How This Briefing Works
This report opens with key findings, then maps the gaps between what Salespanel discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
Analysis pending. Findings will appear here once intelligence collection is complete.
Claims vs. Observed Behavior
consent
Claim: “Privacy-first platform that does not use third-party cookies or nefarious data collection”
Observed: JavaScript SDK captures IP addresses and sets first-party cookies that enable persistent cross-session tracking. Awaiting scanner verification of pre-consent behavior.

consent
Claim: “Tracking only begins when consent mechanism fires”
Observed: IP-based company identification may occur before consent is granted depending on implementation. Awaiting runtime verification.

data_sharing
Claim: “Never shares or monetizes client user data”
Observed: Data flows to CRM integrations (Salesforce, HubSpot, Pipedrive, Zoho) and marketing automation platforms. Awaiting network analysis to verify no additional third-party data flows.
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
Recommended Actions for Salespanel
- Audit whether Salespanel JavaScript SDK loads before or after consent mechanism fires on your properties
- Review CRM integration data flows to map where Salespanel behavioral data propagates
- Verify that IP-based company identification does not occur pre-consent
- Assess competitive intelligence exposure by identifying which competitor sites deploy Salespanel
- Implement contractual data processing agreements that restrict Salespanel's data retention and sharing
Negotiation Leverage
- Salespanel positions as a data processor, giving customers contractual leverage to define data handling terms. Negotiate explicit data retention limits, deletion SLAs, and audit rights. Require written confirmation that no data collection occurs before consent mechanism activation — this is the key compliance lever.
- For procurement, demand evidence of their consent-gating implementation, specifically technical proof that the JavaScript SDK does not initiate any network requests, set cookies, or capture IP addresses before explicit visitor consent. Require contractual warranties that client user data is not used for Salespanel's own analytics, model training, or cross-client insights. Include termination data purge clauses covering all downstream systems where Salespanel data has been synchronized.
IOC Manifest
Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access.
Complete network capture with all requests and responses
86 detection signatures across scripts, domains, cookies, and network endpoints