Intentsify

80% pre-consent tracking on their own website while claiming SOC2/GDPR/CCPA compliance. Two contradicting privacy policies — website policy says "we do not sell personal information" while consumer policy explicitly admits selling identifiers, personal information, and professional information.

73 IOCs · 5 detections · 80% pre-consent · 4 sites
Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what Intentsify discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

5 detections across 4 sites · 80% pre-consent activity · 1 critical disclosure gap
CRITICAL

Consent Divergence

On Intentsify's own website, 80% of vendors load before consent is obtained. Six surveillance vendors (Clearbit, CookieYes, Demandbase, HubSpot, IDVisitors, TradeDesk) fire pre-consent.

GDPR Article 7 · CCPA Section 1798.100 · ePrivacy Directive
CRITICAL

Pre-Consent Activity

Intentsify was observed loading and executing before user consent was obtained on 80% of sites where it was detected.

GDPR · ePrivacy
HIGH

Subprocessor Transparency

21 distinct third-party vendors detected on their website with no disclosure mechanism

GDPR Article 28 · GDPR Article 30
HIGH

Data Sale Contradiction

Consumer privacy policy: We may have sold or shared identifiers, personal information, professional information

CCPA Section 1798.140(ad) · FTC Act Section 5
HIGH

Scope Misrepresentation

Identity resolution with 382M contacts, 5B MAIDs, hashed emails for person-level tracking

GDPR Article 5(1)(a) · GDPR Article 13
Disclosure Gaps

Claims vs. Observed Behavior

4 gaps: 1 CRIT · 3 HIGH
Classified: BTI-X05 · BTI-X12

Subprocessor Transparency

GDPR Article 28 · GDPR Article 30 · HIGH
They Claim

No public subprocessor list provided

Observed Behavior

21 distinct third-party vendors detected on their website with no disclosure mechanism

intel_detections shows Clearbit, Demandbase, HubSpot, IDVisitors, TradeDesk, Hotjar, RB2B, Reddit, and 13 others

Data Sale Contradiction

CCPA Section 1798.140(ad) · FTC Act Section 5 · HIGH
They Claim

Website privacy policy: We do not sell or share personal information

Observed Behavior

Consumer privacy policy: We may have sold or shared identifiers, personal information, professional information

Conflicting statements between website-data-privacy-policy and consumer-data-privacy-policy pages

Scope Misrepresentation

GDPR Article 5(1)(a) · GDPR Article 13 · HIGH
They Claim

B2B intent data and buying group intelligence

Observed Behavior

Identity resolution with 382M contacts, 5B MAIDs, hashed emails for person-level tracking

Identity Graph page explicitly states contact records, MAIDs, and IP resolution capabilities

Customer Impact

What This Means For You

If Intentsify provides your intent data, you are consuming intelligence built on an identity resolution infrastructure of 382 million contacts, 5 billion MAIDs, and 203 million IP addresses. Under GDPR Art 5(1)(a), you must ensure lawful basis for processing this data — Intentsify's 80% pre-consent rate and conflicting privacy policies make consent chain verification impossible. Their consumer privacy policy explicitly admits selling personal information while their website policy claims the opposite, creating a compliance documentation gap you inherit. Under CCPA §1798.140, intent data derived from person-level surveillance without proper consent exposes you to shared liability. The multi-tenant data model means your research signals may also strengthen competitor campaigns using the same platform.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Intentsify

  • Audit your DPA and verify subprocessor notification rights exist — Intentsify has no public subprocessor list despite 21 detected vendors
  • Verify your privacy policy adequately discloses Intentsify's identity resolution capabilities, not just 'intent data' — they operate 382M contacts and 5B MAIDs
  • Review consent basis for all Intentsify-sourced data — their 80% pre-consent rate and contradicting privacy policies make consent chain verification critical
  • Document legitimate interest basis if applicable — 'intent data' framing may not cover person-level tracking through their Identity Graph
  • Request written reconciliation of their two contradicting privacy policies before your next contract renewal

If You're Evaluating Intentsify

  • Request SOC2 Type II report and verify scope covers data processing operations, not just infrastructure
  • Ask for written confirmation of GDPR legal basis for identity resolution processing across 382M contacts
  • Require complete subprocessor list as a pre-contract condition — their refusal to publish one is a transparency red flag
  • Verify their opt-out mechanism actually removes data from the Identity Graph — test with your own organization's records
  • Consider alternative providers with transparent data sourcing: Bombora for aggregate-only intent, G2 for declared intent signals

Negotiation Leverage

  • Privacy policy reconciliation: Intentsify's website policy says 'we do not sell personal information' while their consumer policy admits selling identifiers and professional information. Require written reconciliation of these contradictions and contractual commitment to the non-sale position for your data.
  • Consent chain verification: 80% pre-consent rate on intentsify.io raises questions about consent provenance for their 382M contact database. Require documented consent chain for all data provided to your organization, with right to audit quarterly.
  • Subprocessor disclosure: 21 third-party vendors detected on their website with no public subprocessor list. Require complete enumeration of all data processors in their supply chain with 30-day advance notice before additions.
  • Identity Graph opt-out: Require contractual mechanism for your organization's employees and customers to be permanently excluded from Intentsify's Identity Graph of 382M contacts, 5B MAIDs, and 203M IP addresses.
  • Data isolation guarantee: Multi-tenant intent data model means your research signals may inform competitor campaigns. Require contractual data isolation ensuring your account activity and intent signals are never used to enrich competitor targeting.
Runtime Detections

8 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

  • BTI-C01 Defeat Device: Evasion infrastructure, auditor bypass
  • BTI-C06 Behavioral Biometrics: Keystroke/mouse tracking
  • BTI-C07 Session Recording: Full session replay
  • BTI-C08 Cross-Domain Sync: Identity stitching
  • BTI-C09 Consent Bypass: Ignoring CMP signals
  • BTI-C10 Fingerprinting: Device identification
  • BTI-C14 Identity Resolution: PII deanonymization
  • BTI-C15 Tag Manager: Container/loader (neutral)

IOC Manifest

73 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

Intentsify operates in the B2B intent data ecosystem as both a data aggregator and activation platform. They source signals from 460K+ content sites, ad exchanges, and bidstream data. Their tag loads on customer websites, while they also load third-party vendors (Clearbit, Demandbase) on their own properties. Key integrations include Salesforce, HubSpot, Marketo, and programmatic ad platforms. They compete directly with Bombora, 6sense, and Demandbase; notably, they use Demandbase on their own website while positioning as a competitor. Parent data flows likely include TechTarget (CEO background) and programmatic exchanges. Downstream, their identity-resolved data feeds into customer CRMs, ABM platforms, and ad targeting systems.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

73 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details