Pillar 4 of 4

The audit your privacy policy has been quietly failing

We find your policy in 8 languages, extract the clean text, and grade it clause-by-clause against a rubric your DPO would actually approve.

Why a rubric instead of a vibe check

An off-the-shelf LLM will happily tell you a policy 'looks comprehensive' when it's missing a third of the clauses regulators actually look for. We don't ask the LLM 'is this policy compliant?' — we ask 14 specific yes/no questions, each tied to a regulatory citation, each requiring an evidence quote when the answer is yes. The scoring is mechanical: percentage of rubric items passed. An 80%+ score is solid. A 60% score means several material gaps. Below 50% usually means the policy was templated quickly and never updated for GDPR or CCPA.

Multilingual policy discovery

If you're scanning a German bakery's website, looking for the word 'privacy' won't help. We match against link text in English, German, French, Spanish, Italian, Portuguese, Dutch, and Japanese — covering ~80% of the open web by traffic. If link text matching fails, we probe a short list of conventional URLs (/privacy, /datenschutz, /privacidad, etc.) before giving up. When no policy is found at all, the result is unambiguous: zero rubric items pass, and the report flags 'no policy detected' as the top issue.
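The discovery step described above, as an added example that is not the product's own code: it pulls anchor text and hrefs out of a page with the standard-library HTML parser, matches the link text against per-language keywords, and only then falls back to probing a short list of conventional paths. The keyword table and path list are assumptions (the page names the eight languages and a few paths, not the full lists), and `probe` is a hypothetical callback standing in for the HTTP check. Note that a "not found" result is returned explicitly with the top issue set, rather than raising, so the scoring stage can record zero passes.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Assumed link-text keywords per language; the page lists the languages, not the exact words.
KEYWORDS = {
    "en": ["privacy"],
    "de": ["datenschutz"],
    "fr": ["confidentialité", "vie privée"],
    "es": ["privacidad"],
    "it": ["riservatezza", "privacy"],
    "pt": ["privacidade"],
    "nl": ["privacybeleid", "privacy"],
    "ja": ["プライバシー", "個人情報"],
}

# Assumed fallback paths, probed in order when no link text matches.
CONVENTIONAL_PATHS = ["/privacy", "/privacy-policy", "/datenschutz",
                      "/privacidad", "/confidentialite", "/privacidade"]


class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a href> on the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def find_policy(base_url, html, probe):
    """Locate the privacy policy for a page.

    probe(url) -> bool is a hypothetical callback that reports whether a URL exists.
    Returns a dict with found/url/method; when nothing is found, top_issue is set.
    """
    for text, href in extract_links(html):
        needle = text.casefold()
        for lang, words in KEYWORDS.items():
            if any(word.casefold() in needle for word in words):
                return {"found": True, "url": urljoin(base_url, href), "method": f"link-text:{lang}"}
    for path in CONVENTIONAL_PATHS:
        url = urljoin(base_url, path)
        if probe(url):
            return {"found": True, "url": url, "method": "conventional-path"}
    return {"found": False, "url": None, "method": None, "top_issue": "no policy detected"}


if __name__ == "__main__":
    # Constructed footer from a German site; no network access in this demo.
    sample = '<footer><a href="/impressum">Impressum</a> <a href="/datenschutz">Datenschutzerklärung</a></footer>'
    print(find_policy("https://bakery.example/", sample, probe=lambda url: False))
```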

What we don't do

We don't tell you whether your business is GDPR-compliant — that's a question for legal counsel and a real DPIA. What we do is surface the exact clauses your policy doesn't contain, so when your counsel sits down to review it they have a punch list instead of a blank page. The LLM output is cached against a hash of the policy text, so repeated scans of an unchanged policy don't burn tokens.
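The mechanical scoring from the "rubric instead of a vibe check" section and the hash-keyed cache from the paragraph above, as one added example that is not the product's own code. Three of the fourteen rubric items are included, using the ids and citations shown in the findings further down; the `Answer` shape and the `ask_model` callback are hypothetical, and the sample policy and model answers are constructed. The point the example adds is the evidence check: a "yes" is only accepted if the quoted evidence actually occurs in the policy text, which is what stops a model from grading a clause present that it merely imagined.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed rubric: three of the page's fourteen items, keyed by the rubric ids
# shown in the example findings. The full rubric is not published on the page.
RUBRIC = {
    "gdpr.data-subject-rights": "GDPR Articles 15, 16, 17, 18, 20, 21",
    "gdpr.retention-periods": "GDPR Article 13(2)(a), 14(2)(a)",
    "ccpa.do-not-sell": "Cal. Civ. Code §1798.135",
}


@dataclass
class Answer:
    """One yes/no answer from the model for a rubric item (hypothetical shape)."""
    item: str
    passed: bool
    evidence: str = ""  # verbatim quote from the policy; required when passed is True


@dataclass
class Report:
    score: int                                   # percentage of rubric items passed
    results: dict = field(default_factory=dict)  # item -> (result, citation, note)
    top_issue: str = ""


def _normalize(text):
    """Collapse whitespace and case so quotes survive trivial reformatting."""
    return re.sub(r"\s+", " ", text).strip().casefold()


def policy_hash(policy_text):
    """Cache key: hash of the normalized text, so cosmetic edits don't burn tokens again."""
    return hashlib.sha256(_normalize(policy_text).encode("utf-8")).hexdigest()


def band(score):
    """Interpretation thresholds from the page."""
    if score >= 80:
        return "solid"
    if score >= 50:
        return "several material gaps"
    return "likely templated, never updated"


def grade(policy_text, answers, rubric=RUBRIC):
    """Mechanical scoring: a 'yes' counts only if its evidence quote appears in the policy."""
    results = {}
    if not policy_text.strip():
        for item, cite in rubric.items():
            results[item] = ("FAIL", cite, "no policy detected")
        return Report(0, results, "no policy detected")

    norm_policy = _normalize(policy_text)
    by_item = {a.item: a for a in answers}
    passed = 0
    for item, cite in rubric.items():
        a = by_item.get(item)
        if a is None or not a.passed:
            results[item] = ("FAIL", cite, "no evidence quote")
        elif a.evidence.strip() and _normalize(a.evidence) in norm_policy:
            results[item] = ("PASS", cite, a.evidence)
            passed += 1
        else:
            # The model said yes but quoted text the policy does not contain: reject it.
            results[item] = ("FAIL", cite, "evidence quote not found in policy; 'yes' rejected")
    score = round(100 * passed / len(rubric))
    top_issue = next((i for i, r in results.items() if r[0] == "FAIL"), "")
    return Report(score, results, top_issue)


_CACHE = {}  # policy hash -> list of Answer


def grade_cached(policy_text, ask_model, rubric=RUBRIC):
    """ask_model(policy_text) -> list[Answer]; unchanged text never reaches the model twice."""
    if not policy_text.strip():
        return grade(policy_text, [], rubric)
    key = policy_hash(policy_text)
    if key not in _CACHE:
        _CACHE[key] = ask_model(policy_text)
    return grade(policy_text, _CACHE[key], rubric)


# Constructed sample policy and constructed model answers for the demo.
SAMPLE_POLICY = """Privacy Policy
You may request access to, rectification of, or erasure of your personal data,
and you may object to or restrict processing and request portability.
We keep your data for as long as necessary to provide the Service.
"""

SAMPLE_ANSWERS = [
    Answer("gdpr.data-subject-rights", True,
           "You may request access to, rectification of, or erasure of your personal data"),
    # Fabricated quote: the model claims a retention period the policy never states.
    Answer("gdpr.retention-periods", True, "We retain account data for 30 days after deletion."),
    Answer("ccpa.do-not-sell", False),
]

if __name__ == "__main__":
    report = grade(SAMPLE_POLICY, SAMPLE_ANSWERS)
    print(f"score={report.score}% ({band(report.score)}), top issue: {report.top_issue}")
    for item, (result, cite, note) in report.results.items():
        print(f"  {item:28} {result}  [{cite}]  {note}")
```

With the constructed inputs the rights item passes, the retention item fails despite the model's "yes" because its quote is not in the policy, and the score is 33%, which lands in the "likely templated" band.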

Example findings

serious

Missing description of GDPR data subject rights

Your privacy policy does not describe the rights data subjects have under GDPR Articles 15–22 (access, rectification, erasure, portability, restriction, objection). That is a material omission for any site that processes data about EU residents, and one of the most commonly cited deficiencies in DPA enforcement cases.

Rubric item: gdpr.data-subject-rights
Framework  : GDPR
Result     : FAIL
Evidence   : (none — the policy contains no description of rights)
Citation   : GDPR Articles 15, 16, 17, 18, 20, 21

serious

No CCPA "Do Not Sell or Share" disclosure

The policy does not mention California consumers' right to opt out of the sale or sharing of personal information, nor does it describe how to exercise that right. CCPA/CPRA requires this disclosure for any business that meets the revenue or data thresholds — even if you don't think you sell data. The legal definition is broader than the everyday one.

Rubric item: ccpa.do-not-sell
Framework  : CCPA / CPRA
Result     : FAIL
Evidence   : (none — no opt-out mechanism described)
Citation   : Cal. Civ. Code §1798.135

moderate

No stated data retention periods

The policy says you keep data "for as long as necessary" without stating the actual durations or the criteria used to determine them. GDPR Article 13(2)(a) requires the retention period — or, where that is not possible, the criteria used to determine it. "As long as necessary" on its own has been rejected by several DPAs as insufficient.

Rubric item: gdpr.retention-periods
Framework  : GDPR
Result     : FAIL
Evidence   : "We keep your data for as long as necessary to provide the Service."
Citation   : GDPR Article 13(2)(a), 14(2)(a)

Fix: list concrete durations per data category, e.g. "Account data: until deletion + 30 days. Logs: 30 days. Billing: 7 years (statutory)".

Scan your site in 60 seconds

25 free credits. No credit card. Real findings on the page you actually care about.