How This Briefing Works
This dossier opens with key findings, then maps the gap between what Mutiny discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 15 sites
vendor fires before consent
1 CRIT · 2 HIGH
Briefing
Mutiny is a Series B ($72M) AI-powered ABM platform (YC S18) that personalizes B2B websites for target accounts. Despite privacy policy claims of using "de-identified and aggregated" data, their own website deploys 39 third-party vendors including aggressive identity resolution services (6sense, Clearbit, IDVisitors, Vector) with 66.7% pre-consent loading. Their subprocessor list discloses only 6 infrastructure vendors while concealing 30+ marketing and tracking vendors. This represents a fundamental gap between privacy marketing and operational reality.
What This Means For You
If Mutiny personalizes your B2B website, their platform deploys 39 third-party vendors while disclosing only 6 infrastructure providers. Under GDPR Art 28, this 30+ vendor disclosure gap means your data processing records are materially incomplete. Identity resolution services (6sense, Clearbit, IDVisitors, Vector) on mutinyhq.com mean visitors to Mutiny's site — including your prospects evaluating the platform — are being deanonymized by four separate identity vendors. The 66.7% pre-consent rate means two-thirds of tracking fires before consent, creating GDPR Art 7 liability. Mutiny's privacy policy claim of "de-identified and aggregated" data is contradicted by four identity resolution vendors that specifically perform individual-level identification.
Risk Channel Breakdown
Mutiny corrupts measurement by deploying identity resolution vendors (6sense, Clearbit) that enrich visitor data beyond what the visitor consented to. This creates phantom attribution where conversions are credited to enriched profiles rather than actual customer intent, distorting pipeline metrics.
As an ABM platform, Mutiny ingests target account lists and intent signals. The undisclosed identity resolution vendors (6sense, Clearbit, Vector) gain visibility into which companies are being targeted, potentially leaking competitive intelligence about sales priorities to data brokers and competitors.
The 39 third-party vendors create significant attack surface. Each vendor script is a potential injection point. The presence of multiple identity resolution vendors means visitor data flows to numerous third parties, any of which could be compromised. Pre-consent loading (66.7%) means this exposure occurs before visitors can opt out.
GDPR and CCPA compliance claims are materially contradicted by 66.7% pre-consent tracking. The privacy policy claim of de-identified/aggregated data is false given identity resolution vendors are active. Subprocessor list omits 30+ vendors - a clear GDPR Article 28 violation for transparency.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
PII deanonymization
Container/loader (neutral)
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
Behavior contradicts marketing
False certification claims
Collection exceeds disclosed scope
Security claims vs evidence
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed Mutiny's public claims against observed runtime behavior and identified 4 contradictions.
"6 infrastructure vendors listed in subprocessor disclosure"
39 vendors detected on mutinyhq.com including identity resolution, advertising, and session recording
3 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
5 for current users · 5 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 6, observed 8
googletagmanager, googleanalytics4, segment…
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →