All Vendors
marketing_automation

Brevo

Brevo (formerly Sendinblue) is a multi-channel marketing automation platform that deploys a persistent JavaScript tracker on customer websites. The Brevo tracker monitors page views, form submissions, and custom behavioral events in real time, feeding data back to Brevo's segmentation and automation engines. A visitor_id cookie is placed by default, enabling cross-session identification and behavioral profiling. While Brevo provides GDPR consent tooling and offers first-party cookie configuration, the tracker's default behavior begins collecting behavioral data immediately upon installation — meaning the gap between deployment and proper consent gating depends entirely on the customer's implementation discipline.

287 IOCs
0
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what Brevo discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Analysis pending. Findings will appear here once intelligence collection is complete.

Disclosure Gaps

Claims vs. Observed Behavior

1 gaps

pending

UNKNOWN
They Claim

Awaiting scanner verification

Observed Behavior

Signature-only assessment pending runtime observation

Customer Impact

What This Means For You

If Brevo's tracker is deployed on your website, every visitor's browsing behavior is being captured and transmitted to Brevo's infrastructure in real time. Page views, form interactions, and custom events are linked to individual contact profiles and used to trigger automated marketing campaigns. The visitor_id cookie identifies returning visitors across sessions without requiring them to log in or self-identify. For privacy-conscious organizations, the critical question is whether your consent management platform properly gates the Brevo tracker — if it fires before consent is obtained, you have a pre-consent data collection exposure. The multi-channel data aggregation (web behavior + email engagement + SMS interactions) means Brevo holds a comprehensive behavioral profile of your contacts that extends well beyond what visitors may expect from a single website visit.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

Recommended Actions for Brevo

  • Audit your consent management configuration to confirm the Brevo tracker only fires after explicit visitor consent. Verify that the visitor_id cookie is classified correctly in your cookie policy and consent categories. Review which custom events are being tracked and whether they capture sensitive behavioral data. Assess whether Brevo's data retention settings align with your organization's data minimization requirements. If using Brevo's automation workflows triggered by website behavior, document these data flows in your privacy impact assessment. Consider implementing first-party cookie configuration to reduce third-party tracking exposure.

Negotiation Leverage

  • Brevo's $1B+ valuation and aggressive multi-channel expansion mean the platform is incentivized to maximize data collection across touchpoints. When negotiating terms, focus on: (1) Data processing agreement scope — ensure it covers website behavioral tracking, not just email delivery. (2) Data retention and deletion timelines for visitor behavioral data collected via the tracker. (3) Sub-processor transparency — Brevo's infrastructure spans multiple data centers, and behavioral data may traverse jurisdictions. (4) Right to audit the scope of data collected by the tracker versus what is disclosed in their processing documentation. (5) Contractual guarantees that the tracker respects consent signals before activating, rather than relying solely on customer-side implementation.
IOC Manifest

IOC Manifest

287 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*www.brevo.com/_next/static/chunks/webpack-*.js*
Tracking script
TRACK
*www.brevo.com/_next/static/chunks/app/%5Blang%5D/error-*.js*
Tracking script
TRACK
*www.brevo.com/_next/static/chunks/*-*.js*
Tracking script
TRACK
*www.brevo.com/_next/static/chunks/app/%5Blang%5D/layout-*.js*
Tracking script
TRACK
*www.brevo.com/_next/static/chunks/main-app-*.js*
Tracking script
TRACK
*www.brevo.com/_next/static/chunks/app/%5Blang%5D/not-found-*.js*
Tracking script
TRACK
*www.brevo.com/_next/static/chunks/app/%5Blang%5D/page-*.js*
Tracking script
TRACK
*assets.brevo.com/js/fingerprint.js*
Tracking script
TRACK
*www.brevo.com/_next/static/chunks/*.*.js*
Tracking script
TRACK
*metrics.brevo.com/dt.js*
Tracking script
EXFIL
*assets.brevo.com/data/tapfiliate.js*
Data collection endpoint
TRACK
*assets.brevo.com/js/fingerprint-source.js*
Tracking script
EXFIL
*assets.brevo.com/data/sha256.js*
Data collection endpoint
TRACK
*get.brevo.com/pr/js*
Tracking script
EXFIL
*assets.brevo.com/data/userpilot-latest.js*
Data collection endpoint
TRACK
www.brevo.com/_next/static/chunks/webpack-f64ad664288e2d97.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/fd9d1056-a07975a04e514552.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/3526-a2f2ef44e1290d15.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/main-app-8cba1d0f8dc5a560.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/6185-6a785aed53f443c3.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/4935-33e6b4dc0857f7b2.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/2731-6ae82f2a7c0ede03.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/app/%5Blang%5D/layout-6a63d489182fa74a.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/6276-af1eb7cf06c3cdd8.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/app/%5Blang%5D/error-487f33f4f3fcd24e.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/6192-8cbfeada0ed612d8.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/4380-dde338f57cf280ac.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/2709-87e325ed32a83b94.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/6648-415c6f39befce609.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/8267-72e57f5324dcd9d3.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/5232-22531f98bb306908.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/7336-72c014aed03ba00a.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/2081-88f0c8c18f8b69bd.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/2408-955b6fb34416076d.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/9664-91e067091d4fe69f.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/app/%5Blang%5D/page-923e8cd833a339b4.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/app/%5Blang%5D/not-found-a9c085491123f216.js
Auto-extracted from scan
TRACK
assets.brevo.com/js/fingerprint.js
Auto-extracted from scan
TRACK
metrics.brevo.com/dt.js
Auto-extracted from scan
TRACK
assets.brevo.com/js/fingerprint-source.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/3415.ad60c354bd94a31d.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/9240.266204963c105e18.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/4138.91cfbcf4314d7c58.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/7007.9bf0cc7b40e29940.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/1945.1aa731588e096030.js
Auto-extracted from scan
TRACK
get.brevo.com/pr/js
Auto-extracted from scan
EXFIL
assets.brevo.com/data/tapfiliate.js
Auto-extracted from scan
EXFIL
assets.brevo.com/data/sha256.min.js
Auto-extracted from scan
EXFIL
assets.brevo.com/data/userpilot-latest.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/f58c171e.fd8334a947e927e4.js
Auto-extracted from scan
TRACK
www.brevo.com/_next/static/chunks/6968.737d4d309c04e547.js
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

Brevo integrates with major tag managers (Google Tag Manager), e-commerce platforms (Shopify, PrestaShop, WooCommerce, WordPress), CRM systems (Salesforce, HubSpot, Pipedrive), and consent management platforms (Cookiebot). It commonly co-deploys alongside Google Analytics, Facebook Pixel, and other advertising trackers within tag management containers. The platform's plugin-based installation (two-click activation for WordPress, Shopify, PrestaShop) lowers the deployment barrier significantly. Brevo's API also enables server-side event forwarding, expanding the data flow surface beyond the client-side tracker.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

287 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details