Dealfront

"Europe-native" B2B platform emphasizing GDPR compliance and EU data sovereignty while exhibiting an 81.8% pre-consent tracking rate across 20 monitored sites. ISO 27001/27701 certified. 17+ third-party vendors on dealfront.com are undisclosed in their subprocessor documentation. Formed from Leadfeeder + Echobot merger backed by EUR 180M.

104 IOCs · 22 detections · 82% pre-consent · 20 sites
Vendor Risk Score: 85

How This Briefing Works

This report opens with key findings, then maps the gaps between what Dealfront discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

22 detections across 20 sites · 82% pre-consent activity

CRITICAL: Pre-Consent Activity

Dealfront was observed loading and executing before user consent was obtained on 82% of sites where it was detected.

GDPR · ePrivacy

HIGH: Consent Compliance

81.8% pre-consent tracking rate across monitored deployments

GDPR Article 7 · ePrivacy Directive Article 5(3) · ISO 27701 Section 7.2.3

HIGH: Undisclosed Party

Not in privacy policy

HIGH: Marketing Mismatch

Behavior contradicts marketing

HIGH: Compliance Claim Mismatch

False certification claims

Disclosure Gaps

Claims vs. Observed Behavior

3 gaps: 1 HIGH, 2 MED
Classified: BTI-X01, BTI-X04, BTI-X05

Subprocessor Disclosure

GDPR Article 28(2) · GDPR Article 28(4)
MEDIUM
They Claim

Full transparency on data sources and formal agreements with all sub-processors

Observed Behavior

17+ third-party vendors on dealfront.com not listed in subprocessor documentation

Runtime scan shows ActiveCampaign, HubSpot, Intercom, LinkedIn, and others not in official list

Marketing Claims

GDPR Recital 42 · GDPR Article 5(1)(a) - Fairness
MEDIUM
They Claim

Born in Europe with compliance, transparency, and privacy in its DNA

Observed Behavior

US-based AI subprocessors (OpenAI, Perplexity) and high pre-consent tracking contradict European privacy positioning

Subprocessor list shows US data transfers; runtime shows pre-consent behavior

Customer Impact

What This Means For You

If Dealfront identifies visitors on your site, their technology fires before consent on 81.8% of observed deployments — directly contradicting their "Europe-native" GDPR compliance positioning. Under GDPR Art 7, this pre-consent rate means the vast majority of visitor identification occurs without valid consent, creating regulatory liability for you as the site operator. Dealfront's merged Leadfeeder+Echobot data pool covers 60M+ companies and 400M+ contacts — while they claim not to resell customer data, this aggregated intelligence pool creates competitive exposure. Their ISO 27001/27701 certifications do not address the 17+ undisclosed third-party vendors on dealfront.com or the pre-consent tracking pattern. As a European company marketing GDPR compliance, the gap between claims and behavior is particularly consequential for EU-based customers.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Dealfront

  • Audit your CMP configuration — ensure Dealfront scripts are blocked until explicit consent is obtained, given 81.8% pre-consent rate across the industry
  • Review your GDPR Article 30 records — pre-consent visitor identification may expose you to regulatory action as the data controller
  • Update privacy policy to disclose Dealfront as a third-party data processor with visitor identification capabilities
  • Request updated subprocessor list — their official list is incomplete based on 17+ undisclosed vendors on their own site
  • Consider contractual protections — ensure your DPA covers the pre-consent tracking liability and indemnification requirements

If You're Evaluating Dealfront

  • Note the gap between 'Europe-native' GDPR positioning and 81.8% pre-consent rate — this contradiction is material for EU-based procurement decisions
  • Request ISO 27001/27701 certificates and verify scope covers visitor identification technology, not just internal operations
  • Ask specifically how they reconcile GDPR compliance claims with pre-consent visitor identification across 20+ monitored sites
  • Require pre-deployment consent architecture verification — test in your environment with consent denied to verify tracking cessation
  • Compare against alternatives with demonstrable consent-first behavior and transparent subprocessor documentation

Negotiation Leverage

  • Pre-consent SLA: 81.8% pre-consent rate contradicts 'Europe-native' GDPR positioning. Require contractual guarantee of 0% pre-consent visitor identification on your property with independent audit verification.
  • Subprocessor transparency: 17+ vendors on dealfront.com undisclosed in subprocessor documentation. Require complete enumeration of all third-party vendors with data flow documentation and 30-day advance notice before additions.
  • Data pool isolation: Merged Leadfeeder+Echobot data covering 60M+ companies and 400M+ contacts. Require contractual guarantee that your visitor identification data is not pooled with other customers' data or used to enrich the shared intelligence database.
  • GDPR compliance verification: As a European company marketing GDPR compliance, their 81.8% pre-consent rate requires explanation. Require documented evidence of GDPR-compliant consent architecture for deployments on your property.
  • ISO certification scope: Request ISO 27001/27701 certificates and verify scope covers their visitor identification technology deployed on customer sites, not just internal infrastructure.
Runtime Detections

6 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

  • BTI-C01 Defeat Device: Evasion infrastructure, auditor bypass
  • BTI-C06 Behavioral Biometrics: Keystroke/mouse tracking
  • BTI-C09 Consent Bypass: Ignoring CMP signals
  • BTI-C10 Fingerprinting: Device identification
  • BTI-C14 Identity Resolution: PII deanonymization
  • BTI-C15 Tag Manager: Container/loader (neutral)

IOC Manifest

95 INDICATORS

Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Dealfront operates as a consolidated B2B go-to-market platform combining web visitor identification (Leadfeeder heritage) with sales intelligence data (Echobot heritage). The platform is typically loaded via GTM or direct script inclusion, often alongside Google Analytics 4, HubSpot, and other marketing automation tools. Dealfront loads its own Leadfeeder tracking on sites where deployed. On their own website, Dealfront loads 17+ third-party vendors including marketing (ActiveCampaign, HubSpot, LinkedIn, G2), analytics (Google Analytics 4, Clarity, VWO), and advertising (Google Ads, BingAds, DoubleClick). The company positions as the "GDPR-compliant" alternative to US-based competitors like ZoomInfo and Clearbit, though runtime behavior shows similar pre-consent tracking patterns.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

104 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details