All Vendors
data_enrichment
Adplexity

Adplexity

100% pre-consent tracking with zero named subprocessors in their 2017-dated privacy policy. Hong Kong-based ad intelligence company deploying 8 tracking vendors including Microsoft Clarity, Meta Pixel, and LinkedIn before any consent mechanism. Privacy policy predates GDPR.

58 IOCs102 detections3% pre-consent100 sites
85
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what Adplexity discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

102 detections across 100 sites3% pre-consent activity1 critical disclosure gap
CRITICAL

Subprocessor Disclosure

8 specific vendors (Clarity, DoubleClick, GA4, Google Ads, Intercom, LinkedIn, Mapbox, MetaPixel) load pre-consent with zero named

GDPR Art 13GDPR Art 14GDPR Art 28
MEDIUM

Pre-Consent Activity

Adplexity was observed loading and executing before user consent was obtained on 3% of sites where it was detected.

GDPRePrivacy
HIGH

Jurisdiction Disclosure

Data transmitted to US-based vendors (Google, Meta, Microsoft, LinkedIn) without disclosure

GDPR Art 44GDPR Art 45GDPR Art 46
HIGH

Policy Currency

Policy predates GDPR enforcement (May 2018), unchanged for 8+ years

GDPR Art 12 (transparency)GDPR Art 5(1)(a) (fairness)
HIGH

Undisclosed Party

Not in privacy policy

Disclosure Gaps

Claims vs. Observed Behavior

4 gaps
1 CRIT2 HIGH1 MED
Classified:BTI-X01BTI-X02BTI-X05BTI-X06

Subprocessor Disclosure

GDPR Art 13 · GDPR Art 14 · GDPR Art 28CRITICAL
They Claim

Privacy policy Section 4 mentions disclosure to 'third party service providers' generically

Observed Behavior

8 specific vendors (Clarity, DoubleClick, GA4, Google Ads, Intercom, LinkedIn, Mapbox, MetaPixel) load pre-consent with zero named

Runtime scan of adplexity.com shows all 8 vendors fire on page load before consent

Jurisdiction Disclosure

GDPR Art 44 · GDPR Art 45 · GDPR Art 46HIGH
They Claim

Section 5 states data stored in Hong Kong

Observed Behavior

Data transmitted to US-based vendors (Google, Meta, Microsoft, LinkedIn) without disclosure

Network analysis shows requests to google-analytics.com, facebook.com, linkedin.com, clarity.ms

Policy Currency

GDPR Art 12 (transparency) · GDPR Art 5(1)(a) (fairness)HIGH
They Claim

Policy effective Nov 29, 2017

Observed Behavior

Policy predates GDPR enforcement (May 2018), unchanged for 8+ years

Policy footer states 'effective as of 29 Nov 2017'

Customer Impact

What This Means For You

If you use AdPlexity for competitive intelligence, your research patterns flow through 8 pre-consent vendors including Microsoft Clarity (session recording), Meta Pixel, LinkedIn, and Google Ads. Under GDPR Art 28, AdPlexity's privacy policy names zero subprocessors while 8 are detected at runtime. The 2017-dated policy predates GDPR entirely, containing no modern privacy framework references. As a Hong Kong entity, enforcement mechanisms are limited. Your competitive research activity — which pages you analyze, which advertisers you monitor — becomes demand signal inventory for the same ad networks you're researching.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Adplexity

  • Audit your privacy policy — AdPlexity's undisclosed vendors may affect your compliance posture if their tools process your data
  • Request their subprocessor list — they have none published despite 8 vendors detected at runtime
  • Document that their 2017 privacy policy predates GDPR — this creates compliance uncertainty for EU usage
  • Consider that their ad network relationships may expose your competitive research patterns to the platforms you monitor
  • Implement your own consent mechanism — do not rely on AdPlexity's non-existent compliance infrastructure

If You're Evaluating Adplexity

  • Note the 2017-dated privacy policy with zero GDPR references — this is a fundamental compliance gap
  • Request SOC2 or any security certification — expect none to exist for a Hong Kong-based ad spy tool
  • Assess whether competitive intelligence gathered through AdPlexity creates data processing obligations under GDPR Art 14
  • Factor in that your research activity becomes demand signal data for the same ad networks being monitored
  • Consider alternatives with modern privacy compliance infrastructure before committing

Negotiation Leverage

  • Privacy policy modernization: AdPlexity's privacy policy dates from 2017, predating GDPR. Require updated privacy policy with GDPR/CCPA language and named subprocessor list as a contract precondition.
  • Subprocessor disclosure: Zero vendors named while 8 detected at runtime. Require complete enumeration of all third-party data recipients.
  • Pre-consent remediation: 100% pre-consent rate. Require contractual guarantee that tracking fires only after consent on their properties where your data is processed.
Runtime Detections

Runtime Detections

5 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

BTI-C09Consent Bypass

Ignoring CMP signals

BTI-C10Fingerprinting

Device identification

BTI-C14Identity Resolution

PII deanonymization

IOC Manifest

IOC Manifest

55 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*adplexity.com/cdn-cgi/scripts/*/cloudflare-static/email-decode.js*
Tracking script
TRACK
*adplexity.com/index/script.*.js*
Tracking script
TRACK
*adplexity.com/cdn-cgi/challenge-platform/scripts/jsd/main.js*
Tracking script
TRACK
*adplexity.com/cdn-cgi/challenge-platform/h/b/scripts/jsd/*/main.js*
Tracking script
TRACK
*adplexity.com/index/splide.esm.*.js*
Tracking script
TRACK
adplexity.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js
Auto-extracted from scan
TRACK
adplexity.com/index/script.90367ac3.js
Auto-extracted from scan
TRACK
adplexity.com/index/splide.esm.fb937d05.js
Auto-extracted from scan
TRACK
adplexity.com/cdn-cgi/challenge-platform/scripts/jsd/main.js
Auto-extracted from scan
TRACK
adplexity.com/cdn-cgi/challenge-platform/h/b/scripts/jsd/d251aa49a8a3/main.js
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

AdPlexity operates as an ad intelligence/spy tool for affiliate marketers. Supply chain position: END-USER TOOL with significant third-party dependencies. Their site loads: Microsoft Clarity (session recording), Google Analytics 4 (analytics), Google Ads + DoubleClick (advertising), Meta Pixel (social advertising), LinkedIn (B2B advertising), Intercom (customer chat), Mapbox (mapping). They are detected on 98 sites in our scan corpus, typically loaded indirectly. As a surveillance tool vendor, their own surveillance practices create recursive risk - they monitor ad campaigns while being monitored by the same ad networks. STM Ventures Partners is their investor. No known acquisitions or parent company beyond the AdIntelligence Limited legal shell in Hong Kong.
Loads (2)
LinkedinMetapixel
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

58 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details