CANDDi

CANDDi is a visitor deanonymization vendor that combines IP tracking with persistent first-party cookies and email campaign tracking to build individual-level visitor profiles, escalating from company identification to personal identification through progressive data collection.

Vendor Risk Score: 0

How This Briefing Works

This report opens with key findings, then maps the gaps between what CANDDi discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Analysis pending. Findings will appear here once intelligence collection is complete.

Disclosure Gaps

Claims vs. Observed Behavior

3 gaps

data_collection (MEDIUM)

They Claim: Uses only first-party cookies with no third-party data sources

Observed Behavior: AI-powered enrichment features pull company news, social media, and product launches from external sources, expanding data collection beyond first-party interactions

pending (UNKNOWN)

They Claim: Fully GDPR compliant

Observed Behavior: Awaiting scanner verification. Progressive identification from email click to persistent tracking may not satisfy GDPR Article 6 informed consent requirements. Runtime analysis needed to verify pre-consent data collection timing.

Customer Impact

What This Means For You

Organizations deploying CANDDi face three primary risk vectors.

  • Compliance exposure: the progressive identification model may not satisfy consent requirements in GDPR jurisdictions, particularly when email click-throughs trigger persistent tracking without explicit opt-in for behavioral monitoring. A single regulatory complaint or audit finding could force immediate removal, disrupting sales pipeline intelligence.
  • Data leakage through CRM integration: visitor behavioral data pushed into Salesforce or HubSpot becomes subject to those platforms' access controls and retention policies. Sales team members, contractors, and integration partners gain access to detailed prospect browsing histories that extend well beyond what the prospect knowingly shared.
  • Competitive intelligence risk: detailed buyer intent signals (which product pages were viewed, how many times a prospect returned, what content they downloaded) are valuable competitive intelligence that, once in CRM systems, can leak through employee turnover, shared CRM instances, or integration middleware.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

Recommended Actions for CANDDi

  • Audit CANDDi cookie persistence settings and verify actual cookie lifetimes match your privacy policy disclosures
  • Review email marketing integration to ensure recipients are informed that clicking links enables persistent website tracking
  • Verify that your cookie consent mechanism fires BEFORE CANDDi's JavaScript tracker initializes; test with consent denied
  • Restrict CRM integration permissions so CANDDi visitor data is only accessible to authorized sales personnel
  • Conduct a Data Protection Impact Assessment (DPIA) covering the progressive identification workflow from email click to persistent tracking
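
One way to run the consent-timing check from the list above against a HAR capture of your own site, as an added example (not BLACKOUT's or CANDDi's code). The hostname `tracker.vendor.example`, the sample capture and the consent timestamp are constructed placeholders, because the page does not list CANDDi's tracker hosts.

```python
from datetime import datetime
from urllib.parse import urlparse

# Placeholder host: substitute the tracker hostnames seen in your own capture.
VENDOR_HOSTS = ["tracker.vendor.example"]

def _ts(value):
    # HAR timestamps are ISO 8601; normalise a trailing "Z" for fromisoformat().
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def is_vendor(url, vendor_hosts):
    # Exact host or subdomain match, so look-alike hosts are not counted.
    host = (urlparse(url).hostname or "").lower()
    return any(host == v or host.endswith("." + v) for v in vendor_hosts)

def carries_data(request):
    # A query string, body or Cookie header means visitor data left the browser.
    has_cookie = any(h["name"].lower() == "cookie" for h in request.get("headers", []))
    return bool(urlparse(request["url"]).query or request.get("postData") or has_cookie)

def pre_consent_findings(har, vendor_hosts, consent_at=None):
    """Vendor requests before consent; consent_at=None means consent was denied."""
    consent = _ts(consent_at) if consent_at else None
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        if not is_vendor(req["url"], vendor_hosts):
            continue
        if consent is not None and _ts(entry["startedDateTime"]) >= consent:
            continue
        # Even a bare "load" discloses the visitor's IP address to the vendor.
        kind = "transmit" if carries_data(req) else "load"
        findings.append((kind, req["method"], req["url"]))
    return findings

# Constructed capture: page load, tracker script, beacon, consent at 10:00:05, beacon.
def _e(t, method, url, **extra):
    return {"startedDateTime": f"2024-05-01T10:00:{t}Z",
            "request": {"method": method, "url": url, "headers": [], **extra}}

SAMPLE_HAR = {"log": {"entries": [
    _e("00.000", "GET", "https://www.customer.example/"),
    _e("01.200", "GET", "https://cdn.tracker.vendor.example/t.js"),
    _e("02.500", "POST", "https://tracker.vendor.example/collect",
       postData={"mimeType": "application/json", "text": "{\"ev\":\"pageview\"}"}),
    _e("09.000", "POST", "https://tracker.vendor.example/collect", postData={"text": "{}"}),
]}}
CONSENT_AT = "2024-05-01T10:00:05.000Z"
if __name__ == "__main__": print(pre_consent_findings(SAMPLE_HAR, VENDOR_HOSTS, CONSENT_AT))
```

Expiry dates of cookies the tracker writes through `document.cookie` do not appear in a HAR file, so the cookie-lifetime audit has to read them from the browser's cookie store instead.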

Negotiation Leverage

  • When negotiating with CANDDi, demand explicit documentation of their data retention periods for visitor profiles, including how long identification persists after last visit. Request contractual guarantees that their JavaScript tracker does not collect or transmit data before cookie consent is granted on your website. Ask for a complete list of sub-processors and third-party data sources used for company enrichment features.
  • Key leverage points: CANDDi's claim of first-party-only cookies should be verifiable through runtime analysis. If their tracker collects any data before consent, or if cookies persist beyond declared lifetimes, this creates immediate contractual and compliance remediation obligations. Request the right to conduct independent technical audits of the tracker's behavior on your properties, and ensure your DPA includes specific provisions for data deletion upon visitor request that cascade through all CRM integrations where CANDDi data has been synced.
Ecosystem

Ecosystem & Supply Chain

CANDDi integrates directly with major CRM platforms including Salesforce and HubSpot, where it pushes real-time visitor activity, form submissions, and identification data. The platform also integrates with email marketing tools, creating a bidirectional data flow: outbound email campaigns embed CANDDi tracking links, and click-throughs generate identified visitor profiles that flow back into the CRM. This ecosystem creates a data supply chain where visitor behavioral data moves from the website tracker through CANDDi's servers into CRM databases, email platforms, and potentially downstream integrations connected to those CRMs. CANDDi operates as a data processor (not controller), meaning the customer's data governance policies determine how the collected visitor intelligence is ultimately used, retained, and shared. The AI-powered enrichment features — which pull in company news, social media activity, and product launches — introduce additional third-party data sources into the visitor profile, expanding the data supply chain beyond what the website visitor directly generated.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

Vendor Details