This is Part 2 of our series on data ownership and privacy. Part 1 covered the financial trap of cloud dependency and what we built to escape it.

What We've Seen Go Wrong

Template farms targeting specific trades. Certain industries, particularly trades like HVAC, plumbing, roofing, and similar services, get aggressively targeted by vendors who mass-produce templated websites and sell them as custom work. The pricing seems competitive until you realize the same content appears on 20 or 30 other sites with minor variations. The vendor controls the leads, withholds contact information, and delivers monthly reports full of metrics that can't be independently verified. The business owner thinks things are going well because someone is telling them so, but they have no access to their own analytics, their own leads, or in some cases their own website.

Fake development shops using no-code tools. We encounter vendors who call themselves developers while building everything in drag-and-drop platforms. The client pays development rates for work that has no meta tags, no schema markup, no meaningful SEO implementation, and no technical optimization. When the site doesn't perform, the vendor blames the market or the client's expectations rather than the complete absence of foundational technical work. Those builders hit technical walls fast and were never meant for mid-market solutions.

Offshore operations posing as domestic agencies. This is the most concerning pattern and it's accelerating.

Shell companies registered in the United States with American-sounding names, complete with fabricated team member profiles on LinkedIn listing locations in major hubs like New York, San Diego, Austin, and other areas. The actual work is performed entirely offshore, sometimes in countries without reciprocity agreements for copyright and trademark law, which means trade secrets and proprietary business information may have no legal protection once they leave U.S. jurisdiction through the vendor's network.

These operations are now pursuing government contracts at the local, county and state levels, competing alongside legitimate firms that are strongly rooted here. Most of us who are owners and operators remember the Corporate Transparency Act and the FinCEN self-reporting requirement from just a few years ago. That was supposedly meant to stop some of this from happening, but the rule was administratively modified in March 2025 so that U.S. companies and individuals no longer had to file. It then applied only to foreign-formed entities, yet those entities are still operating with impunity through clever loopholes.

We've seen clients discover that their entire web presence is leased, not owned, and that the "website included" in their CRM or ERP subscription can't be taken with them when they leave.

When they push back, they're offered settlement agreements with NDAs or a buy-back of what was a template to begin with. We've seen companies delisted from search engines for months after vendor disputes. We've watched business owners realize during discovery that the entity they signed a contract with is foreign-registered and beyond practical legal reach for many without resources.

One situation stands out, however. We joined a call where a business owner was trying to understand why customer sales receipts were accessible to anyone through serialized URL patterns, meaning private financial documents and personally identifiable information were exposed on the open web. The offshore development team couldn't explain how to fix it and honestly didn't seem interested. When the owner tried to leave the relationship because of this lack of care, she was screamed at on the call and blamed for the problems, along with us. Someone needed to be the scapegoat, and it wasn't going to be the vendor. She had no legal recourse in this case and had never had the agreement formally reviewed; a bit of due diligence could have prevented it.
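The receipt exposure described above is the classic insecure direct object reference: the URL carries a predictable receipt number and the server never checks who is asking. As an added example (not code from the original post or from the vendor in the story), here is that enumerable lookup beside a hardened one, plus a small access-log check that flags a client walking receipt ids in order; every name, receipt, reference and IP address is constructed for illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Receipt:
    receipt_id: int   # sequential database key; must never appear in a public URL
    owner_id: str     # customer allowed to view it
    public_ref: str   # random, unguessable reference used in the URL instead
    total_cents: int

# Constructed sample data: three receipts belonging to two customers.
RECEIPTS = {r.receipt_id: r for r in (
    Receipt(1001, "cust-a", secrets.token_urlsafe(16), 1999),
    Receipt(1002, "cust-b", secrets.token_urlsafe(16), 45000),
    Receipt(1003, "cust-a", secrets.token_urlsafe(16), 720),
)}
BY_REF = {r.public_ref: r for r in RECEIPTS.values()}

def get_receipt_vulnerable(receipt_id):
    """The pattern from the story: /receipts/1002 returns anyone's receipt, no owner check."""
    return RECEIPTS.get(receipt_id)

def get_receipt_hardened(requester_id, public_ref):
    """Look up by unguessable reference, then enforce ownership explicitly."""
    receipt = BY_REF.get(public_ref)
    if receipt is None or receipt.owner_id != requester_id:
        return None  # same answer as "not found": the URL never confirms a receipt exists
    return receipt

# Constructed access-log lines, "<client ip> <path>"; one client walks ids in order.
SAMPLE_LOG = [
    "203.0.113.7 /receipts/1001",
    "203.0.113.7 /receipts/1002",
    "203.0.113.7 /receipts/1003",
    "198.51.100.4 /receipts/1003",
]

def sequential_walk_clients(log_lines, min_run=3):
    """Detection side: flag clients that request min_run consecutive receipt ids."""
    seen, flagged = {}, []
    for line in log_lines:
        ip, path = line.split()[:2]
        if path.startswith("/receipts/") and path[10:].isdigit():
            seen.setdefault(ip, []).append(int(path[10:]))
    for ip, ids in seen.items():
        run = best = 1
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged.append(ip)
    return sorted(flagged)
```

The hardened lookup returns the same "not found" result for a wrong owner and a wrong reference, so a guessed URL reveals nothing about whether a receipt exists.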

Membership organizations and legacy platforms. Chambers of Commerce and other membership organizations represent a specific category of this problem. Many are running on legacy technology stacks that market themselves as modern solutions, paying $4,000 to $15,000 or more annually for platforms with member directories, event management, and job boards that look polished on the surface but lack the technical infrastructure, automations, and integrations that would deliver real operational value.

The sales pitch is compelling, the onboarding is smooth, and over time the organization becomes so dependent on the platform that switching feels impossible. It's a bad-marriage scenario where the organization has to weigh the cost of the divorce against what it may lose. We've seen organizations defend these vendors despite years of stagnant results, much like a case of Stockholm Syndrome, because admitting that the investment was misguided and that they were duped feels worse than continuing to pay.

Blind Spots With AI and Your Data

This is the risk that most vendor evaluation frameworks haven't caught up to yet.

Organizations across every sector are using AI tools for sensitive work: board reports, financial analysis, strategic planning, member communications, client correspondence. In many cases, they're doing this on consumer-grade accounts where the terms of service explicitly state that inputs may be used for model training. Some terms of service grant the platform irrevocable ownership and use of a customer's data. Hardly anyone reads these terms of service, so it's easy to miss.

We've seen this firsthand with nonprofits and Chambers of Commerce using free or basic ChatGPT accounts to draft reports for their boards and leadership, create social media content, and handle communications involving financials and strategic direction. Every piece of sensitive information entered into a consumer AI account becomes part of the training pipeline.

Trade secrets, budget details, member data, strategic plans, all of it is being ingested by systems designed to learn from user inputs. Would any of those platforms ever use that data strategically, and not just for training? It's hard to tell, but would you want to risk it?

This isn't hypothetical. We've had clients send us emails drafted by consumer AI tools, complete with errors, incorrect names, and templated language that made it clear no human reviewed the output before hitting send. It's embarrassing and unprofessional (side note: they are no longer clients). If that's how they're handling external communications, consider what's happening with internal strategic discussions (if they happen at all).

The solution isn't to avoid AI; that's not realistic anymore, since it's being shoved down our throats every moment of every day, and it's exhausting. The solution instead is to understand the difference between consumer and commercial implementations, because there is a difference. Commercial API plans typically exclude training on user inputs. Self-hosted solutions using open-source platforms with commercial API connections keep data within controlled environments. We're building this capability internally using LibreChat on our own infrastructure with API-level access, and we're in conversations with organizations about deploying similar setups on virtual private servers where they maintain full control.

The same principle applies to search, analytics, and research tools. If your vendor's team is discussing your project strategy, your competitive positioning, or your customer data on consumer-grade platforms, that information is no longer private. It doesn't matter what their contract says about confidentiality if their operational tools are designed to share data with third parties by default.

What You Need to Know Before Trusting Your Vendor

None of the situations we described above are unusual. We encounter some version of these patterns in nearly every rescue engagement we take on. The organizations that avoided the worst outcomes weren't luckier. They asked better questions before signing, and they maintained control of their accounts and data from day one.

Part 3 covers how to do that. We walk through the specific questions that reveal what's really happening with your vendor, the red flags that should prompt a deeper look, and what to have in place before things go sideways.