All Vendors
deanon

Identity Matrix

Claims GDPR and CCPA compliance while its core product resolves 70% of anonymous US web traffic to named individuals via device fingerprinting and identity graph matching. Both primary domains are now offline following Springbot acquisition, with no accessible privacy policy, opt-out mechanism, or data broker registration in any US state.

3 IOCs1 detections1 sites
65
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what Identity Matrix discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Key Findings

1 detection across 1 site3 critical disclosure gaps
CRITICAL

Consent Basis

Partner marketing opt-in from unrelated email services does not constitute valid consent for cross-site identity resolution via device fingerprinting. GDPR Art 6 requires specific, informed consent for each processing purpose. A generic email newsletter opt-in cannot authorize identity resolution on unrelated websites.

GDPR Art 6GDPR Art 7ePrivacy Directive Art 5(3)CCPA §1798.140(ad)
CRITICAL

Data Broker Registration

Not registered as a data broker in any US state (Texas, California, Vermont) despite meeting every statutory definition. Resolves anonymous web traffic to named individuals with contact information -- the textbook definition of a data broker. Incorporated in Anguilla, creating jurisdictional opacity.

Texas Data Broker ActCalifornia Delete Act (SB 362)Vermont Act 171
CRITICAL

Privacy Policy Accessibility

Both primary domains (identitymatrix.ai and identity-matrix.com) are offline. No privacy policy, terms of service, or data processing agreement is accessible. Help center (help.identitymatrix.ai) is also unreachable. Customers deploying the tracking script have no reference documentation for data practices.

GDPR Art 13-14CCPA §1798.100
HIGH

Identity Resolution Scope

Actual scope includes device fingerprinting, identity graph resolution, cross-device tracking, hashed email matching from browser sessions (Gmail/Yahoo), and first/third-party cookie correlation. Resolves 50-70% of US web traffic to named individuals with name, email, phone, and LinkedIn. This is surveillance infrastructure, not lead generation.

GDPR Art 5(1)(b) purpose limitationCCPA §1798.140(v) sale definition
HIGH

Post-Acquisition Data Governance

Both domains offline, no updated privacy documentation, no communication about data handling post-acquisition. Springbot domain (springbot.com) also unreachable. Customers with deployed tracking scripts have no visibility into current data processing, ownership, or retention practices.

GDPR Art 13(1)(a) controller identityGDPR Art 44-49 international transfers
Disclosure Gaps

Claims vs. Observed Behavior

5 gaps
3 CRIT2 HIGH
Classified:BTI-X04BTI-X05BTI-X08BTI-X09

Data Broker Registration

Texas Data Broker Act · California Delete Act (SB 362) · Vermont Act 171CRITICAL
They Claim

Operates as compliant data processor

Observed Behavior

Not registered as a data broker in any US state (Texas, California, Vermont) despite meeting every statutory definition. Resolves anonymous web traffic to named individuals with contact information -- the textbook definition of a data broker. Incorporated in Anguilla, creating jurisdictional opacity.

No registration found in Texas SOS data broker registry, California CPPA registry, or Vermont registry. Company incorporated in Anguilla per TechBuzzNews funding report.

Privacy Policy Accessibility

GDPR Art 13-14 · CCPA §1798.100CRITICAL
They Claim

Operational vendor with customer-facing data practices

Observed Behavior

Both primary domains (identitymatrix.ai and identity-matrix.com) are offline. No privacy policy, terms of service, or data processing agreement is accessible. Help center (help.identitymatrix.ai) is also unreachable. Customers deploying the tracking script have no reference documentation for data practices.

Direct verification: identitymatrix.ai returns 404, identity-matrix.com shows GoDaddy parked page, help.identitymatrix.ai ECONNREFUSED. Verified Feb 22, 2026.

Identity Resolution Scope

GDPR Art 5(1)(b) purpose limitation · CCPA §1798.140(v) sale definitionHIGH
They Claim

ABM and lead generation platform

Observed Behavior

Actual scope includes device fingerprinting, identity graph resolution, cross-device tracking, hashed email matching from browser sessions (Gmail/Yahoo), and first/third-party cookie correlation. Resolves 50-70% of US web traffic to named individuals with name, email, phone, and LinkedIn. This is surveillance infrastructure, not lead generation.

Founder podcast: first-party cookies, device IDs, hashed emails in your browser, third-party cookie matching. Dimmo review: 50-70% of anonymous traffic identified.

Post-Acquisition Data Governance

GDPR Art 13(1)(a) controller identity · GDPR Art 44-49 international transfersHIGH
They Claim

Acquired by Springbot September 2025

Observed Behavior

Both domains offline, no updated privacy documentation, no communication about data handling post-acquisition. Springbot domain (springbot.com) also unreachable. Customers with deployed tracking scripts have no visibility into current data processing, ownership, or retention practices.

BusinessWire press release Sept 25, 2025. Springbot.com DNS resolution failure verified Feb 22, 2026.

Customer Impact

What This Means For You

If Identity Matrix is deployed on your site, you are exposed to GDPR Art 5(3) violations for device fingerprinting without valid consent, and CCPA §1798.140 violations for undisclosed sale of personal information. The vendor's consent basis -- that all visitors have opted in to partner marketing at some point in their lifetime -- does not constitute valid consent for identity resolution on your website under any major privacy framework. Under GDPR Art 26 and CCPA §1798.100, you as the site operator bear joint liability for this processing. With both vendor domains offline and no accessible privacy documentation, you cannot demonstrate to regulators that your data processing agreements are current or that data subject rights can be exercised. The tracking script continues to execute on your visitors' browsers with no verified security maintenance since the Springbot acquisition.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Identity Matrix

  • Immediately audit whether the Identity Matrix tracking script (trackingScript.js from app.identitymatrix.ai) is still loading on your properties -- with the vendor domain offline, the script may be failing silently or routing data to unknown endpoints
  • Remove the tracking pixel pending confirmation of post-acquisition data handling practices from Springbot -- no privacy policy, DPA, or subprocessor list is currently accessible
  • Review your GDPR Art 28 processor agreements and CCPA service provider agreements for Identity Matrix -- with the company acquired and domains offline, existing contracts may be void or unenforceable
  • Request written confirmation from Springbot regarding data retention, deletion, and subject access request procedures for data collected via Identity Matrix deployments

If You're Evaluating Identity Matrix

  • Do not deploy until Springbot provides clear documentation of data practices, consent mechanisms, and privacy policy for the Identity Matrix product line
  • Require proof of data broker registration in applicable US states (Texas, California, Vermont) before any agreement
  • Demand independent third-party audit of the partner marketing opt-in claim -- generic email consent does not authorize cross-site identity resolution
  • Consider alternatives with transparent privacy documentation and accessible opt-out mechanisms (e.g., Clearbit, ZoomInfo) that maintain operational websites and current compliance documentation

Negotiation Leverage

  • The consent basis gap: Identity Matrix claims all visitors opted in via partner marketing, but GDPR Art 7 requires specific, informed consent for each processing purpose. Generic email newsletter opt-in cannot authorize cross-site identity resolution via device fingerprinting. This is your strongest leverage point -- the entire consent architecture fails under regulatory scrutiny.
  • The data broker registration gap: Identity Matrix is not registered as a data broker in any US state despite resolving anonymous web traffic to named individuals with PII -- the statutory definition of a data broker. Under Texas Data Broker Act and California Delete Act (SB 362), failure to register carries penalties up to $100,000 per violation.
  • The post-acquisition documentation gap: Both vendor domains are offline, no privacy policy is accessible, and Springbot has not published updated data processing documentation. Under GDPR Art 13, you must inform data subjects of the controller identity and processing purposes. With no verifiable documentation, you cannot fulfill this obligation.
  • The offshore incorporation gap: Identity Matrix was incorporated in Anguilla, a British Overseas Territory. This creates jurisdictional complexity for data subject access requests, regulatory enforcement, and contractual remedies. Require Springbot (US entity) to assume all contractual obligations.
  • The scope creep gap: Marketed as ABM lead generation, but technical scope includes device fingerprinting, identity graph resolution, cross-device tracking, and hashed email correlation from browser sessions. Require explicit scope limitation in any DPA to match disclosed functionality only.
IOC Manifest

IOC Manifest

3 INDICATORS

Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

No indicators in this category

Ecosystem

Ecosystem & Supply Chain

Identity Matrix deploys via a client-side JavaScript tracking script (trackingScript.js) loaded directly or through tag managers. The script is served from app.identitymatrix.ai with a unique pixel ID parameter (IM_[alphanumeric]). Detected on sites alongside other visitor identification vendors, confirming the vendor stacking pattern common in the de-anonymization space. The company was acquired by Springbot in September 2025, which also acquired other marketing technology assets. Both Identity Matrix domains (identitymatrix.ai and identity-matrix.com) and Springbot's domain (springbot.com) are currently offline, raising questions about ongoing script maintenance and data handling for sites that still have the tracking pixel deployed.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

3 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details