How This Briefing Works
This dossier opens with key findings, then maps the gap between what Antvoice discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 1 sites
vendor fires before consent
1 CRIT · 2 HIGH
Briefing
Antvoice is a Paris-based programmatic advertising platform founded in 2011, specializing in "hybrid AI" that combines cookie-based and cookieless targeting. While the company claims GDPR compliance, IAB TCF participation, and explicitly states they do not use fingerprinting or collect PII, runtime analysis of their own website reveals 37 third-party vendors including identity resolution platforms (Clearbit, HubSpot) that directly contradict their anonymous-only positioning. With 12 vendors loading pre-consent and 25+ vendors undisclosed in their privacy policy, Antvoice represents a significant disclosure gap between privacy claims and operational reality.
What This Means For You
YOUR programmatic campaigns through Antvoice flow through a vendor ecosystem nearly 5x larger than disclosed. YOUR audience targeting data — which segments you activate, which creatives perform, which sites drive conversions — passes through a platform with undisclosed connections to HubSpot, LinkedIn, and multiple advertising networks. YOUR trust in Antvoice's "no personal data" claim may be misplaced: 37 detected vendors include analytics and identity platforms that process personal data by definition. Under GDPR, YOUR records of processing must account for Antvoice's actual vendor chain, not the 8 they disclose.
Risk Channel Breakdown
Antvoice deploys identity resolution vendors (Clearbit, HubSpot) while claiming anonymous-only data collection. This creates measurement corruption as their stated cookieless/anonymous positioning conflicts with actual visitor identification occurring on their platform, making attribution claims unreliable.
The presence of HubSpot, LinkedIn, and multiple advertising networks on Antvoice properties means demand signals and visitor intelligence flow to platforms that aggregate cross-site behavior. Competitors and clients using these same platforms gain visibility into Antvoice site visitors.
37 third-party scripts create substantial attack surface. Each vendor represents a potential supply chain compromise vector. The gap between disclosed (8) and detected (37) vendors means security teams cannot accurately assess or monitor the actual threat surface.
With 4.2% pre-consent tracking, 12 pre-consent vendors, and 25+ undisclosed third parties, Antvoice faces significant GDPR Article 28 (processor disclosure) and Article 7 (valid consent) exposure. Their IAB TCF registration (#155) creates additional liability if consent mechanisms do not cover all detected vendors.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
False certification claims
Data to undisclosed regions
Collection exceeds disclosed scope
CMP vendor list vs runtime
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Antvoice's public claims against observed runtime behavior and identified 4 contradictions.
"Privacy policy lists 8 partners/processors"
37 third-party vendors detected at runtime
3 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 8, observed 8
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →