CleverTap

CleverTap is a mobile-first engagement and retention platform that deploys SDKs directly into mobile applications to capture granular user behavior, device attributes, and engagement patterns. The SDK collects four categories of data by default: product interactions, user profiles, device information, and session data. CleverTap uses IDFV (Identifier for Vendors) on iOS to track anonymous users across sessions and maintains persistent user profiles that aggregate behavioral data across push notifications, in-app messages, email, SMS, and WhatsApp. While CleverTap has invested significantly in privacy engineering (PII tokenization, AES-256 encryption, Privacy by Design defaults), the platform's core value proposition depends on deep behavioral observation at the application layer — making it one of the most data-intensive engagement platforms in the mobile ecosystem.

89 IOCs
Vendor Risk Score: 0

How This Briefing Works

This report opens with key findings, then maps the gaps between what CleverTap discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Analysis pending. Findings will appear here once intelligence collection is complete.

Disclosure Gaps

Claims vs. Observed Behavior

1 gap

pending

UNKNOWN

They Claim: Awaiting scanner verification

Observed Behavior: Signature-only assessment pending runtime observation

Customer Impact

What This Means For You

If CleverTap's SDK is integrated into your mobile application, every user interaction is being captured and transmitted to CleverTap's infrastructure. Screen views, taps, purchases, and any custom events your development team has instrumented are recorded and attributed to persistent user profiles identified via device identifiers (IDFV on iOS). This data feeds segmentation, campaign targeting, and engagement analytics. For privacy-conscious organizations, the critical assessment is the scope of custom event tracking your developers have configured — while CleverTap's defaults have improved (location/network auto-collection now opt-in), the platform's value depends on capturing detailed behavioral data. Your users may not understand that their in-app behavior is being profiled at this granularity, particularly if your app's privacy disclosure does not specifically describe behavioral analytics and cross-channel engagement tracking.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

Recommended Actions for CleverTap

  • Audit the custom events your development team has configured in the CleverTap SDK to understand exactly what behavioral data is being collected.
  • Review whether CleverTap's Privacy by Design defaults are properly configured (location and network auto-collection should remain disabled unless explicitly justified).
  • Verify that your app's privacy policy and App Store/Play Store privacy labels accurately reflect the scope of data CleverTap collects.
  • Assess whether PII tokenization is enabled for sensitive user attributes to prevent personally identifiable information from entering CleverTap's environment.
  • Review attribution partner integrations to understand what third-party data is flowing into CleverTap user profiles.
  • Establish data retention policies within CleverTap that align with your data minimization requirements.

Negotiation Leverage

  • CleverTap's deep SDK integration gives it privileged access to application-layer behavioral data that is difficult to replicate with alternative tools, creating significant switching costs. When negotiating: (1) Demand a detailed data processing inventory listing every data point the SDK collects by default versus what is custom-configured. (2) Negotiate data isolation guarantees — confirm that your user behavioral data is not used for CleverTap's own product improvement, benchmarking, or aggregate analytics shared with other customers. (3) Request contractual data retention limits with automated purging for behavioral event data. (4) Clarify sub-processor arrangements, particularly for attribution partner data that enters CleverTap via integrations you may not have directly authorized. (5) For HIPAA-regulated applications, ensure the BAA explicitly covers SDK-collected behavioral data, not just messaging delivery infrastructure.

IOC Manifest

89 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

  • TRACK: *clevertap.com/_static/* (Tracking script)
  • TRACK: *clevertap.com/wp-content/plugins/link-whisper-premium/js/frontend.js* (Tracking script)
  • TRACK: *clevertap.com/wp-content/themes/clevertap*/js/country.json* (Tracking script)
  • TRACK: clevertap.com/_static/ (Auto-extracted from scan)
  • TRACK: clevertap.com/wp-content/plugins/link-whisper-premium/js/frontend.min.js (Auto-extracted from scan)

Ecosystem

Ecosystem & Supply Chain

CleverTap integrates with major attribution platforms (AppsFlyer, Adjust, Branch, Airbridge, Singular) to connect install attribution with post-install behavioral data. It also integrates with customer data platforms, data warehouses (Snowflake, BigQuery), and messaging infrastructure. The platform's SDK co-exists with other analytics SDKs (Firebase, Mixpanel, Amplitude) within mobile applications, contributing to the cumulative data collection surface of the app. CleverTap's webhook and API infrastructure enables bidirectional data flow with CRM systems, support platforms, and internal tooling. The attribution partner ecosystem is particularly significant — it means CleverTap receives acquisition channel data from third parties and combines it with its own behavioral observations to build full-funnel user profiles.

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

89 detection signatures across scripts, domains, cookies, and network endpoints
