WhatConverts

WhatConverts is a lead tracking and attribution vendor that captures phone calls, form submissions, and chat interactions using dynamic number insertion and JavaScript tracking, recording and transcribing conversations while attributing every lead to its marketing source.

106 IOCs
Vendor Risk Score: 27

How This Briefing Works

This report opens with key findings, then maps the gaps between what WhatConverts discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

Analysis pending. Findings will appear here once intelligence collection is complete.

Disclosure Gaps

Claims vs. Observed Behavior

2 gaps

pending

MEDIUM
They Claim

HIPAA compliance and PCI redaction available

Observed Behavior

Awaiting scanner verification of JavaScript behavior, DNI implementation, and data collection endpoints at runtime

pending

MEDIUM
They Claim

Full lead attribution across channels

Observed Behavior

Scope of session tracking and visitor profiling needs direct observation to characterize

Customer Impact

What This Means For You

Organizations deploying WhatConverts face three primary risks: (1) Communication data exposure — recorded phone calls and chat transcripts contain sensitive personal and business information that is stored externally and accessible via API, creating liability if breached. (2) Consent complexity — automatic call recording, session tracking, and dynamic number insertion each carry distinct consent requirements across jurisdictions, and failure at any point creates regulatory exposure for the data controller. (3) Vendor dependency — once marketing attribution is built on WhatConverts' tracking numbers and JavaScript, migration requires changing all published phone numbers and rebuilding attribution infrastructure, creating significant switching costs.
Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

Recommended Actions for WhatConverts

  • Audit WhatConverts JavaScript deployment to understand the full scope of visitor data collected beyond attribution (session recording, behavioral tracking, device fingerprinting).
  • Review call recording consent mechanisms to ensure compliance with two-party consent states and GDPR — verify that adequate notice is provided to all callers before recording begins.
  • Map data flows from WhatConverts to all connected CRM and ad platforms to understand where recorded calls, transcripts, and lead data ultimately reside.
  • Evaluate API access controls to ensure call recordings and transcripts are not accessible beyond authorized personnel.
  • Assess data retention policies for call recordings and transcripts, and establish deletion schedules appropriate for your regulatory environment.

Negotiation Leverage

  • Leverage: WhatConverts' call recording and transcription capabilities create significant liability for its customers — negotiate for strong data breach notification commitments and indemnification covering regulatory actions related to call recording consent. The platform's HIPAA and PCI compliance options indicate awareness of sensitive data risks; insist on these protections regardless of vertical.
  • Key questions: Where are call recordings stored and for how long? Who at WhatConverts can access customer call recordings? What happens to all stored recordings and transcripts upon contract termination? Does the DNI JavaScript collect data beyond what is necessary for attribution? How are two-party consent requirements handled across state lines?
  • Contractual protections: Require encryption at rest and in transit for all call recordings. Include data deletion upon termination with certification. Negotiate for customer-controlled retention periods. Ensure the DPA specifically covers call recording as a processing activity. Include breach notification timelines shorter than regulatory minimums given the sensitivity of recorded communications.
Runtime Detections

3 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C06 Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07 Session Recording

Full session replay

BTI-C15 Tag Manager

Container/loader (neutral)

IOC Manifest

106 INDICATORS

Indicators of compromise across 4 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

Ecosystem

Ecosystem & Supply Chain

WhatConverts integrates with major CRM platforms including Salesforce, HubSpot, and Zoho CRM, pushing lead data along with full marketing attribution context — campaign, keyword, referrer, landing page, and call recordings/transcripts. The platform connects to Google Analytics and Google Ads for bidirectional data flow, sending conversion data back to ad platforms. WhatConverts also offers a public API for custom integrations, enabling programmatic access to call recordings, transcripts, and lead data. This creates a data supply chain where sensitive communication content (recorded calls, chat transcripts, form submissions) flows from the customer's website through WhatConverts to CRM systems and ad platforms, with each integration point creating additional data residency and access control considerations.
Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

106 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details