QA mode · Tier:PUBLIC(override via ?tier=paid | premium)
← All Vendors
deanon

Identity Matrix

Claims GDPR and CCPA compliance while its core product resolves 70% of anonymous US web traffic to named individuals via device fingerprinting and identity graph matching. Both primary domains are now offline following Springbot acquisition, with no accessible privacy policy, opt-out mechanism, or data broker registration in any US state.

3 IOCs observed1 detections1 sites
65
Vendor Risk Score
Tier: GRAY
Observation Coverage

BLACKOUT observes runtime behavior in the browser. This dossier reflects browser-side execution, which is one of five vendor data-egress classes. Server-to-server transfers, backend integrations, and offline data flows are outside this observation boundary.

BLACKOUT observes runtime behavior and cites the regulations that address that behavior pattern. Legal determinations are the customer's counsel's call.

How This Briefing Works

This dossier opens with key findings, then maps the gap between what Identity Matrix discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.

Key Findings

At a Glance

Detections
1

across 1 sites

Pre-Consent Rate
0%

vendor fires before consent

Disclosure Gaps
5

3 CRIT · 2 HIGH

Claims-vs-Reality Classified
BTI-X04BTI-X05BTI-X08BTI-X09
Summary

Briefing

Identity Matrix is a visitor de-anonymization platform that resolves anonymous website traffic to person-level PII including name, email, mobile phone, and LinkedIn profiles. Founded in 2023 out of Revenue Institute in Novi, Michigan, the company was acquired by Springbot in September 2025. Uses composite identification methods: IP matching, digital fingerprinting, device ID correlation, hashed email matching, and first-party cookie linking. Both identitymatrix.ai and identity-matrix.com domains are now offline.

Customer Impact

What This Means For You

If Identity Matrix is deployed on your site, you are exposed to GDPR Art 5(3) violations for device fingerprinting without valid consent, and CCPA §1798.140 violations for undisclosed sale of personal information. The vendor's consent basis -- that all visitors have opted in to partner marketing at some point in their lifetime -- does not constitute valid consent for identity resolution on your website under any major privacy framework. Under GDPR Art 26 and CCPA §1798.100, you as the site operator bear joint liability for this processing. With both vendor domains offline and no accessible privacy documentation, you cannot demonstrate to regulators that your data processing agreements are current or that data subject rights can be exercised. The tracking script continues to execute on your visitors' browsers with no verified security maintenance since the Springbot acquisition.

Collapse Engine

Risk Channel Breakdown

Oracle
Truth Collapse
0

Identity Matrix resolves anonymous visitors to named individuals, collapsing the distinction between anonymous traffic and identified leads. Attribution data becomes unreliable because the same visitor can be identified through multiple methods (device ID, hashed email, cookie) and appear as separate conversions in different systems. Marketing teams make spend decisions based on artificially inflated lead counts.

Broker
Control Collapse
95

Visitor identification data is the raw material for competitor targeting. When Identity Matrix resolves your website visitors to named individuals with contact details, that same identity graph powers identification for other customers. Your demand signals -- which pages visitors view, how long they stay, what they download -- become available through a shared identity resolution infrastructure. The founder explicitly describes partner marketing networks as the data source, meaning your visitor data feeds back into the same ecosystem.

Reaper
Safety Collapse
0

Client-side tracking script (trackingScript.js) executes JavaScript in visitor browsers to perform device fingerprinting, cookie reading, and identity resolution. This creates a direct attack surface on your website. The script has access to the DOM and can read any first-party data. With the company acquired and domains going offline, there is no guarantee of ongoing security maintenance for deployed scripts.

Counselor
Legitimacy Collapse
100

Identity Matrix claims all visitors have opted in to partner marketing, but treats generic email newsletter consent from unrelated services as blanket authorization for cross-site identity resolution. This fails GDPR Art 6 specificity requirements. Not registered as a data broker in any US state despite meeting statutory definitions in Texas, California, and Vermont. Incorporated in Anguilla, creating jurisdictional complexity for data subject requests. Post-acquisition, data practices under Springbot ownership are undisclosed.

BTI Codes

Threat Indicators

Claims-vs-Reality (BTI-X)

BTI-X04
Marketing Mismatch

Behavior contradicts marketing

BTI-X05
Compliance Claim Mismatch

False certification claims

BTI-X08
Scope Creep

Collection exceeds disclosed scope

BTI-X09
Data Security Discrepancy

Security claims vs evidence

4
BTI Consequences Identified

Per-code narrative explanations of what each detected behavior means for your organization

Available in VIDB Subscription

Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →

Disclosure Gaps

Claims vs. Reality

5
Gaps Observed
3 CRITICAL2 HIGH

BLACKOUT analyzed Identity Matrix's public claims against observed runtime behavior and identified 5 contradictions.

BTI-X04BTI-X05BTI-X08BTI-X09
Featured Gap
Data Broker Registration
CRITICAL
They Claim

"Operates as compliant data processor"

BLACKOUT Observed

Not registered as a data broker in any US state (Texas, California, Vermont) despite meeting every statutory definition. Resolves anonymous web traffic to named individuals with contact information -- the textbook definition of a data broker. Incorporated in Anguilla, creating jurisdictional opacity.

4 more gaps — with regulatory citations and evidence pointers — available with subscription.

Available in VIDB Subscription

Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →

Recommended Actions

What To Do

Recommended Actions
8

4 for current users · 4 for evaluators

Negotiation Leverage
5

contractual leverage points

Available in VIDB Subscription

Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →

Ecosystem

Supply Chain & Pairings

Available in VIDB Subscription

Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →

Profile: identity-matrixFirst Seen: 2026-01-22Last Updated: 2026-01-22