It might be not sending any extra data - which can be verified via packet sniffing like Wireshark - but how do you confirm they are not saving the legit requests you do and collect it silently at the backend? It cannot be proven (beyond reasonable doubt).