Pillar 4 of 4

The audit your privacy policy has been quietly failing

We find your policy in 8 languages, extract the clean text, and grade it clause-by-clause against a rubric your DPO would actually approve.

Starta en gratis scan Testa den gratis audit

Why a rubric instead of a vibe check

An off-the-shelf LLM will happily tell you a policy 'looks comprehensive' when it's missing a third of the clauses regulators actually look for. We don't ask the LLM 'is this policy compliant?' — we ask 14 specific yes/no questions, each tied to a regulatory citation, each requiring an evidence quote when the answer is yes. The scoring is mechanical: percentage of rubric items passed. An 80%+ score is solid. A 60% score means several material gaps. Below 50% usually means the policy was templated quickly and never updated for GDPR or CCPA.

Multilingual policy discovery

If you're scanning a German bakery's website, looking for the word 'privacy' won't help. We match against link text in English, German, French, Spanish, Italian, Portuguese, Dutch, and Japanese — covering ~80% of the open web by traffic. If link text matching fails, we probe a short list of conventional URLs (/privacy, /datenschutz, /privacidad, etc.) before giving up. When no policy is found at all, the result is unambiguous: zero rubric items pass, and the report flags 'no policy detected' as the top issue.

What we don't do

We don't tell you whether your business is GDPR-compliant — that's a question for legal counsel and a real DPIA. What we do is surface the exact clauses your policy doesn't contain, so when your counsel sits down to review it they have a punch list instead of a blank page. The LLM output is cached against a hash of the policy text, so repeated scans of an unchanged policy don't burn tokens.

Motor

Multilingual link-text matching falls back to URL probing for sites that don't expose a clear privacy link. The clean text is graded by an LLM running on OpenRouter against a 14-point rubric covering GDPR, CCPA, COPPA, and general hygiene. Each rubric item is returned with a pass/fail flag and a short evidence quote when passing.

Det vi kontrollerar

GDPR Article 6 legal basis for processing
GDPR Articles 15–22 data subject rights
GDPR data categories enumeration
GDPR international data transfer disclosures (SCCs, adequacy)
GDPR retention periods or criteria
GDPR sub-processor / third-party recipient list
DPO or privacy contact details
CCPA notice at collection (12-month lookback)
CCPA "Do Not Sell or Share" opt-out
CCPA right to know, delete, correct
COPPA position on under-13 data
Last-updated / effective date
Cookie policy disclosure
Security safeguards description

Exempel på finding

serious

Missing GDPR data subject rights description

Your privacy policy does not describe the rights granted to data subjects under GDPR Articles 15–22 (access, rectification, erasure, portability, restriction, objection). This is a material omission for any site processing data of EU residents and is one of the most commonly cited deficiencies in DPA enforcement actions.

Rubric item: gdpr.data-subject-rights
Framework  : GDPR
Result     : FAIL
Evidence   : (none — policy contains no description of rights)
Citation   : GDPR Articles 15, 16, 17, 18, 20, 21

Scanna din site på 60 sekunder

25 gratis credits. Inget kreditkort. Riktiga findings på den sida du bryr dig om.

Skapa ditt gratis konto Se priser