How This Briefing Works
This report opens with key findings, then maps the gaps between what Userpilot discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.
Key Findings
- Subprocessor Disclosure: 22 additional vendors detected on userpilot.com, including data brokers
- Data Broker Presence: Brightdata, Dstillery, Intentdata (data brokers) detected on site
- Pre-Consent Tracking: 7 vendors, including identity resolution, load before any consent mechanism
- Privacy-First Marketing: identity resolution vendors (Clay, Vector) identify visitors by PII
- Undisclosed Party: not in privacy policy
Claims vs. Observed Behavior
Subprocessor Disclosure
- Claim: “Only AWS and Cloudflare listed as subprocessors”
- Observed: 22 additional vendors detected on userpilot.com, including data brokers
- Evidence: runtime scan 2026-01-23
Data Broker Presence
- Claim: “Will never sell/use data for Third Parties without consent”
- Observed: Brightdata, Dstillery, Intentdata (data brokers) detected on site
- Evidence: runtime detection of known data broker scripts
Pre-Consent Tracking
- Claim: “SOC2 Type II and GDPR compliant”
- Observed: 7 vendors, including identity resolution, load before any consent mechanism
- Evidence: pre-consent detection flags on ActiveCampaign, Clay, Clipcentric, Cloudflare Insights, HubSpot, LinkedIn, Vector
Privacy-First Marketing
- Claim: “Privacy-first Session Replay tool”
- Observed: identity resolution vendors (Clay, Vector) identify visitors by PII
- Evidence: homepage marketing vs. runtime detection
Security Documentation Access
- Claim: “SOC2 Type II certified”
- Observed: report not publicly available; requires requesting access
- Evidence: Trust Center shows gated access button
What This Means For You
What To Do About It
Role-specific actions based on observed behavior
If You Use Userpilot
- Audit your consent implementation — Userpilot's own site loads 7 vendors pre-consent; verify their SDK does not replicate this pattern in your application
- Review their Data Processing Agreement against GDPR Art. 28 — the gap between 2 disclosed and 22 detected subprocessors is a material red flag
- Request their SOC2 Type II report and verify its scope explicitly covers the SDK deployed in your application, not just their marketing infrastructure
- Monitor network requests from Userpilot's SDK in your application to ensure no undisclosed third-party data flows to data brokers
- Update your privacy policy if Userpilot's SDK creates data flows to any of their 22 detected vendor partners
If You're Evaluating Userpilot
- Discount privacy-first marketing claims — their own site contradicts this positioning with 22 undisclosed vendors and 3 data brokers
- Ask specifically about Clay and Vector usage and whether visitor identification data from their website feeds into sales outreach targeting
- Require a pre-contract runtime scan of your test environment with the Userpilot SDK installed to verify actual third-party loading behavior
- Compare against alternatives with verifiable subprocessor transparency (Pendo, WalkMe, Appcues) that do not run data brokers on their sites
- Negotiate a right-to-audit clause allowing you to scan your application's network behavior with the Userpilot SDK active
Negotiation Leverage
- Subprocessor audit clause: Userpilot's Trust Center lists 2 subprocessors while 22 vendors are detected at runtime. Require quarterly runtime audit rights and a contractual obligation to disclose all third-party code executing on their properties.
- SDK isolation guarantee: as a product analytics platform embedded in your application, require a contractual guarantee that Userpilot's SDK does not load any third-party vendors into your users' browsers without explicit documentation and approval.
- Data broker prohibition: Brightdata, Dstillery, and Intentdata detected on userpilot.com are known data brokers. Require a contractual commitment that no data broker relationships exist within their SDK supply chain.
- Consent architecture SLA: 7 pre-consent vendors on their own site suggests a consent-last engineering culture. Require documented consent-first initialization proof for their SDK, with liquidated damages for violations.
- Identity resolution disclosure: Clay and Vector perform visitor identification on userpilot.com. Require written disclosure of whether prospect identification data from their website feeds into sales targeting.
Runtime Detections
BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each behavior category below was triggered by something we watched this vendor's code actually do.
- Evasion infrastructure, auditor bypass
- Keystroke/mouse tracking
- Full session replay
- Device identification
- PII deanonymization
- Container/loader (neutral)
IOC Manifest
Indicators of compromise across 3 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.
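The two defensive actions this briefing recommends, monitoring the third-party requests an embedded SDK triggers in your own application and turning a vendor allowlist into a CSP, can be automated against a browser network capture. The script below is an added example, not BLACKOUT's tooling or anything Userpilot ships: it classifies every third-party host in a capture as pre- or post-consent relative to the moment the consent banner was accepted, flags hosts outside the disclosed-subprocessor list, and emits a `Content-Security-Policy` header that allows only those disclosed domains. The capture, the consent timestamp and every `.test` hostname are constructed for illustration; the allowlist assumes AWS and Cloudflare correspond to `amazonaws.com` and `cloudflare.com`, mirroring the two subprocessors the page says are disclosed.

```python
"""Pre-consent third-party audit over a browser network capture (added example).

Not BLACKOUT's or Userpilot's code. Requests, timestamps and *.test hosts below
are constructed; in practice, export a HAR from DevTools or a headless browser
and feed its entries through the same functions.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Request:
    t_ms: int        # milliseconds since navigation start
    url: str
    initiator: str   # "document" or the script URL that issued the request


# Hosts you own; everything else is third party.
FIRST_PARTY_HOSTS = {"app.example.test"}

# Registrable domains of the subprocessors the vendor actually discloses
# (assumption: AWS -> amazonaws.com, Cloudflare -> cloudflare.com).
DISCLOSED_DOMAINS = {"amazonaws.com", "cloudflare.com"}

# Constructed capture: the consent banner is accepted at 3200 ms.
CONSENT_GRANTED_AT_MS = 3200
SAMPLE_REQUESTS = [
    Request(120,  "https://app.example.test/",                    "document"),
    Request(340,  "https://app.example.test/static/app.js",       "document"),
    Request(610,  "https://assets.s3.amazonaws.com/logo.png",     "document"),
    Request(900,  "https://cdn.identity-vendor.test/resolve.js",  "document"),
    Request(1450, "https://api.identity-vendor.test/v1/visitor",  "cdn.identity-vendor.test/resolve.js"),
    Request(2100, "https://tag.marketing-vendor.test/pixel.gif",  "app.example.test/static/app.js"),
    Request(3900, "https://collect.replay-vendor.test/ingest",    "app.example.test/static/app.js"),
    Request(4200, "https://cdnjs.cloudflare.com/ajax/libs/x/y.js", "document"),
]


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two DNS labels. Sufficient for the sample;
    a production audit should resolve this against the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def third_party_report(requests, consent_at_ms, first_party_hosts, disclosed_domains):
    """Map each third-party host to whether it loaded before consent,
    whether it belongs to a disclosed subprocessor, and what triggered it."""
    report = {}
    for r in sorted(requests, key=lambda x: x.t_ms):
        host = urlsplit(r.url).hostname or ""
        if host in first_party_hosts:
            continue
        entry = report.setdefault(host, {
            "pre_consent": False,
            "disclosed": registrable_domain(host) in disclosed_domains,
            "first_seen_ms": r.t_ms,
            "initiators": set(),
        })
        if r.t_ms < consent_at_ms:
            entry["pre_consent"] = True
        entry["initiators"].add(r.initiator)
    return report


def undisclosed_hosts(report):
    """Third-party hosts not covered by the disclosed subprocessor list."""
    return sorted(h for h, e in report.items() if not e["disclosed"])


def pre_consent_undisclosed_hosts(report):
    """The subset that also fired before the user consented: the finding
    that maps to the 'pre-consent tracking' gap in the briefing."""
    return sorted(h for h, e in report.items() if e["pre_consent"] and not e["disclosed"])


def build_csp(disclosed_domains, report_endpoint="/csp-report"):
    """Allow scripts, connections and images only from self and the disclosed
    subprocessors; anything else is blocked and reported. Deploy as
    Content-Security-Policy-Report-Only first to measure breakage."""
    sources = " ".join(["'self'"] + sorted(f"https://*.{d}" for d in disclosed_domains))
    return (f"default-src 'self'; script-src {sources}; connect-src {sources}; "
            f"img-src {sources} data:; report-uri {report_endpoint}")


if __name__ == "__main__":
    rep = third_party_report(SAMPLE_REQUESTS, CONSENT_GRANTED_AT_MS,
                             FIRST_PARTY_HOSTS, DISCLOSED_DOMAINS)
    for host, e in sorted(rep.items(), key=lambda kv: kv[1]["first_seen_ms"]):
        flag = "PRE-CONSENT " if e["pre_consent"] else "post-consent"
        status = "disclosed" if e["disclosed"] else "UNDISCLOSED"
        print(f"{e['first_seen_ms']:>5} ms  {flag}  {status:<11} {host}  via {sorted(e['initiators'])}")
    print("\nHeader to start with:\nContent-Security-Policy-Report-Only:", build_csp(DISCLOSED_DOMAINS))
```

The initiator column is what makes the result actionable: a request issued by `cdn.identity-vendor.test/resolve.js` rather than by your own bundle shows the third party loading further third parties, which is exactly the supply-chain behavior the negotiation clauses above ask the vendor to rule out contractually.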
Ecosystem & Supply Chain
Evidence Artifacts
Artifacts collected during analysis, available with evidence-tier access:
- Complete network capture with all requests and responses
- 95 detection signatures across scripts, domains, cookies, and network endpoints