How This Briefing Works
This dossier opens with key findings, then maps the gap between what Appcues discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 2 sites
vendor fires before consent
1 CRIT · 2 HIGH
Briefing
Appcues is a Boston-based product-led growth platform providing no-code user onboarding and in-app messaging. Despite claiming SOC2 Type II, GDPR, and CCPA compliance, analysis of their own website reveals 22 third-party vendors loading pre-consent (50% pre-consent rate), including identity resolution vendors Clearbit, Leadfeeder, and Dealfront, plus advertising trackers like Criteo, MetaPixel, and DoubleClick. This creates significant disclosure gaps where observed data collection substantially exceeds what is documented in their privacy policy.
What This Means For You
YOUR product onboarding flows powered by Appcues may be loading third-party scripts before your users consent. YOUR user behavior data — which features they explore, where they drop off, what they click — flows through Appcues to analytics and identity resolution vendors. If you use Appcues alongside Segment or GTM, YOUR data pipeline includes undisclosed vendor connections that YOUR DPA with Appcues does not cover. Under SOC2 trust principles, YOUR audit trail has gaps that Appcues' own compliance certifications fail to address.
Risk Channel Breakdown
Appcues enables product analytics and user onboarding flows. When deployed, it captures detailed user behavior data that can affect attribution accuracy. Their use of identity resolution vendors (Clearbit, Leadfeeder) on their own site indicates potential for visitor identification capabilities that could distort measurement.
Identity resolution vendors detected on appcues.com (Clearbit, Leadfeeder, Dealfront) represent demand signal leakage. Visitor intent data flowing to these platforms feeds competitive intelligence ecosystems that can be accessed by competitors.
22 third-party scripts loading creates substantial attack surface. Pre-consent loading of tracking pixels and identity resolution tools bypasses consent gates, creating security exposure through unmandated code execution.
50% pre-consent tracking rate with SOC2/GDPR/CCPA claims creates regulatory exposure. CookieYes CMP detected but bypassed by majority of vendors. Privacy policy states no data sale but advertising/identity resolution vendors observed indicate potential data sharing gaps.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Ignoring CMP signals
Device identification
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
False certification claims
Collection exceeds disclosed scope
CMP vendor list vs runtime
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Appcues's public claims against observed runtime behavior and identified 3 contradictions.
"GDPR/CCPA compliance with CookieYes CMP"
22 vendors loading pre-consent (50% rate)
2 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
bing-ads, intercom, amplitude…
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →