How This Briefing Works
This dossier opens with key findings, then maps the gap between what Bionic Ads discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 1 sites
vendor fires before consent
Briefing
Bionic Advertising Systems (owned by NextMark, Inc.) is a media planning and buying software platform based in Hanover, NH. The company has been profitable for 20+ years and serves ad agencies and advertisers. Their own website deploys an extensive third-party vendor ecosystem (22+ vendors detected) including intent data providers like Intentdata, Rockerbox, and Semcasting, with 6 vendors loading pre-consent. Their privacy policy dates from 2019 and explicitly states they do not honor Do Not Track signals. The primary concern is the gap between their generic disclosure of third parties and the specific data brokers observed receiving visitor data.
What This Means For You
YOUR media planning data processed through Bionic may flow to intent data vendors detected on their own site. YOUR agency's campaign strategies and budget allocations could leak to competitive intelligence platforms through undisclosed vendor relationships. If YOUR team evaluates Bionic by visiting their site, YOUR corporate visit data flows to 4 intent data brokers — revealing YOUR evaluation activity to the broader data marketplace. Without a formal DPA covering GDPR/CCPA obligations, YOUR data processing through Bionic lacks the regulatory safeguards required for EU or California operations.
Risk Channel Breakdown
As a media planning platform, Bionic handles advertising campaign data and placement decisions. Their own site loads multiple attribution and analytics vendors that could leak competitive campaign intelligence to third parties who also serve competitors.
Intent data vendors detected (Intentdata, Rockerbox, Semcasting, TrenDemon) on their website may syndicate visitor behavior data to competitive intelligence platforms, potentially revealing which agencies and advertisers are evaluating or using Bionic.
Multiple ad tech vendors loading pre-consent (DoubleClick, GoogleAds, HubSpot, LinkedIn, Wistia, GA4) creates attack surface through third-party JavaScript. The 2019 privacy policy predates many current security and privacy regulations.
Privacy policy explicitly states DNT is not honored. 4.2% pre-consent tracking rate indicates consent bypass. No GDPR or CCPA specific compliance language despite serving global advertising industry. Outdated policy (2019) creates regulatory exposure.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Ignoring CMP signals
Device identification
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Bionic Ads's public claims against observed runtime behavior and identified 3 contradictions.
"Privacy policy mentions generic third-party ad servers"
22+ specific vendors detected including intent data brokers, behavioral analytics, and programmatic advertising platforms
2 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 0, observed 3
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →
