How This Briefing Works
This dossier opens with key findings, then maps the gap between what Identity Matrix discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 1 sites
vendor fires before consent
3 CRIT · 2 HIGH
Briefing
Identity Matrix is a visitor de-anonymization platform that resolves anonymous website traffic to person-level PII including name, email, mobile phone, and LinkedIn profiles. Founded in 2023 out of Revenue Institute in Novi, Michigan, the company was acquired by Springbot in September 2025. Uses composite identification methods: IP matching, digital fingerprinting, device ID correlation, hashed email matching, and first-party cookie linking. Both identitymatrix.ai and identity-matrix.com domains are now offline.
What This Means For You
If Identity Matrix is deployed on your site, you are exposed to GDPR Art 5(3) violations for device fingerprinting without valid consent, and CCPA §1798.140 violations for undisclosed sale of personal information. The vendor's consent basis -- that all visitors have opted in to partner marketing at some point in their lifetime -- does not constitute valid consent for identity resolution on your website under any major privacy framework. Under GDPR Art 26 and CCPA §1798.100, you as the site operator bear joint liability for this processing. With both vendor domains offline and no accessible privacy documentation, you cannot demonstrate to regulators that your data processing agreements are current or that data subject rights can be exercised. The tracking script continues to execute on your visitors' browsers with no verified security maintenance since the Springbot acquisition.
Risk Channel Breakdown
Identity Matrix resolves anonymous visitors to named individuals, collapsing the distinction between anonymous traffic and identified leads. Attribution data becomes unreliable because the same visitor can be identified through multiple methods (device ID, hashed email, cookie) and appear as separate conversions in different systems. Marketing teams make spend decisions based on artificially inflated lead counts.
Visitor identification data is the raw material for competitor targeting. When Identity Matrix resolves your website visitors to named individuals with contact details, that same identity graph powers identification for other customers. Your demand signals -- which pages visitors view, how long they stay, what they download -- become available through a shared identity resolution infrastructure. The founder explicitly describes partner marketing networks as the data source, meaning your visitor data feeds back into the same ecosystem.
Client-side tracking script (trackingScript.js) executes JavaScript in visitor browsers to perform device fingerprinting, cookie reading, and identity resolution. This creates a direct attack surface on your website. The script has access to the DOM and can read any first-party data. With the company acquired and domains going offline, there is no guarantee of ongoing security maintenance for deployed scripts.
Identity Matrix claims all visitors have opted in to partner marketing, but treats generic email newsletter consent from unrelated services as blanket authorization for cross-site identity resolution. This fails GDPR Art 6 specificity requirements. Not registered as a data broker in any US state despite meeting statutory definitions in Texas, California, and Vermont. Incorporated in Anguilla, creating jurisdictional complexity for data subject requests. Post-acquisition, data practices under Springbot ownership are undisclosed.
Threat Indicators
Claims-vs-Reality (BTI-X)
Behavior contradicts marketing
False certification claims
Collection exceeds disclosed scope
Security claims vs evidence
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Identity Matrix's public claims against observed runtime behavior and identified 5 contradictions.
"Operates as compliant data processor"
Not registered as a data broker in any US state (Texas, California, Vermont) despite meeting every statutory definition. Resolves anonymous web traffic to named individuals with contact information -- the textbook definition of a data broker. Incorporated in Anguilla, creating jurisdictional opacity.
4 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
4 for current users · 4 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →