How This Briefing Works
This dossier opens with key findings, then maps the gap between what Apify discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 1 sites
vendor fires before consent
1 CRIT · 2 HIGH
Briefing
Apify is a Prague-based web scraping and automation platform (founded 2015, ~155 employees) that enables data extraction at scale. Despite GDPR compliance claims and a stated commitment to "maximum security and privacy," BLACKOUT's runtime analysis reveals 100% pre-consent tracking with 26+ third-party vendors firing before any consent interaction. Only 7 of these vendors are disclosed in their cookie policy. The presence of B2B identification vendors (Leadfeeder, TrenDemon) directly contradicts their privacy policy claim that "aggregate data does not contain any personal data." Their subprocessor list is gated behind NDA, making independent verification impossible.
What This Means For You
YOUR web scraping and automation workflows through Apify route through a platform with 19 undisclosed vendor dependencies. YOUR scraping targets and automation patterns — competitive intelligence about your data strategy — flow through a vendor that runs Leadfeeder and TrenDemon on its own site. If YOUR development team visits apify.com for documentation, YOUR corporate identity is captured by B2B identification vendors before consent. YOUR compliance posture is affected: claiming "maximum security and privacy" while underdisclosing vendors by nearly 4x calls into question Apify's data handling for your scraping payloads.
Risk Channel Breakdown
Heavy Google Analytics, HubSpot, and Segment deployment creates measurement dependency. Multiple overlapping analytics vendors (Hotjar, Clarity, GA4) suggest fragmented data infrastructure that could produce conflicting attribution.
B2B identification vendors Leadfeeder and TrenDemon are present, actively identifying visitor companies. G2 integration signals intent data capture. These vendors aggregate demand signals across their customer base, potentially exposing Apify's prospect intelligence to competitors also using these platforms.
26+ third-party scripts create substantial attack surface. Pre-consent loading of ad networks (DoubleClick, BingAds, TikTok, Twitter, Reddit, LinkedIn) exposes visitors to cross-site tracking before any consent. Cheq presence suggests awareness of bot/fraud issues but doesn't mitigate the vendor sprawl risk.
100% pre-consent tracking rate with GDPR compliance claims creates direct regulatory exposure. Undisclosed vendors (19 observed vs 7 disclosed) violates GDPR Art 13 transparency requirements. NDA-gated subprocessor list makes due diligence impossible for prospective customers.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
Long-lived identifiers
Container/loader (neutral)
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
False certification claims
Security claims vs evidence
Gated or missing due diligence docs
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Apify's public claims against observed runtime behavior and identified 4 contradictions.
"Cookie policy discloses 7 vendors"
26+ vendors detected at runtime
3 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 7, observed 8
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →