How This Briefing Works
This report opens with key findings, then maps the gaps between what Buyercaddy discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Key Findings
27 detections across 24 sites4% pre-consent activity
MEDIUM
Pre-Consent Activity
Buyercaddy was observed loading and executing before user consent was obtained on 4% of sites where it was detected.
GDPRePrivacy
HIGH
Pending Analysis
6 BTI behavioral codes detected across 27 deployments with 50-script footprint. Full claims extraction required for gap analysis.
Disclosure Gaps
Claims vs. Observed Behavior
1 gaps
1 HIGH
Pending Analysis
HIGH
They Claim
“Claims analysis pending”
Observed Behavior
6 BTI behavioral codes detected across 27 deployments with 50-script footprint. Full claims extraction required for gap analysis.
Customer Impact
What This Means For You
If BuyerCaddy is deployed on your site, your shoppers are being profiled through 50 distinct scripts that capture behavioral biometrics and session recordings under the guise of a shopping experience. The zero-cookie architecture means your consent management platform likely does not gate BuyerCaddy's tracking — their data collection may operate entirely outside your consent framework. Identity resolution means your customers' shopping behavior is being deanonymized and that identity-linked purchase intent data may flow across BuyerCaddy's 24-site network. Your DPA almost certainly does not account for this scope of data processing.
Recommended Actions
What To Do About It
Role-specific actions based on observed behavior
If You Use Buyercaddy
- →Audit whether your CMP actually gates BuyerCaddy's 50-script deployment — zero cookies does not mean zero consent obligations
- →Request a complete data flow audit from BuyerCaddy documenting what each of their 50 scripts collects and where data is transmitted
- →Review your DPA for coverage of script-based tracking, not just cookie-based collection
- →Verify BuyerCaddy's identity resolution data is not being used for cross-site targeting beyond your property
If You're Evaluating Buyercaddy
- →Require BuyerCaddy to provide a technical manifest of all 50 scripts and their data collection purposes before deployment
- →Demand contractual prohibition on using identity-resolved data from your site across their network
- →Establish performance impact testing — 50 scripts carries significant page load implications
- →Benchmark against shopping assistance tools that do not perform identity resolution or behavioral biometrics
Negotiation Leverage
- →50-script footprint is the highest in VRS 90 tier — use as leverage to demand full technical disclosure and script-by-script justification
- →Zero-cookie architecture bypassing cookie consent is a novel regulatory risk — require BuyerCaddy to indemnify against ePrivacy enforcement actions
- →Identity resolution (C14) on shopping/purchase intent data is among the most sensitive data categories — demand explicit data use limitations in your DPA
- →Maximum legal tail risk score (100) justifies requiring enhanced contractual protections including audit rights and breach notification within 24 hours
- →6 behavioral threat codes on a shopping tool far exceeds reasonable data minimization — cite GDPR Art. 5(1)(c) as basis for scope reduction
Runtime Detections
Runtime Detections
6 BTI-C CODES
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.
BTI-C01Defeat Device
Evasion infrastructure, auditor bypass
Impact: Evasion infrastructure means BuyerCaddy may present a reduced footprint during compliance audits, making it difficult to verify the actual scope of their 50-script deployment during vendor assessments.
BTI-C06Behavioral Biometrics
Keystroke/mouse tracking
Impact: Keystroke and mouse tracking through a shopping tool captures granular behavioral data — how users browse products, hesitate on pricing, and interact with purchase flows — creating behavioral profiles far beyond what shopping assistance requires.
BTI-C07Session Recording
Full session replay
Impact: Full session replay means complete shopping journeys are captured including product comparisons, cart abandonment patterns, and potentially payment page interactions adjacent to BuyerCaddy's presence.
BTI-C09Consent Bypass
Ignoring CMP signals
Impact: 4% pre-consent rate combined with a zero-cookie, 50-script architecture suggests BuyerCaddy's tracking operates outside traditional cookie consent flows, creating consent obligation gaps your CMP may not address.
BTI-C10Fingerprinting
Device identification
Impact: Device fingerprinting enables persistent identification without cookies — the zero-cookie footprint paired with fingerprinting indicates a deliberate strategy to maintain tracking capability while avoiding cookie-based consent requirements.
BTI-C14Identity Resolution
PII deanonymization
Impact: PII deanonymization means your shoppers' identities are resolved and potentially available across BuyerCaddy's 24-site deployment network. Purchase intent data linked to real identities is among the most valuable — and most regulated — categories of personal data.
IOC Manifest
IOC Manifest
190 INDICATORS
Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
TRACK
*buyercaddy.com/wp-includes/js/jquery/jquery-migrate.js*
Tracking script
TRACK
*buyercaddy.com/wp-content/uploads/dynamic_avia/avia-head-scripts-*---*.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/jquery/jquery.js*
Tracking script
TRACK
*buyercaddy.com/wp-content/plugins/gs-logo-slider/assets/js/gs-logo.js*
Tracking script
TRACK
*buyercaddy.com/wp-content/plugins/gs-logo-slider/assets/libs/images-loaded/images-loaded.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/underscore.js*
Tracking script
TRACK
*buyercaddy.com/wp-content/plugins/gs-logo-slider/assets/libs/tippyjs/tippy-bundle.umd.js*
Tracking script
TRACK
*buyercaddy.com/wp-content/plugins/gs-logo-slider/assets/libs/swiper-js/swiper.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/vendor/react.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/vendor/react-jsx-runtime.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/autop.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/blob.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/block-serialization-default-parser.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/deprecated.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/hooks.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/dom.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/escape-html.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/element.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/vendor/react-dom.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/is-shallow-equal.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/i18n.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/keycodes.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/priority-queue.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/compose.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/redux-routine.js*
Tracking script
EXFIL
*buyercaddy.com/wp-includes/js/dist/private-apis.js*
Data collection endpoint
EXFIL
*buyercaddy.com/wp-includes/js/dist/data.js*
Data collection endpoint
TRACK
*buyercaddy.com/wp-includes/js/dist/html-entities.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/a11y.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/dom-ready.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/shortcode.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/rich-text.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/warning.js*
Tracking script
TRACK
*buyercaddy.com/wp-content/plugins/easy-pricing-tables/assets/blocks/editor/fca-ept-sidebar.js*
Tracking script
TRACK
*buyercaddy.com/wp-content/plugins/easy-pricing-tables/assets/blocks/editor/fca-ept-editor-common.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/dist/blocks.js*
Tracking script
TRACK
*buyercaddy.com/wp-content/plugins/easy-pricing-tables/assets/blocks/editor/fca-ept-toolbar.js*
Tracking script
TRACK
*buyercaddy.com/wp-content/plugins/easy-pricing-tables/assets/blocks/editor/fca-ept-editor.js*
Tracking script
TRACK
*buyercaddy.com/wp-content/plugins/easy-pricing-tables/assets/blocks/layout1/fca-ept-layout1.js*
Tracking script
TRACK
*buyercaddy.com/wp-content/plugins/easy-pricing-tables/assets/blocks/layout2/fca-ept-layout2.js*
Tracking script
TRACK
*buyercaddy.com/wp-content/plugins/contact-form-7/includes/swv/js/index.js*
Tracking script
TRACK
*buyercaddy.com/wp-content/plugins/contact-form-7/includes/js/index.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/hoverIntent.js*
Tracking script
TRACK
*buyercaddy.com/wp-content/plugins/megamenu/js/maxmegamenu.js*
Tracking script
EXFIL
*buyercaddy.com/wp-content/plugins/wp-consent-api/assets/js/wp-consent-api.js*
Data collection endpoint
TRACK
*buyercaddy.com/wp-content/plugins/google-site-kit/dist/assets/js/googlesitekit-events-provider-contact-form-7-*.js*
Tracking script
TRACK
*buyercaddy.com/wp-content/themes/enfold/config-lottie-animations/assets/lottie-player/dotlottie-player.js*
Tracking script
TRACK
*buyercaddy.com/wp-content/uploads/dynamic_avia/avia-footer-scripts-*---*.js*
Tracking script
TRACK
*buyercaddy.com/wp-includes/js/wp-emoji-release.js*
Tracking script
TRACK
buyercaddy.com/wp-includes/js/jquery/jquery.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/jquery/jquery-migrate.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-content/uploads/dynamic_avia/avia-head-scripts-070366f63d82c41a8edf227fc9d22909---699cc56057afb.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-content/plugins/gs-logo-slider/assets/libs/swiper-js/swiper.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-content/plugins/gs-logo-slider/assets/libs/tippyjs/tippy-bundle.umd.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-content/plugins/gs-logo-slider/assets/libs/images-loaded/images-loaded.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-content/plugins/gs-logo-slider/assets/js/gs-logo.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/underscore.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/vendor/react.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/vendor/react-jsx-runtime.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/autop.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/blob.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/block-serialization-default-parser.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/hooks.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/deprecated.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/dom.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/vendor/react-dom.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/escape-html.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/element.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/is-shallow-equal.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/i18n.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/keycodes.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/priority-queue.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/compose.min.js
Auto-extracted from scan
EXFIL
buyercaddy.com/wp-includes/js/dist/private-apis.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/redux-routine.min.js
Auto-extracted from scan
EXFIL
buyercaddy.com/wp-includes/js/dist/data.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/html-entities.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/dom-ready.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/a11y.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/rich-text.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/shortcode.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/warning.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/dist/blocks.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-content/plugins/easy-pricing-tables/assets/blocks/editor/fca-ept-editor-common.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-content/plugins/easy-pricing-tables/assets/blocks/editor/fca-ept-sidebar.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-content/plugins/easy-pricing-tables/assets/blocks/editor/fca-ept-toolbar.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-content/plugins/easy-pricing-tables/assets/blocks/editor/fca-ept-editor.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-content/plugins/easy-pricing-tables/assets/blocks/layout1/fca-ept-layout1.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-content/plugins/easy-pricing-tables/assets/blocks/layout2/fca-ept-layout2.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-content/plugins/contact-form-7/includes/swv/js/index.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-content/plugins/contact-form-7/includes/js/index.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-content/plugins/google-site-kit/dist/assets/js/googlesitekit-events-provider-contact-form-7-83c32a029ed2cf5b6a82.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-includes/js/hoverIntent.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-content/plugins/megamenu/js/maxmegamenu.js
Auto-extracted from scan
EXFIL
buyercaddy.com/wp-content/plugins/wp-consent-api/assets/js/wp-consent-api.min.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-content/themes/enfold/config-lottie-animations/assets/lottie-player/dotlottie-player.js
Auto-extracted from scan
TRACK
buyercaddy.com/wp-content/uploads/dynamic_avia/avia-footer-scripts-7f29863a1ad016e203d790842da13493---699cc560bb966.js
Auto-extracted from scan
Ecosystem
Ecosystem & Supply Chain
BuyerCaddy operates in the e-commerce advertising ecosystem, typically deployed on retail and shopping sites alongside other conversion optimization tools. Their presence across 24 distinct sites suggests integration with major e-commerce platforms. The zero-cookie, 50-script architecture is architecturally distinctive — most advertising platforms rely on cookies for persistence, while BuyerCaddy appears to achieve equivalent tracking through script-based mechanisms. The identity resolution capability (C14) positions BuyerCaddy as a data enrichment layer within the shopping journey, not merely a UX tool.
Loads (1)
Evidence
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
HAR Capture
Complete network capture with all requests and responses
IOC Manifest
190 detection signatures across scripts, domains, cookies, and network endpoints