How This Briefing Works
This dossier opens with key findings, then maps the gap between what TrenDemon discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection evidence underneath. BLACKOUT observes runtime browser behavior and cites the regulations that address each pattern — legal determinations are your counsel's call.
At a Glance
across 5 sites
vendor fires before consent
2 CRIT · 2 HIGH
Briefing
TrenDemon is an Israeli B2B marketing personalization platform that provides "Account Deanonymization" and attribution services. Despite privacy policy claims that they "do not collect, retain or share any data regarding a particular user or device on sites not owned by TrenDemon," the product explicitly performs visitor identification at scale. Runtime scans reveal 15.9% pre-consent tracking across 261 customer sites, with 8 third-party vendors loading pre-consent on TrenDemon's own website including advertising networks (Sojern, DoubleClick) and identity resolution services (Crunchbase). The gap between stated scope ("attribution software") and actual functionality (deanonymization, persona-level tracking) represents a critical disclosure failure.
What This Means For You
If TrenDemon performs attribution and personalization on your site, their platform identifies anonymous visitors through Account Deanonymization — directly contradicting their privacy policy claim of not collecting data on non-owned sites. Under GDPR Art 5(1)(a) and Art 13, you must transparently disclose this identification to your visitors. The 15.9% pre-consent rate means roughly 1 in 6 TrenDemon interactions fire before consent, including advertising networks Sojern and DoubleClick that are not disclosed. Persona-level tracking distinguishes specific buyer roles within accounts, creating detailed profiles that go far beyond the "attribution software" positioning. TrenDemon holds no visible security certifications (no SOC2, no ISO), leaving you without independent assurance for a vendor processing person-level identification data.
Risk Channel Breakdown
TrenDemon corrupts measurement by operating as undisclosed visitor identification infrastructure. Marketing teams believe they are using attribution software while actually deploying identity resolution that tracks individuals across sessions. The 15.9% pre-consent rate means measurement data includes unconsented tracking, poisoning attribution accuracy from the foundation.
TrenDemon's integration with Crunchbase, Sojern, and other undisclosed third parties creates demand signal leakage. Account-level visitor data flows to advertising networks and data brokers, enabling competitors to target the same high-intent accounts. The persona-level tracking capability means specific buyer roles within accounts are exposed.
The JavaScript deploys with elevated access to customer sites, collecting browsing behavior, engagement patterns, and account information. Pre-consent tracking creates unaudited attack surface. The 8 undisclosed vendors on their own site demonstrate supply chain opacity - customers cannot assess the full data flow.
GDPR Article 6 requires lawful basis before processing. 15.9% pre-consent tracking rate is direct violation. The privacy policy scope statement (no user/device data collection on third-party sites) directly contradicts the product's core deanonymization functionality, creating material misrepresentation liability. Customers deploying TrenDemon inherit these consent violations.
Threat Indicators
Runtime-observed (BTI-C)
Evasion infrastructure, auditor bypass
Keystroke/mouse tracking
Full session replay
Identity stitching
Ignoring CMP signals
Device identification
PII deanonymization
Container/loader (neutral)
Claims-vs-Reality (BTI-X)
Not in privacy policy
Hidden data recipients
Behavior contradicts marketing
False certification claims
Collection exceeds disclosed scope
Security claims vs evidence
Per-code narrative explanations of what each detected behavior means for your organization
Per-code evidence with full attribution chain, severity rankings, and consequence narratives See pricing →
Claims vs. Reality
BLACKOUT analyzed TrenDemon's public claims against observed runtime behavior and identified 4 contradictions.
"Does not collect, retain or share any data regarding a particular user or device on sites not owned by TrenDemon"
Product explicitly performs Account Deanonymization, persona-level tracking, and distinguishes individuals within companies over extended periods
3 more gaps — with regulatory citations and evidence pointers — available with subscription.
Full claim-vs-reality gap analysis with claim text, observed behavior, severity, regulatory citations (GDPR, CCPA, ePrivacy), and evidence pointers per gap See pricing →
What To Do
5 for current users · 5 for evaluators
contractual leverage points
Role-specific actions (security / legal / marketing / procurement), full negotiation brief with contractual language, and BTI-code-specific consequences See pricing →
Supply Chain & Pairings
Claims 2, observed 2
twitter-pixel, adobelaunch, ensighten…
Full supply-chain mapping (loads / loaded-by lists with vendor identities) and the undisclosed-subprocessor list with observation evidence See pricing →