All Vendors
deanon
ChiliPiper B2B Email Intelligence

ChiliPiper B2B Email Intelligence

ChiliPiper lists only 2 subprocessors — AWS and Google Cloud — while running 48 third-party vendors on its website including RB2B, ZoomInfo, and LeadRocket identity resolution tools.

39 IOCs23 detections4% pre-consent20 sites
80
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what ChiliPiper B2B Email Intelligence discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

23 detections across 20 sites4% pre-consent activity1 critical disclosure gap
CRITICAL

Subprocessor Disclosure

Runtime scan detected 48 third-party vendors loading on chilipiper.com

GDPR Art 28 - Processor contracts and disclosureGDPR Art 13 - Information to data subjects
MEDIUM

Pre-Consent Activity

ChiliPiper B2B Email Intelligence was observed loading and executing before user consent was obtained on 4% of sites where it was detected.

GDPRePrivacy
HIGH

Pre-Consent Tracking

19 vendors fire before consent is obtained (4.5% pre-consent rate)

GDPR Art 6 - Lawful basis required before processingePrivacy Directive - Consent before tracking cookies
HIGH

Undisclosed Party

Not in privacy policy

HIGH

Undisclosed Sharing

Hidden data recipients

Disclosure Gaps

Claims vs. Observed Behavior

3 gaps
1 CRIT1 HIGH1 MED
Classified:BTI-X01BTI-X02BTI-X05

Subprocessor Disclosure

GDPR Art 28 - Processor contracts and disclosure · GDPR Art 13 - Information to data subjectsCRITICAL
They Claim

Trust center lists 2 subprocessors: AWS and Google Cloud Platform

Observed Behavior

Runtime scan detected 48 third-party vendors loading on chilipiper.com

BLACKOUT scan 2026-01-23 detected Clarity, HubSpot, MetaPixel, GoogleAds, ZoomInfo, RB2B, LinkedIn, and 40+ others

Identity Resolution Undisclosed

GDPR Art 13-14 - Transparency about processing purposesMEDIUM
They Claim

No disclosure of identity resolution/deanonymization capabilities

Observed Behavior

RB2B, ZoomInfo, LeadRocket, and other identity resolution vendors detected

These vendors specialize in identifying anonymous website visitors and linking to contact databases

Customer Impact

What This Means For You

YOUR meeting scheduling and routing data processed through ChiliPiper flows through a vendor ecosystem 24x larger than disclosed. YOUR prospect data — who books meetings, from which companies, at what stage — passes through a platform running RB2B, ZoomInfo, and LeadRocket on its own site. If ChiliPiper embeds load on YOUR site, YOUR visitors may be exposed to undisclosed identity resolution vendors. YOUR compliance documentation citing ChiliPiper's 2-vendor subprocessor list dramatically underrepresents actual data flows, creating regulatory exposure under GDPR Article 28.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use ChiliPiper B2B Email Intelligence

  • Audit the vendors ChiliPiper loads on YOUR site — their 48-vendor footprint may indicate what loads in their embeds
  • Review your consent mechanism — ensure ChiliPiper components respect your CMP before loading third-party scripts
  • Update your subprocessor documentation — citing only AWS and GCP dramatically understates actual vendor relationships
  • Request data flow documentation for your meeting and routing data through ChiliPiper's vendor ecosystem

If You're Evaluating ChiliPiper B2B Email Intelligence

  • Request complete subprocessor list — the 2-vendor trust center listing is not credible given 48 detected vendors
  • Test ChiliPiper embeds in a staging environment and audit all network requests
  • Compare with Calendly and other scheduling tools on vendor disclosure transparency
  • Require contractual restrictions on identity resolution and competitive intelligence derived from your booking data

Negotiation Leverage

  • Subprocessor disclosure gap: 48 vendors detected vs. 2 disclosed (AWS, Google Cloud) — a 24x undercount that undermines trust center credibility; require complete disclosure as a contract condition
  • Identity resolution vendors: RB2B, ZoomInfo, and LeadRocket detected on chilipiper.com — use this to negotiate restrictions on visitor identification within your ChiliPiper implementation
  • Pre-consent rate: 4.5% pre-consent rate detected — while lower than many vendors, verify this behavior does not extend to ChiliPiper embeds on your properties
  • Meeting data sensitivity: Scheduling and routing data reveals sales pipeline intelligence — negotiate data usage restrictions preventing competitive insights from your booking patterns
Runtime Detections

Runtime Detections

5 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06Behavioral Biometrics

Keystroke/mouse tracking

BTI-C08Cross-Domain Sync

Identity stitching

BTI-C09Consent Bypass

Ignoring CMP signals

BTI-C14Identity Resolution

PII deanonymization

BTI-C15Tag Manager

Container/loader (neutral)

IOC Manifest

IOC Manifest

39 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*calendar.chilipiper.com/chat/embed/assets/index.js*
Tracking script
TRACK
*calendar.chilipiper.com/chat/embed/assets/masterChefUrl-DhXpWMkn.js*
Tracking script
TRACK
*calendar.chilipiper.com/concierge-js/cjs/concierge.js*
Tracking script
TRACK
*calendar.chilipiper.com/chat/embed/env-config.js*
Tracking script
TRACK
*calendar.chilipiper.com/env-config.js*
Tracking script
TRACK
*calendar.chilipiper.com/chat/widget/assets/index-BOShyvQT.js*
Tracking script
TRACK
getemailsb2b.chilipiper.com
Tracking script
TRACK
calendar.chilipiper.com/chat/embed/assets/index.js
Auto-extracted from scan
TRACK
calendar.chilipiper.com/chat/embed/assets/masterChefUrl-DhXpWMkn.js
Auto-extracted from scan
TRACK
calendar.chilipiper.com/concierge-js/cjs/concierge.js
Auto-extracted from scan
TRACK
calendar.chilipiper.com/chat/embed/env-config.js
Auto-extracted from scan
TRACK
calendar.chilipiper.com/chat/widget/assets/index-BOShyvQT.js
Auto-extracted from scan
TRACK
calendar.chilipiper.com/env-config.js
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

ChiliPiper occupies the demand conversion/scheduling layer of the B2B GTM stack. They are typically loaded by marketing automation platforms, CRM systems, and directly embedded via GTM. On their own website, they load a significant surveillance stack including: identity resolution (RB2B, ZoomInfo, LeadRocket), analytics (GoogleAnalytics4, Clarity, HockeyStack), advertising (MetaPixel, GoogleAds, LinkedInAds, TwitterPixel), and enrichment tools (Clay, Pitchbook, Hunter). This positions ChiliPiper as both a participant in and subject to the GTM surveillance ecosystem. Their detection rate of 4.5% pre-consent across 22 sites where they are deployed suggests relatively controlled deployment compared to more aggressive vendors.
Loads (1)
Metapixel
Loaded By (5)
Apollo IoCheqHeapGoogletagmanagerLogrocket
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

39 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details