inline' 'unsafe-eval' https: blob: — a permissive policy that lets any HTTPS-served script execute, and (2) analyzing Bombas's DNS TXT records, which contain domain verification entries for Facebook, Google (5 entries), Pinterest, OneTrust (2 entries), Shopify (2 entries), Stripe, and 15+ other vendors. Two caveats on what each method proves: because the CSP allows https: wholesale instead of naming hosts, it tells you the policy is loose but not which vendors load, so the domain inventory below rests on the network capture; and a DNS verification record shows the domain was claimed in that vendor's console, not that the vendor's script runs on the page. See our Performance report for the full CSP breakdown.

Curious how many third-party domains YOUR site contacts? LeadMaxxing's free report runs this same CSP + network audit on your domain and shows you exactly which vendors are loading, how they impact page speed, and which ones you can cut.

All 32 External Domains Contacted

Advertising (11): connect.facebook.net, www.facebook.com, googleads.g.doubleclick.net, www.googleadservices.com, pagead2.googlesyndication.com, s.pinimg.com, ct.pinterest.com, bat.bing.com, c.bing.com, cdn.applovin.com, d.applovin.com
Analytics (6): www.googletagmanager.com, www.google-analytics.com, region1.google-analytics.com, analytics.google.com, cdn.shopify.com, monorail-edge.shopifysvc.com
Personalization (3): cdn.algolia.com, *.algolia.net, *.algolianet.com
CDN / Performance (7): fonts.googleapis.com, fonts.gstatic.com, cdn.shopify.com, images.bombas.com, cdn.jsdelivr.net, res.cloudinary.com, assets.bombas.com
Consent / Compliance (3): cdn.onetrust.com, geolocation.onetrust.com, optanon.blob.core.windows.net
Payments (2): js.stripe.com, m.stripe.network

Note that cdn.shopify.com is counted under both Analytics and CDN, and images.bombas.com and assets.bombas.com are Bombas subdomains rather than third parties, so the number of distinct third-party hosts in this inventory is 29.

Consent & Compliance Analysis

Enterprise consent management with OneTrust — but a permissive CSP and missing security headers

Bombas uses OneTrust for cookie consent, confirmed by two separate onetrust-domain-verification entries in their DNS TXT records. OneTrust is the enterprise standard ($50K+/yr) used by brands like Nike, Adidas, and ASOS. But the implementation reveals some interesting choices about security and what loads before consent:

Consent Platform

OneTrust (Enterprise)
Enterprise-tier consent management platform ($50K+/yr) with 2 DNS verification entries, auto-categorizes cookies into Strictly Necessary, Performance, Functional, and Targeting

CSP Policy

Permissive
CSP allows 'unsafe-inline', 'unsafe-eval', and all https: (plus blob:) sources — so any HTTPS-served, inline, or eval()'d script can execute. It blocks plain-HTTP scripts and little else

Security Headers

Grade C (4/6)
HSTS, CSP, X-Frame-Options, and X-Content-Type-Options present. Missing: Referrer-Policy and Permissions-Policy. Without them browsers apply their defaults: strict-origin-when-cross-origin for referrers (origin only on cross-origin requests) and the per-feature default allowlist for browser APIs

Compliance Grade

B
OneTrust consent gates EU visitors properly, but permissive CSP, missing Referrer-Policy, and US visitors tracked from first millisecond reduce the score

What Happens When You Visit bombas.com

Here's the exact sequence from the moment your browser hits bombas.com:

Notable Finding

Bombas's CSP is permissive. A locked-down CSP names the hosts scripts may come from; Bombas's policy allows script-src 'unsafe-inline' 'unsafe-eval' https: blob: — meaning any HTTPS-served script, any inline script, and any string passed to eval() can execute on the page. The practical consequence is that a cross-site scripting bug in the theme, or a compromised script at any of the vendor domains listed above, meets no CSP barrier. Referrer-Policy is also missing; modern browsers then default to strict-origin-when-cross-origin, which sends only the origin on cross-origin requests, so its absence is a missed chance to pin that behaviour (or tighten it) rather than an open leak. Permissions-Policy, which controls browser feature access (camera, microphone, geolocation) for the page and its embedded frames, is missing too. That gives a security grade of C (4/6). This is typical for Shopify Plus stores, but it is a security gap rather than a compliance finding, and it widens with every vendor added.
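The grading above can be automated. The following added example in JavaScript (not the page's tooling) scores the same six headers and parses the CSP for the escapes the article names; the header set is built from the values the article reports for bombas.com rather than captured live, and the letter scale (6 = A down to 2 or fewer = F, with 4 = C to match the page) is this example's own.

```javascript
// Added example, not the page's own tooling. Headers below are constructed
// from the values the article reports for bombas.com, not a live capture.
const SAMPLE_HEADERS = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "Content-Security-Policy": "script-src 'self' 'unsafe-inline' 'unsafe-eval' https: blob:",
  "X-Frame-Options": "SAMEORIGIN",
  "X-Content-Type-Options": "nosniff",
};

const SCORED = ["strict-transport-security", "content-security-policy", "x-frame-options",
                "x-content-type-options", "referrer-policy", "permissions-policy"];

// Split "dir src src; dir src" into { dir: [src, ...] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Sources that turn script-src into "anything on the web": keyword escapes and
// scheme-only entries that match every host using that scheme.
const WEAK_SCRIPT_SOURCES = new Set(["'unsafe-inline'", "'unsafe-eval'", "*", "https:", "http:", "data:", "blob:"]);

function cspFindings(policy) {
  const d = parseCsp(policy);
  const findings = [];
  const scriptSrc = d["script-src"] || d["default-src"]; // script-src falls back to default-src
  if (!scriptSrc) {
    findings.push("no script-src or default-src: scripts are unrestricted");
  } else {
    for (const s of scriptSrc) if (WEAK_SCRIPT_SOURCES.has(s)) findings.push(`script-src allows ${s}`);
    const hasNonceOrHash = scriptSrc.some(s => /^'(nonce|sha256|sha384|sha512)-/.test(s));
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("'unsafe-inline' with no nonce or hash: an injected inline script runs");
    }
  }
  if (!d["object-src"] && !d["default-src"]) findings.push("no object-src: plugin content unrestricted");
  if (!d["base-uri"]) findings.push("no base-uri: an injected <base> tag can redirect relative script URLs");
  return findings;
}

function gradeHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const present = SCORED.filter(n => n in h);
  const missing = SCORED.filter(n => !(n in h));
  const notes = [];
  if (!("referrer-policy" in h)) {
    notes.push("Referrer-Policy absent: browsers fall back to strict-origin-when-cross-origin, " +
               "so third parties see the origin but not the path or query");
  }
  if (!("permissions-policy" in h)) {
    notes.push("Permissions-Policy absent: embedded frames get the browser's default feature allowlist");
  }
  const hsts = h["strict-transport-security"] || "";
  const maxAge = Number((/max-age=(\d+)/i.exec(hsts) || [])[1] || 0);
  if (hsts && maxAge < 31536000) notes.push(`HSTS max-age ${maxAge} is under one year`);
  if (hsts && !/includeSubDomains/i.test(hsts)) notes.push("HSTS lacks includeSubDomains");
  const score = present.length;
  const grade = ["F", "F", "F", "D", "C", "B", "A"][score]; // this example's own scale
  const csp = h["content-security-policy"] ? cspFindings(h["content-security-policy"]) : ["no CSP"];
  return { score, grade, present, missing, csp, notes };
}
```

Run against the constructed header set this returns score 4, grade C, the two missing headers, and seven CSP findings: the four weak sources, 'unsafe-inline' without a nonce or hash, and the absent object-src and base-uri directives, which the article's summary does not mention but which matter just as much for script injection.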

Not sure what fires before consent on your own site? LeadMaxxing's compliance audit maps your pre-consent vs post-consent script loading — so you know exactly what's at risk before a GDPR regulator does.

How Bombas Compares

Above average tracking footprint driven by multi-platform advertising

Is Bombas's tracking footprint unusual? We compared their setup against averages from Cookiebot's 2024 ecommerce compliance report and HTTP Archive data:

Metric Bombas Avg. Ecommerce Difference
Total Cookies 39 24 +63% above avg
Third-Party Cookies 15 11 +36% above avg
Tracking Pixels 10 5 +100% above avg
External Domains 32 22 +45% above avg
Consent Platform Enterprise CMP Basic / None Enterprise tier
Security Headers 4/6 (Grade C) 2-3/6 Above avg but gaps

Bombas's tracking is roughly 50-100% above the industry average across most metrics. But context matters: this isn't careless bloat. With $325M+ in annual revenue and advertising across 5+ platforms, they need granular attribution data to allocate ad spend. The Shopify Plus platform provides a solid analytics foundation, and the OneTrust enterprise consent system shows they take compliance seriously. What's notable is the inclusion of AppLovin — a mobile/CTV network that most DTC brands haven't adopted yet, signaling Bombas is diversifying beyond the traditional Meta/Google duopoly. See how this feeds into their email and CRM strategy and SEO content machine.

Takeaway

Bombas's tracking stack is what a $3.4B valuation Shopify Plus brand's marketing infrastructure actually looks like. 10 pixels, enterprise consent via OneTrust, Shopify's native analytics, and Algolia search personalization is the kind of setup that powers a $325M/year business. The inclusion of AppLovin alongside Meta, Google, Pinterest, and Microsoft shows a brand actively diversifying its ad spend across traditional and emerging channels.

Key Findings

  • → Bombas drops 39 cookies on a single page load — 63% above the ecommerce average of 24, with 15 third-party cookies and the longest-lived (_ga and _shopify_y) persisting for 2 years.
  • → 4 scripts fire before consent including Shopify platform scripts, Google Tag Manager, Algolia search, and OneTrust itself — US visitors get zero consent gate by default.
  • → The tracking stack contacts 32 unique external domains on every page load, with 11 advertising domains alone — 45% above the ecommerce average of 22.
  • → Bombas's CSP is unusually permissive ('unsafe-inline' 'unsafe-eval' https:), allowing any HTTPS script to execute. Combined with missing Referrer-Policy and Permissions-Policy headers, the security grade is C (4/6).
  • → DNS TXT records reveal 28+ third-party integrations including OneTrust (2 entries), Google (5 entries), Shopify (2 entries), Facebook, Pinterest, Stripe, Slack, 1Password, Adobe, Atlassian, Docusign, Dropbox, Notion, OpenAI, Rippling, Smartsheet, and Zoom.
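The consent mechanics behind the second finding, as an added JavaScript example (not code from the page, Bombas, Google or OneTrust): a Google Consent Mode default that is denied for a list of consent-required regions and granted elsewhere, the state a visitor from a given country starts with before the banner answers, and the consent update derived from OneTrust's active-groups string. The region list, the OneTrust group IDs (C0002 Performance, C0004 Targeting) and the 500 ms wait_for_update are assumptions to check against your own setup.

```javascript
// Added example, not code from the page, Bombas, Google or OneTrust.
// EEA + UK + Switzerland as ISO 3166-1 alpha-2 codes (constructed list; adjust).
const CONSENT_REQUIRED_REGIONS = [
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE", "IT", "LV", "LT",
  "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE", "IS", "LI", "NO", "GB", "CH",
];
const CONSENT_KEYS = ["ad_storage", "ad_user_data", "ad_personalization", "analytics_storage"];
const allSet = state => Object.fromEntries(CONSENT_KEYS.map(k => [k, state]));

// Consent Mode defaults pushed before GTM loads. A region-scoped default wins
// for visitors in those regions; the unscoped one covers everyone else, which
// is how "US visitors get zero consent gate by default" comes about.
function consentDefaultCommands() {
  return [
    ["consent", "default", { ...allSet("denied"), wait_for_update: 500, region: CONSENT_REQUIRED_REGIONS }],
    ["consent", "default", allSet("granted")],
  ];
}

// State a visitor from `country` starts with before the CMP answers.
// With no default at all, gtag behaves as if everything were granted.
function effectiveDefault(country, commands = consentDefaultCommands()) {
  let chosen = null;
  for (const [, , params] of commands) {
    if (params.region ? params.region.includes(country) : chosen === null) chosen = params;
  }
  const { region, wait_for_update, ...state } = chosen || allSet("granted");
  return state;
}

// OneTrust exposes OnetrustActiveGroups as ",C0001,C0002," and calls the global
// OptanonWrapper() on load and on every consent change. Group IDs are the usual
// defaults (C0002 Performance, C0004 Targeting); verify them in your tenant.
const ONETRUST_GROUP_TO_KEYS = {
  C0002: ["analytics_storage"],
  C0004: ["ad_storage", "ad_user_data", "ad_personalization"],
};

function consentUpdateFromOneTrust(activeGroups) {
  const active = new Set(activeGroups.split(",").filter(Boolean));
  const update = allSet("denied");
  for (const [group, keys] of Object.entries(ONETRUST_GROUP_TO_KEYS)) {
    if (active.has(group)) for (const k of keys) update[k] = "granted";
  }
  return update;
}

// A tag may fire only when every signal it depends on is granted.
function mayFire(requires, consent) {
  return requires.every(k => consent[k] === "granted");
}

// Wiring as it would sit in the page head; dataLayer is a plain array here so
// the block also runs outside a browser.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }
for (const cmd of consentDefaultCommands()) gtag(...cmd);
function optanonWrapper(activeGroups) {
  gtag("consent", "update", consentUpdateFromOneTrust(activeGroups));
}
```

In a real page the last function is what you assign to window.OptanonWrapper, passing window.OnetrustActiveGroups. Until that callback runs, the only thing keeping a US visitor at "granted" is the unscoped default command; dropping it, or scoping the denied default to every region, is what a consent-first setup looks like. Consent Mode only governs Google tags: Meta, Pinterest and Microsoft pixels still have to be gated separately, by the CMP's script blocking or by consent checks on the GTM tags that load them.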

What This Data Means for You

Turning Bombas's tracking infrastructure into your competitive advantage

You don't need Bombas's $150K tracking stack. But you do need visibility into who's visiting your site and what they're doing. Here's the actionable breakdown by revenue stage:

Under $5M Revenue — Start Here

Must have: GA4 + Meta Pixel + Shopify Analytics (free with Shopify). Nice to have: One additional platform pixel (Pinterest or Microsoft). Skip: Enterprise consent, AppLovin, Algolia. That's 3-4 pixels vs Bombas's 10 — and it covers 80% of the value.

$5M-$50M Revenue — Fill the Gaps

Add: All ad platform pixels where you're running ads. Consider: OneTrust or a consent platform for GDPR/CCPA compliance. Key question: Are your platform ROAS numbers telling different stories? That's the sign you need unified measurement.

The Cost Bombas Pays

Consent management (OneTrust): ~$50K/yr. Search (Algolia): ~$20K/yr. Shopify Plus: ~$24K/yr. Email/SMS: ~$30K/yr. Ad platforms: % of spend. Total: $100K-$200K/yr in SaaS alone, plus a marketing team to manage it.

The 80/20 Alternative

You don't need 10 pixels and a $50K consent platform. LeadMaxxing identifies anonymous visitors, scores leads, tracks conversions, and syncs to your CRM with a single script for $29/month. Get 80% of Bombas's visitor intelligence at 0.2% of the cost.

LeadMaxxing Automates This Tracking Audit Playbook

Bombas spends $100K-$200K/year on their tracking stack with 10 pixels and enterprise consent via OneTrust. LeadMaxxing scans your site, shows you exactly which pixels are firing and where you have gaps, then gives you unified tracking with a single script — starting at $29/month.

Get your free tracking audit →

5 Things You Can Implement Today

Actionable lessons from Bombas's tracking playbook

Run an automated cookie and pixel audit

LeadMaxxing scans your site and shows you exactly which pixels are firing, which cookies are set, and where you have gaps — the same audit you just read, generated for your domain in under 60 seconds.

Fix your missing security headers

Bombas is missing Referrer-Policy and Permissions-Policy headers. Add Referrer-Policy: strict-origin-when-cross-origin (or no-referrer on pages whose URLs carry identifiers) and a Permissions-Policy that switches off camera, microphone, and geolocation for the page and its embedded frames. Referrer-Policy governs what the Referer header carries on every outbound request, including the ones your pixels and scripts make, so the page's path and query string stay home; Permissions-Policy governs which browser features third-party frames may use. Both take 5 minutes in your server config.

Tighten your CSP beyond 'unsafe-eval'

Bombas's CSP allows any HTTPS script. Replace the https: wildcard with the hosts you actually load from, give inline snippets (GTM, pixel bootstraps) a per-response nonce instead of 'unsafe-inline', set object-src 'none' and base-uri 'self', and roll the policy out as Content-Security-Policy-Report-Only first so you see what would break before you enforce it. An allowlist blocks injected scripts and limits the blast radius of a compromised vendor.
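One way to do both of the two fixes above, as an added JavaScript example that is not Bombas's configuration: take the hosts seen in a network capture, emit an allowlist CSP with a nonce placeholder in place of 'unsafe-inline', and return it alongside the Referrer-Policy and Permissions-Policy values. The observed list is constructed from the domain inventory earlier on the page, and the mapping from request type to CSP directive, the {NONCE} placeholder and the /csp-report endpoint are this example's assumptions.

```javascript
// Added example, not Bombas's configuration. The request list is constructed
// from the page's domain inventory; resource types are assumed per host.
const OBSERVED = [
  { host: "cdn.shopify.com",              type: "script" },
  { host: "cdn.onetrust.com",             type: "script" },
  { host: "www.googletagmanager.com",     type: "script" },
  { host: "connect.facebook.net",         type: "script" },
  { host: "bat.bing.com",                 type: "script" },
  { host: "s.pinimg.com",                 type: "script" },
  { host: "cdn.applovin.com",             type: "script" },
  { host: "js.stripe.com",                type: "script" },
  { host: "cdn.algolia.com",              type: "script" },
  { host: "www.google-analytics.com",     type: "xhr" },
  { host: "monorail-edge.shopifysvc.com", type: "xhr" },
  { host: "*.algolia.net",                type: "xhr" },
  { host: "geolocation.onetrust.com",     type: "xhr" },
  { host: "www.facebook.com",             type: "image" },
  { host: "ct.pinterest.com",             type: "image" },
  { host: "c.bing.com",                   type: "image" },
  { host: "res.cloudinary.com",           type: "image" },
  { host: "fonts.googleapis.com",         type: "stylesheet" },
  { host: "fonts.gstatic.com",            type: "font" },
  { host: "m.stripe.network",             type: "frame" },
];

// Which directive governs each captured request type (assumed mapping).
const DIRECTIVE_FOR_TYPE = {
  script: "script-src", xhr: "connect-src", fetch: "connect-src", ping: "connect-src",
  image: "img-src", font: "font-src", stylesheet: "style-src", frame: "frame-src",
};

function buildCsp(observed, { noncePlaceholder = "'nonce-{NONCE}'", reportUri = "/csp-report" } = {}) {
  // Fixed directives first, so nothing falls back to a permissive default.
  const policy = {
    "default-src": new Set(["'self'"]),
    "object-src": new Set(["'none'"]),
    "base-uri": new Set(["'self'"]),
    "frame-ancestors": new Set(["'self'"]),
  };
  // Every fetch directive gets an explicit entry rather than inheriting default-src.
  for (const dir of new Set(Object.values(DIRECTIVE_FOR_TYPE))) policy[dir] = new Set(["'self'"]);
  for (const { host, type } of observed) {
    const dir = DIRECTIVE_FOR_TYPE[type];
    if (dir) policy[dir].add(host);
  }
  // Inline snippets (GTM, pixel bootstraps) carry a per-response nonce; the
  // server must replace the placeholder and stamp the same value on each tag.
  policy["script-src"].add(noncePlaceholder);
  return Object.entries(policy)
    .map(([dir, srcs]) => `${dir} ${[...srcs].join(" ")}`)
    .join("; ") + `; report-uri ${reportUri}`;
}

// The header set to ship. The CSP goes out report-only until the report
// endpoint is quiet; Permissions-Policy delegates payment to Stripe's frame
// and turns the sensitive features off for the page and every embedded frame.
function recommendedHeaders(observed) {
  return {
    "Content-Security-Policy-Report-Only": buildCsp(observed),
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": 'camera=(), microphone=(), geolocation=(), payment=(self "https://js.stripe.com")',
  };
}
```

Two things the generated policy deliberately leaves out: the https: wildcard and every 'unsafe-' keyword. Expect the first report-only run to surface hosts the capture missed (checkout, account pages, A/B test variants), and on Shopify themes expect inline styles to need either a nonce on style-src or a reconsidered 'unsafe-inline' for styles only, which is far less dangerous than the same keyword on script-src.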

Diversify beyond Meta and Google

Bombas runs Pinterest, Microsoft UET, and AppLovin alongside the standard Meta/Google stack. Test one new ad channel per quarter — Microsoft Ads is underpriced, and Pinterest converts well for gifting products.


Frequently Asked Questions

How many cookies does Bombas's website set?
Bombas drops 39 cookies on a single page load — roughly 63% above the average ecommerce site (which sets ~24 cookies according to Cookiebot's 2024 compliance report). The split: 24 first-party cookies and 15 third-party cookies. By category: 14 advertising (36%), 9 analytics (23%), 8 functional (21%), 4 personalization (10%), and 4 strictly necessary (10%). The longest-lived cookies are Google Analytics's _ga and Shopify's _shopify_y, both persisting for 2 years.
Does Bombas use Google Tag Manager?
Yes, Bombas uses Google Tag Manager (GTM) as their primary tag orchestration system. GTM loads early in the page load (see the network waterfall above) and evaluates consent state through Consent Mode: the default is denied for EU visitors and granted for everyone else. Bombas has 5 separate Google site verification entries in their DNS, indicating deep integration across Search Console, GA4, Google Ads, and Merchant Center.
What consent management platform does Bombas use?
Bombas uses OneTrust, the enterprise-tier consent management platform ($50K+/yr) also used by Nike, Adidas, and ASOS. This is confirmed by two separate onetrust-domain-verification entries in Bombas's DNS TXT records. OneTrust auto-categorizes cookies into Strictly Necessary, Performance, Functional, and Targeting groups. EU/UK visitors see a GDPR-compliant opt-in banner. US visitors see no consent banner by default.
What advertising platforms does Bombas use for retargeting?
Bombas's privacy policy explicitly names five advertising platforms: Meta (Facebook/Instagram), Google, Microsoft (Bing Ads), Pinterest, and AppLovin. DNS records further confirm Facebook domain verification and Pinterest site verification. Each platform places cookies and pixels on bombas.com for retargeting, conversion tracking, and audience building.
How secure is Bombas's website?
Bombas earns a security headers grade of C (4 out of 6 headers present). Present: HSTS (max-age=31536000 with includeSubDomains), Content-Security-Policy, X-Frame-Options (SAMEORIGIN), and X-Content-Type-Options (nosniff). Missing: Referrer-Policy (which controls what URL data leaks to third parties) and Permissions-Policy (which restricts browser API access). The CSP is unusually permissive, allowing 'unsafe-inline', 'unsafe-eval', and all https: sources.
Does Bombas run on Shopify?
Yes, Bombas runs on Shopify Plus. This is confirmed by two shopify-verification-code entries in their DNS TXT records and Shopify's inclusion in their SPF email authentication record. Bombas migrated from Magento to Shopify Plus, requiring custom apps for inventory management due to their unisex sizing system. Shopify's native analytics cookies (_shopify_y, _shopify_s, _shopify_sa_t) provide built-in ecommerce tracking.
What email marketing platform does Bombas use?
Bombas's SPF record includes Mailgun and SenderGen alongside Google Workspace for email sending. Mailgun is an email delivery service commonly used by Shopify Plus merchants for transactional and marketing emails. SenderGen is a newer email infrastructure provider. The exact ESP (Klaviyo, Attentive, etc.) is not determinable from DNS alone, but the Mailgun inclusion suggests a sophisticated email stack with dedicated delivery infrastructure.
How many third-party scripts load on bombas.com?
Loading bombas.com triggers requests to 32 unique external domains. By category: 11 advertising domains (Meta, Google, Pinterest, Microsoft, AppLovin), 6 analytics domains (GTM, GA4, Shopify), 7 CDN/performance domains (Shopify CDN, Google Fonts, Cloudinary, jsDelivr), 3 personalization domains (Algolia), 3 consent domains (OneTrust), and 2 payment domains (Stripe). This is 45% above the ecommerce average of 22 external domains.

Sources & References

Bombas Privacy Policy — Bombas's official privacy policy confirms Meta, Google, Microsoft, Pinterest, and AppLovin as third-party vendors placing cookies and pixels on their site.
bombas.com/pages/privacy-policy
Bombas UK Privacy & Cookie Policy — Detailed cookie policy and data collection practices for UK visitors, including GDPR-specific disclosures.
assets.bombas.com (PDF)
BuiltWith Technology Profile — Third-party technology detection and profiling for bombas.com, confirming Shopify Plus platform and marketing technology stack.
builtwith.com/bombas.com
Bombas Shopify Migration Case Study — Sunrise Integration's case study on Bombas's migration from Magento to Shopify Plus, including custom app development.
sunriseintegration.com
Bombas Revenue & Valuation Data — Estimated $325M annual revenue and $3.4B valuation, the largest Shark Tank success story by lifetime sales.
taptwicedigital.com/stats/bombas
CSP Header & DNS TXT Record Analysis — Tracking pixels, analytics tags, and third-party integrations identified by parsing bombas.com's Content-Security-Policy header and DNS TXT records including OneTrust, Facebook, Google, Pinterest, Shopify, and Stripe domain verifications.
Compiled by LeadMaxxing — we track how brands build, test, and optimize their marketing so you can learn from the best.