TrenDemon

Privacy policy claims they "do not collect, retain or share any data regarding a particular user or device on sites not owned by TrenDemon" — while the product explicitly performs Account Deanonymization and persona-level tracking across 261 customer sites. 15.9% pre-consent rate with advertising networks loading before consent.

156 IOCs · 274 detections · 16% pre-consent · 264 sites
Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what TrenDemon discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

274 detections across 264 sites · 16% pre-consent activity · 2 critical disclosure gaps

CRITICAL: Scope Misrepresentation

Product explicitly performs Account Deanonymization, persona-level tracking, and distinguishes individuals within companies over extended periods

GDPR Art 5(1)(a) - Transparency · GDPR Art 13 - Information to be provided · CCPA 1798.100 - Disclosure requirements

CRITICAL: Pre-Consent Tracking

15.9% pre-consent tracking rate across customer sites, 8 pre-consent vendors on own site

GDPR Art 6 - Lawfulness · GDPR Art 7 - Conditions for consent · ePrivacy Directive Art 5(3)

MEDIUM: Pre-Consent Activity

TrenDemon was observed loading and executing before user consent was obtained on 16% of sites where it was detected.

GDPR · ePrivacy

HIGH: Undisclosed Subprocessors

Runtime shows Crunchbase, Sojern, Semcasting, IntentData, CHEQ, DoubleClick receiving data

GDPR Art 28 - Processor requirements · GDPR Art 30 - Records of processing

HIGH: Document Inconsistency

Security policy explicitly lists IP address, email, cookies as Confidential PII data collected

GDPR Art 5(1)(a) - Fairness and transparency

Disclosure Gaps

Claims vs. Observed Behavior

4 gaps: 2 CRIT, 2 HIGH
Classified: BTI-X01, BTI-X02, BTI-X04, BTI-X05, BTI-X08, BTI-X09

Scope Misrepresentation

GDPR Art 5(1)(a) - Transparency · GDPR Art 13 - Information to be provided · CCPA 1798.100 - Disclosure requirements
CRITICAL

They Claim

Does not collect, retain or share any data regarding a particular user or device on sites not owned by TrenDemon

Observed Behavior

Product explicitly performs Account Deanonymization, persona-level tracking, and distinguishes individuals within companies over extended periods

Privacy policy scope statement vs product overview features

Undisclosed Subprocessors

GDPR Art 28 - Processor requirements · GDPR Art 30 - Records of processing
HIGH

They Claim

Privacy policy lists LinkedIn, Twitter, AWS, Google

Observed Behavior

Runtime shows Crunchbase, Sojern, Semcasting, IntentData, CHEQ, DoubleClick receiving data

TrenDemon.com scan detections

Document Inconsistency

GDPR Art 5(1)(a) - Fairness and transparency
HIGH

They Claim

Privacy policy says no IP/user identifier collection on third-party sites

Observed Behavior

Security policy explicitly lists IP address, email, cookies as Confidential PII data collected

Privacy Policy vs Information and Data Security Policy comparison

Customer Impact

What This Means For You

If TrenDemon performs attribution and personalization on your site, their platform identifies anonymous visitors through Account Deanonymization — directly contradicting their privacy policy claim of not collecting data on non-owned sites. Under GDPR Art 5(1)(a) and Art 13, you must transparently disclose this identification to your visitors. The 15.9% pre-consent rate means roughly 1 in 6 TrenDemon interactions fire before consent, including advertising networks Sojern and DoubleClick that are not disclosed. Persona-level tracking distinguishes specific buyer roles within accounts, creating detailed profiles that go far beyond the "attribution software" positioning. TrenDemon holds no visible security certifications (no SOC2, no ISO), leaving you without independent assurance for a vendor processing person-level identification data.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use TrenDemon

  • Audit consent flow — verify TrenDemon JavaScript loads ONLY after explicit consent, given 15.9% pre-consent rate with undisclosed ad networks
  • Update your privacy policy to disclose Account Deanonymization capability — TrenDemon's own policy contradicts what the product actually does
  • Request subprocessor list and compare against runtime detections on your site — advertising networks like Sojern and DoubleClick may load without disclosure
  • Review DPA scope to ensure identity resolution and persona-level tracking are explicitly covered as processing activities
  • Implement consent-gated loading in GTM or your tag manager to control when TrenDemon fires relative to consent

If You're Evaluating TrenDemon

  • Ask for reconciliation of privacy policy scope statement ('no data collection on non-owned sites') versus the Account Deanonymization product feature
  • Demand complete subprocessor list with data flow documentation before procurement decision
  • Verify no SOC2 certification exists — this is a significant gap for a vendor performing person-level identification
  • Include identity resolution and persona-level tracking explicitly in contract scope and DPA terms
  • Consider alternatives (Mutiny, Qualified) with clearer alignment between privacy claims and product capabilities

Negotiation Leverage

  • Privacy policy reconciliation: TrenDemon's privacy policy claims no data collection on non-owned sites while the product performs Account Deanonymization. Require written reconciliation of this contradiction and contractual commitment to update privacy policy to accurately reflect product capabilities.
  • Scope documentation: Product performs persona-level tracking beyond stated 'attribution software' scope. Require contractual specification of exactly what identification capabilities are active on your property and what data is collected, stored, and shared.
  • Pre-consent SLA: 15.9% pre-consent rate with undisclosed advertising networks (Sojern, DoubleClick) loading before consent. Require contractual guarantee of 0% pre-consent activity on your property.
  • Security certification: No SOC2 or ISO certifications visible for a vendor performing person-level identification. Require SOC2 Type II as a contract condition given the sensitivity of deanonymization data.
  • Subprocessor transparency: 8 vendors fire pre-consent on TrenDemon's site including Crunchbase and advertising networks. Require complete subprocessor list with data flow documentation for all third parties.

Runtime Detections

8 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

  • BTI-C01 Defeat Device: Evasion infrastructure, auditor bypass
  • BTI-C06 Behavioral Biometrics: Keystroke/mouse tracking
  • BTI-C07 Session Recording: Full session replay
  • BTI-C08 Cross-Domain Sync: Identity stitching
  • BTI-C09 Consent Bypass: Ignoring CMP signals
  • BTI-C10 Fingerprinting: Device identification
  • BTI-C14 Identity Resolution: PII deanonymization
  • BTI-C15 Tag Manager: Container/loader (neutral)

IOC Manifest

138 INDICATORS

Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

TrenDemon operates in the ABM personalization layer and is typically deployed via a JavaScript tag loaded through GTM or inserted directly. It integrates bidirectionally with CRM systems (Salesforce, HubSpot, Marketo) for closed-loop attribution. It competes with Mutiny, Qualified, PathFactory, and Intellimize. It uses third-party ABM data providers (Crunchbase detected) for account identification. Customers include enterprise B2B companies (Walmart, Panasonic, Tenable, Cato Networks). The platform positions itself as a replacement for A/B testing tools (VWO, Optimizely) and content experience platforms. Revenue of $2.2M with ~20 employees suggests an early growth stage with concentrated customer dependency.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

156 detection signatures across scripts, domains, cookies, and network endpoints
