How This Briefing Works
This dossier opens with key findings, then maps the gap between what Dealfront discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 2 sites
vendor fires before consent
1 HIGH
Briefing
Dealfront is a B2B go-to-market platform formed from the 2023 merger of German sales intelligence provider Echobot and Finnish web visitor tracking company Leadfeeder, backed by EUR 180M from Great Hill Partners. The company positions itself as "Europe-native" with heavy emphasis on GDPR compliance, ISO 27001/27701 certifications, and EU data sovereignty. However, runtime analysis reveals a significant disconnect: Dealfront exhibits an 81.8% pre-consent tracking rate across 20 monitored sites, meaning their technology fires before user consent is obtained in the vast majority of deployments. Additionally, 17+ third-party vendors detected on dealfront.com itself are not disclosed in their official subprocessor documentation, undermining their transparency claims.
What This Means For You
If Dealfront identifies visitors on your site, their technology fires before consent on 81.8% of observed deployments — directly contradicting their "Europe-native" GDPR compliance positioning. Under GDPR Art 7, this pre-consent rate means the vast majority of visitor identification occurs without valid consent, creating regulatory liability for you as the site operator. Dealfront's merged Leadfeeder+Echobot data pool covers 60M+ companies and 400M+ contacts — while they claim not to resell customer data, this aggregated intelligence pool creates competitive exposure. Their ISO 27001/27701 certifications do not address the 17+ undisclosed third-party vendors on dealfront.com or the pre-consent tracking pattern. As a European company marketing GDPR compliance, the gap between claims and behavior is particularly consequential for EU-based customers.
Risk Channel Breakdown
Dealfront corrupts measurement by identifying website visitors and resolving them to companies/contacts before consent is obtained. This pre-consent identification means attribution data is captured on users who never agreed to be tracked, inflating audience pools and creating phantom engagement signals.
As a web visitor identification and sales intelligence platform with access to 60M+ companies and 400M+ contacts, Dealfront aggregates demand signals across its customer base. While they claim not to resell customer data, the merged Leadfeeder+Echobot data pool creates significant competitive intelligence exposure for customers connecting CRM, website, and email systems.
Dealfront creates attack surface through its browser extension, website tracking scripts, and CRM integrations. The platform requires deep access to customer systems (email, calendar, contact directories) which they acknowledge as a security risk when critiquing competitors. Their bug bounty program on HackerOne indicates awareness of vulnerability risks.
Despite ISO 27701 privacy certification and aggressive GDPR compliance marketing, Dealfront demonstrates 81.8% pre-consent tracking. This creates substantial consent liability for customers deploying their scripts. The gap between their Legal Kit/DPA documentation and actual runtime behavior exposes customers to regulatory risk under GDPR Article 7 (conditions for consent) and ePrivacy Directive requirements.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Ignoring CMP signals
Device identification
PII deanonymization
Container/loader (neutral)
Claims-vs-Reality (BTI-X)
Not in privacy policy
Behavior contradicts marketing
False certification claims
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Dealfront's public claims against observed runtime behavior and identified 3 contradictions.
"GDPR Compliant with ISO 27701 Privacy Certification"
81.8% pre-consent tracking rate across monitored deployments
2 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
5 for current users · 5 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 6, observed 6
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →