QA mode · Tier:PUBLIC(override via ?tier=paid | premium)
← All Vendors
advertising
Bannerflow

Bannerflow

Bannerflow publishes ads to 100+ networks while firing undisclosed vendors Emerse and Gravite pre-consent — a creative management platform with 17.9% pre-consent tracking that undermines its IAB TCF participation and GDPR compliance claims.

142 IOCs observed2 detections100% pre-consent1 sites
80
Vendor Risk Score
Tier: HOSTILE
Observation Coverage

BLACKOUT observes runtime behavior in the browser. This dossier reflects browser-side execution, which is one of five vendor data-egress classes. Server-to-server transfers, backend integrations, and offline data flows are outside this observation boundary.

BLACKOUT observes runtime behavior and cites the regulations that address that behavior pattern. Legal determinations are the customer's counsel's call.

How This Briefing Works

This dossier opens with key findings, then maps the gap between what Bannerflow discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.

Key Findings

At a Glance

Detections
2

across 1 sites

Pre-Consent Rate
100%

vendor fires before consent

Disclosure Gaps
2

1 HIGH

Claims-vs-Reality Classified
BTI-X01BTI-X02BTI-X05
Summary

Briefing

Bannerflow is a Stockholm-based creative management platform (CMP) founded in 2010 that enables marketing teams to create and publish HTML5 display ads across 100+ networks. While the company claims GDPR compliance and participates in IAB TCF (ID 273), runtime analysis reveals a 17.9% pre-consent tracking rate with undisclosed third-party vendors (Emerse, Gravite) loading before consent is obtained. This creates compliance liability for customers deploying Bannerflow creatives, as the gap between stated compliance posture and observed behavior undermines GDPR consent requirements.

Customer Impact

What This Means For You

YOUR display ad creatives published through Bannerflow reach 100+ networks where undisclosed vendor dependencies may introduce tracking YOUR privacy policy does not account for. YOUR campaign data flows through a platform that fires Emerse and Gravite pre-consent while claiming IAB TCF compliance — YOUR consent framework may be undermined at the creative delivery layer. YOUR DPA with Bannerflow must account for data flows across 100+ publishing networks, each with their own vendor ecosystems. YOUR regulatory exposure extends to every network where Bannerflow publishes YOUR ads with undisclosed tracking.

Collapse Engine

Risk Channel Breakdown

Oracle
Truth Collapse
40

As an ad creative platform, Bannerflow does not directly corrupt measurement. However, undisclosed tracking partners (Emerse, Gravite) may create attribution conflicts for customers by introducing untracked data flows that fragment the measurement chain.

Broker
Control Collapse
100

Bannerflow publishes ads to 100+ networks including competitors' DSPs. The undisclosed tracking vendors create potential demand signal leakage - customer campaign data may flow to parties not covered by data processing agreements, enabling competitive intelligence gathering.

Reaper
Safety Collapse
0

Pre-consent tracking creates regulatory attack surface. Customers using Bannerflow creatives inherit the compliance gap, exposing them to GDPR enforcement risk. The 17.9% pre-consent rate represents measurable non-compliance evidence.

Counselor
Legitimacy Collapse
100

The company claims GDPR compliance and IAB TCF participation but loads tracking scripts before consent. This creates consent divergence - the legal position (compliant) does not match the technical reality (pre-consent tracking). Customers face vicarious liability for Bannerflow's consent violations.

BTI Codes

Threat Indicators

Runtime-observed (BTI-C)

BTI-C01
Defeat Device

Evasion infrastructure, auditor bypass

BTI-C06
Behavioral Biometrics

Keystroke/mouse tracking

BTI-C08
Cross-Domain Sync

Identity stitching

BTI-C09
Consent Bypass

Ignoring CMP signals

BTI-C10
Fingerprinting

Device identification

Claims-vs-Reality (BTI-X)

BTI-X01
Undisclosed Party

Not in privacy policy

BTI-X02
Undisclosed Sharing

Hidden data recipients

BTI-X05
Compliance Claim Mismatch

False certification claims

3
BTI Consequences Identified

Per-code narrative explanations of what each detected behavior means for your organization

Available in VIDB Subscription

Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →

Disclosure Gaps

Claims vs. Reality

2
Gaps Observed
1 HIGH1 MEDIUM

BLACKOUT analyzed Bannerflow's public claims against observed runtime behavior and identified 2 contradictions.

BTI-X01BTI-X02BTI-X05
Featured Gap
Consent Compliance
HIGH
They Claim

"GDPR compliant, IAB TCF participant (ID 273)"

BLACKOUT Observed

17.9% of detections show pre-consent tracking

1 more gap — with regulatory citations and evidence pointers — available with subscription.

Available in VIDB Subscription

Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →

Recommended Actions

What To Do

Recommended Actions
8

4 for current users · 4 for evaluators

Negotiation Leverage
4

contractual leverage points

Available in VIDB Subscription

Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →

Ecosystem

Supply Chain & Pairings

Subprocessor Disclosure Gap
0undisclosed

Claims 4, observed 4

Available in VIDB Subscription

Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →

Profile: bannerflowFirst Seen: 2026-01-22Last Updated: 2026-02-24