Executive Summary
Userpilot is a product growth platform offering user onboarding, analytics, feedback collection, and session replay for SaaS companies. Despite marketing itself as a "privacy-first" solution and holding SOC2 and GDPR compliance certifications, BLACKOUT runtime analysis reveals 22 undisclosed third-party vendors operating on their website, including identity resolution services (Clay, Vector) and data brokers (Brightdata, Dstillery, Intentdata). Seven of these vendors load before consent is given, creating a significant gap between their compliance posture and their actual data practices. Their Trust Center (powered by Vanta) lists only AWS and Cloudflare as subprocessors, a material disclosure gap.
Revenue Threat Profile
4 Collapse Vectors
How this vendor creates financial exposure. Each score (0-100) reflects observed runtime behavior and documented business practices.
CAC Subsidization
As a product analytics platform, Userpilot influences how customers measure user behavior. Their own use of 22 undisclosed tracking vendors while providing analytics services creates a conflict: they track their prospects with tools they help customers optimize, potentially gaining competitive intelligence on customer product decisions.
Signal Corruption
Identity resolution vendors Clay and Vector on Userpilot's site can identify prospects evaluating the platform, feeding that intent data to competing vendors or data brokers. The presence of Brightdata, Dstillery, and Intentdata suggests visitor data may flow to third-party data marketplaces.
Legal Tail Risk
22 third-party scripts create a substantial attack surface. Each vendor is a potential supply chain compromise vector. Session replay capabilities on a site running this many trackers mean recorded sessions could be exfiltrated through any compromised vendor.
GTM Attack Surface
SOC2 Type II and GDPR claims paired with 7 pre-consent vendors and undisclosed data brokers create regulatory exposure. EU customers expecting GDPR compliance are unknowingly tracked by US data brokers before consent. The gap between 2 disclosed and 22 detected subprocessors violates GDPR Art 28 transparency requirements.
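As an added example (not BLACKOUT's own tooling or Userpilot's code), this is the reconciliation the executive summary and the GTM finding above describe: which observed third-party domains are absent from the published subprocessor list, and which of those loaded before the consent event. The resource log, consent timestamp, first-party list and disclosed-domain list are all constructed, and the domain collapsing is a deliberate simplification.

```javascript
// Added example, not the report's own tooling. Entries use the Resource Timing
// shape ({ name, startTime }) so performance.getEntriesByType("resource") fits.

// Constructed sample resource log. Hostnames are placeholders except the two
// domains standing in for the disclosed subprocessors (AWS, Cloudflare).
const SAMPLE_RESOURCES = [
  { name: "https://userpilot.com/app.js", startTime: 50 },
  { name: "https://cdn.example-vendor-a.com/tag.js", startTime: 120 },
  { name: "https://static.cloudflareinsights.com/beacon.min.js", startTime: 150 },
  { name: "https://s3.amazonaws.com/assets/app.js", startTime: 200 },
  { name: "https://pixel.example-broker-b.net/p.gif", startTime: 310 },
  { name: "https://cdn.example-vendor-a.com/x.js", startTime: 400 },
  { name: "https://tag.example-vendor-c.io/collect", startTime: 2600 },
];
const CONSENT_GRANTED_AT_MS = 2000; // constructed: when the visitor accepted
const FIRST_PARTY = ["userpilot.com"];
const DISCLOSED_SUBPROCESSORS = ["amazonaws.com", "cloudflareinsights.com"];

// Collapse a hostname to its last two labels: a deliberate simplification,
// not a Public Suffix List lookup (co.uk-style suffixes need the real list).
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

function auditThirdParties(resources, consentAtMs, firstParty, disclosed) {
  const vendors = new Map(); // registrable domain -> earliest load, request count
  for (const { name, startTime } of resources) {
    const domain = registrableDomain(new URL(name).hostname);
    if (firstParty.includes(domain)) continue;
    const v = vendors.get(domain) || { domain, firstSeenMs: startTime, requests: 0 };
    v.firstSeenMs = Math.min(v.firstSeenMs, startTime);
    v.requests += 1;
    vendors.set(domain, v);
  }
  const all = [...vendors.values()].map((v) => ({
    ...v,
    disclosed: disclosed.includes(v.domain),
    preConsent: v.firstSeenMs < consentAtMs,
  }));
  return {
    thirdParties: all,
    undisclosed: all.filter((v) => !v.disclosed),
    preConsent: all.filter((v) => v.preConsent),
    undisclosedPreConsent: all.filter((v) => !v.disclosed && v.preConsent), // the report's key pairing
  };
}

const REPORT = auditThirdParties(SAMPLE_RESOURCES, CONSENT_GRANTED_AT_MS, FIRST_PARTY, DISCLOSED_SUBPROCESSORS);
console.log(`${REPORT.thirdParties.length} third parties, ${REPORT.undisclosed.length} undisclosed, ${REPORT.undisclosedPreConsent.length} undisclosed and pre-consent`);
```

In a live audit the same function takes the Resource Timing entries and the timestamp at which the consent banner's accept handler fired; anything in `undisclosedPreConsent` is the set a Trust Center review should be asked to explain.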