How This Briefing Works
This report opens with key findings, then maps the gaps between what Bannerflow discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Key Findings
29 detections across 26 sites17% pre-consent activity
MEDIUM
Pre-Consent Activity
Bannerflow was observed loading and executing before user consent was obtained on 17% of sites where it was detected.
GDPRePrivacy
HIGH
Consent Compliance
17.9% of detections show pre-consent tracking
GDPR Art 6GDPR Art 7ePrivacy Directive
HIGH
Undisclosed Party
Not in privacy policy
HIGH
Undisclosed Sharing
Hidden data recipients
HIGH
Compliance Claim Mismatch
False certification claims
Disclosure Gaps
Claims vs. Observed Behavior
2 gaps
1 HIGH1 MED
Classified:BTI-X01BTI-X02BTI-X05
Consent Compliance
GDPR Art 6 · GDPR Art 7 · ePrivacy DirectiveHIGH
They Claim
“GDPR compliant, IAB TCF participant (ID 273)”
Observed Behavior
17.9% of detections show pre-consent tracking
Runtime scans show Emerse, Gravite, and HubSpot loading before consent obtained
Disclosure Gap
GDPR Art 13 · GDPR Art 28MEDIUM
They Claim
“Privacy policy discloses data processors”
Observed Behavior
Emerse and Gravite not mentioned despite active tracking
Runtime detection of Emerse and Gravite on bannerflow.com not disclosed in privacy policy
Customer Impact
What This Means For You
YOUR display ad creatives published through Bannerflow reach 100+ networks where undisclosed vendor dependencies may introduce tracking YOUR privacy policy does not account for. YOUR campaign data flows through a platform that fires Emerse and Gravite pre-consent while claiming IAB TCF compliance — YOUR consent framework may be undermined at the creative delivery layer. YOUR DPA with Bannerflow must account for data flows across 100+ publishing networks, each with their own vendor ecosystems. YOUR regulatory exposure extends to every network where Bannerflow publishes YOUR ads with undisclosed tracking.
Recommended Actions
What To Do About It
Role-specific actions based on observed behavior
If You Use Bannerflow
- →Audit your CMP configuration to ensure Bannerflow scripts only fire after valid consent
- →Request updated subprocessor list directly from Bannerflow and compare against runtime detections
- →Verify your DPA covers Emerse and Gravite as potential subprocessors
- →Review data flows across the 100+ publishing networks for undisclosed vendor exposure
If You're Evaluating Bannerflow
- →Request complete vendor and subprocessor list before any engagement
- →Verify IAB TCF compliance against 17.9% pre-consent detection rate
- →Compare with other creative management platforms on vendor transparency
- →Require contractual guarantees on consent enforcement across all publishing destinations
Negotiation Leverage
- →IAB TCF vs pre-consent: TCF participant (ID 273) yet 17.9% of detections show pre-consent tracking — use this contradiction to negotiate enhanced consent enforcement guarantees
- →Undisclosed vendors: Emerse and Gravite fire pre-consent on bannerflow.com — require named vendor disclosure and DPA coverage for all detected vendors
- →100+ network exposure: Publishing ads across 100+ networks multiplies undisclosed vendor risk — negotiate vendor disclosure requirements for each publishing destination
- →Creative data sensitivity: Display ad creatives and performance data reveal campaign strategy — negotiate restrictions on campaign intelligence sharing across the network
Runtime Detections
Runtime Detections
5 BTI-C CODES
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
BTI-C01Defeat Device
Evasion infrastructure, auditor bypass
BTI-C06Behavioral Biometrics
Keystroke/mouse tracking
BTI-C08Cross-Domain Sync
Identity stitching
BTI-C09Consent Bypass
Ignoring CMP signals
BTI-C10Fingerprinting
Device identification
IOC Manifest
IOC Manifest
142 INDICATORS
Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
TRACK
*www.bannerflow.com/hs/hsstatic/jquery-libs/static-1.1/jquery/jquery-1.7.1.js*
Tracking script
TRACK
*www.bannerflow.com/hs/cta/cta/current.js*
Tracking script
TRACK
*www.bannerflow.com/hs/hsstatic/cos-i18n/static-1.53/bundles/project.js*
Tracking script
TRACK
*www.bannerflow.com/hs/hsstatic/content-cwv-embed/static-1.*/embed.js*
Tracking script
TRACK
*www.bannerflow.com/hubfs/hub_generated/template_assets/1/*/*/template_aos.js*
Tracking script
TRACK
*www.bannerflow.com/hubfs/hub_generated/module_assets/1/*/*/module_Text_animation_v2.js*
Tracking script
TRACK
*www.bannerflow.com/hubfs/hub_generated/module_assets/1/*/*/module_Homepage_only_-_video_v2.js*
Tracking script
TRACK
*www.bannerflow.com/hubfs/hub_generated/module_assets/1/*/*/module_Homepage_testimonial.js*
Tracking script
TRACK
*www.bannerflow.com/hubfs/hub_generated/module_assets/1/*/*/module_footer-section.js*
Tracking script
TRACK
*www.bannerflow.com/hubfs/hub_generated/template_assets/1/*/*/template_main.js*
Tracking script
TRACK
*www.bannerflow.com/hubfs/hub_generated/template_assets/1/*/*/template_parallax.js*
Tracking script
TRACK
*www.bannerflow.com/hs/hsstatic/HubspotToolsMenu/static-1.636/js/index.js*
Tracking script
TRACK
*www.bannerflow.com/hs/scriptloader/*.js*
Tracking script
TRACK
*www.bannerflow.com/script.js*
Tracking script
TRACK
*www.bannerflow.com/hubfs/build_assets/bannerflow-project/239/js_client_assets/assets/Header-CNEHZSM-.js*
Tracking script
TRACK
*www.bannerflow.com/hubfs/build_assets/bannerflow-project/239/js_client_assets/assets/lottie-react.esm-L0dPdX8Y.js*
Tracking script
TRACK
*www.bannerflow.com/hubfs/build_assets/bannerflow-project/239/js_client_assets/assets/motion-BYFwtbHg.js*
Tracking script
TRACK
*www.bannerflow.com/hubfs/build_assets/bannerflow-project/239/js_client_assets/assets/Icon-C-FQJsoL.js*
Tracking script
TRACK
*www.bannerflow.com/hubfs/build_assets/bannerflow-project/239/js_client_assets/assets/virtual_clientRenderIsland-BO7GzHAG.js*
Tracking script
TRACK
*www.bannerflow.com/hs/cta/ctas/v2/public/cs/cta-loaded.js*
Tracking script
TRACK
www.bannerflow.com/hs/hsstatic/jquery-libs/static-1.1/jquery/jquery-1.7.1.js
Auto-extracted from scan
TRACK
www.bannerflow.com/hs/cta/cta/current.js
Auto-extracted from scan
TRACK
www.bannerflow.com/script.js
Auto-extracted from scan
TRACK
www.bannerflow.com/hs/hsstatic/content-cwv-embed/static-1.1293/embed.js
Auto-extracted from scan
TRACK
www.bannerflow.com/hubfs/hub_generated/template_assets/1/108428198765/1770993091474/template_aos.min.js
Auto-extracted from scan
TRACK
www.bannerflow.com/hs/hsstatic/cos-i18n/static-1.53/bundles/project.js
Auto-extracted from scan
TRACK
www.bannerflow.com/hubfs/hub_generated/module_assets/1/182972397746/1741799785592/module_Text_animation_v2.min.js
Auto-extracted from scan
TRACK
www.bannerflow.com/hubfs/hub_generated/module_assets/1/181685321296/1740785866642/module_Homepage_only_-_video_v2.min.js
Auto-extracted from scan
TRACK
www.bannerflow.com/hubfs/hub_generated/module_assets/1/181870226095/1741799780774/module_Homepage_testimonial.min.js
Auto-extracted from scan
TRACK
www.bannerflow.com/hubfs/hub_generated/template_assets/1/108425471752/1770993087971/template_parallax.min.js
Auto-extracted from scan
TRACK
www.bannerflow.com/hubfs/hub_generated/template_assets/1/108428526857/1770993086214/template_main.min.js
Auto-extracted from scan
TRACK
www.bannerflow.com/hubfs/hub_generated/module_assets/1/108428198750/1741799620017/module_footer-section.min.js
Auto-extracted from scan
TRACK
www.bannerflow.com/hs/scriptloader/1906005.js
Auto-extracted from scan
TRACK
www.bannerflow.com/hs/hsstatic/HubspotToolsMenu/static-1.636/js/index.js
Auto-extracted from scan
TRACK
www.bannerflow.com/hubfs/build_assets/bannerflow-project/239/js_client_assets/assets/Header-CNEHZSM-.js
Auto-extracted from scan
TRACK
www.bannerflow.com/hubfs/build_assets/bannerflow-project/239/js_client_assets/assets/virtual_clientRenderIsland-BO7GzHAG.js
Auto-extracted from scan
TRACK
www.bannerflow.com/hubfs/build_assets/bannerflow-project/239/js_client_assets/assets/lottie-react.esm-L0dPdX8Y.js
Auto-extracted from scan
TRACK
www.bannerflow.com/hubfs/build_assets/bannerflow-project/239/js_client_assets/assets/Icon-C-FQJsoL.js
Auto-extracted from scan
TRACK
www.bannerflow.com/hubfs/build_assets/bannerflow-project/239/js_client_assets/assets/motion-BYFwtbHg.js
Auto-extracted from scan
TRACK
www.bannerflow.com/hs/cta/ctas/v2/public/cs/cta-loaded.js
Auto-extracted from scan
Ecosystem
Ecosystem & Supply Chain
Bannerflow operates as a creative management platform in the display advertising ecosystem. It receives customer creative assets and publishes to 100+ ad networks including Google Marketing Platform, Meta, TikTok, The Trade Desk, Criteo, and others. The platform is typically loaded indirectly via tag managers (most common load method: indirect). On their own property, Bannerflow loads Google Analytics, Google Tag Manager, HubSpot, and undisclosed partners Emerse and Gravite. The company received majority investment from Tenzing in July 2024, signaling growth focus toward UK and US markets.
Loads (1)
Evidence
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
HAR Capture
Complete network capture with all requests and responses
IOC Manifest
163 detection signatures across scripts, domains, cookies, and network endpoints