All Vendors
marketing_automation

Omnisend

Omnisend deploys persistent website tracking, behavioral profiling, and cross-channel identity resolution across email, SMS, and push to build detailed ecommerce customer dossiers that power automated lifecycle marketing.

137 IOCs
0
Vendor Risk Score

How This Briefing Works

This report opens with key findings, then maps the gaps between what Omnisend discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Analysis pending. Findings will appear here once intelligence collection is complete.

Disclosure Gaps

Claims vs. Observed Behavior

3 gaps

data_sharing

MEDIUM
They Claim

Never sells or shares mobile numbers

Observed Behavior

Google Ads integration exports customer segments to advertising networks; 174 integrations create broad data sharing surface

pending

UNKNOWN
They Claim

Awaiting scanner verification

Observed Behavior

Runtime behavior analysis pending to confirm tracking script behavior, cookie deployment timing, and consent gate implementation

Customer Impact

What This Means For You

Organizations deploying Omnisend are granting the platform continuous real-time visibility into website visitor behavior, including anonymous browsing patterns, cart activity, and purchase history. This behavioral data feeds AI-driven personalization engines and is exportable to advertising networks via built-in integrations. The documented consent gap for third-party synced contacts means customer databases may contain profiles without valid legal basis for processing. For ecommerce businesses subject to GDPR, the combination of U.S. data storage, cross-platform data flows, and structural consent gaps creates regulatory exposure that scales with customer volume.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

Recommended Actions for Omnisend

  • - Audit all Omnisend integrations and disable unnecessary data sharing pathways, particularly Google Ads segment export and third-party contact syncs without consent records. - Review consent collection mechanisms for all channels (email, SMS, push) and verify that Omnisend tracking scripts respect consent state before activating behavioral monitoring. - Evaluate whether Omnisend AI-powered personalization features are processing data beyond the scope of your privacy notice disclosures. - Request a data processing audit from Omnisend detailing all third-party sub-processors and data retention periods for behavioral tracking data. - Consider implementing server-side integration to limit Omnisend client-side tracking footprint and reduce direct visitor exposure.

Negotiation Leverage

  • Omnisend's leverage position is weakened by three documented issues: the structural consent gap for third-party synced contacts (acknowledged in their own support docs), the breadth of behavioral data collection powering their AI features, and the 174-integration ecosystem that creates lateral data export pathways. In contract negotiations, demand explicit DPA provisions covering: consent inheritance requirements for all integration-sourced contacts, restrictions on behavioral data use for AI model training, data retention limits for anonymous visitor tracking, and audit rights for sub-processor data flows. The U.S. data storage under EU-U.S. Data Privacy Framework should be addressed with supplementary measures given the framework's uncertain legal standing.
IOC Manifest

IOC Manifest

137 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

TRACK
*www.omnisend.com/wp-content/themes/omnisend-v2/assets/js/abtesting.js*
Tracking script
TRACK
*www.omnisend.com/wp-content/plugins/duracelltomi-google-tag-manager/js/gtm4wp-form-move-tracker.js*
Tracking script
TRACK
*www.omnisend.com/wp-content/themes/omnisend-v2/assets/js/app.js*
Tracking script
TRACK
www.omnisend.com/wp-content/themes/omnisend-v2/assets/js/app.min.js
Auto-extracted from scan
TRACK
www.omnisend.com/wp-content/plugins/duracelltomi-google-tag-manager/js/gtm4wp-form-move-tracker.js
Auto-extracted from scan
TRACK
www.omnisend.com/wp-content/themes/omnisend-v2/assets/js/abtesting.min.js
Auto-extracted from scan
Ecosystem

Ecosystem & Supply Chain

Omnisend operates within the ecommerce marketing automation ecosystem alongside Klaviyo, Mailchimp, and Drip. It integrates with 174 platforms including Shopify, WooCommerce, BigCommerce, Wix, and WordPress. Key lateral data flows include Google Ads (segment export for retargeting), Facebook Custom Audiences, and various CRM platforms. The Shopify Segments Sync creates bidirectional hourly data exchange. Omnisend's runtime footprint includes website tracking scripts, email tracking pixels, SMS link tracking, and push notification delivery infrastructure. Sites deploying Omnisend typically also run complementary analytics, advertising pixels, and ecommerce platform native tracking, creating a dense behavioral surveillance stack.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

137 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details