Xeviora Quarterly · Issue No. 13
GDPR Audit Prep · Featured Tool

GDPR Audit Prep AI — RoPA, DPIA, Privacy Policy & DSR Workflow

From "we should probably do GDPR" to an actual plan.

Editor's note

Describe your business, what data you process, and where your users are. The tool produces a Record of Processing Activities, a data protection impact assessment, a GDPR-aligned privacy policy, and a data subject request workflow — plus a prioritized list of the gaps still standing between you and compliance.

Tagged

GDPR audit prep·GDPR compliance tool·RoPA generator·DPIA template

§ Section I

How to use GDPR Audit Prep

Three movements
01

Describe your business and data flows

Enter what your company does, who your customers are, and how you collect and use personal data. Add the regions you serve, whether you handle special-category data, and the third-party processors you rely on — Stripe, AWS, HubSpot, and the like. The more specific you are, the sharper the pack.

02

Generate your audit-readiness pack

The tool maps your inputs against the GDPR and drafts a Record of Processing Activities, an Article 35 DPIA screen, a data subject request workflow, a privacy policy, and a prioritized gap list. Each lawful basis is tied to an Article 6 reference rather than a vague label.

03

Review, fix the gaps, and have counsel sign off

Work through the gap list highest priority first, download the privacy policy draft, and slot the RoPA into your records. Treat the output as a structured first draft — have a DPO or privacy lawyer review it before you rely on it for an actual audit.

§ Section II

Who it's for

Readership · 4 cohorts
No. 01

SaaS founders

Get a defensible RoPA, privacy policy, and gap list before your first enterprise security review — without hiring a consultant on day one. Useful when a prospect's procurement team asks how you handle EU customer data.

No. 02

Data protection officers

Turn a quarterly RoPA refresh or a new-feature assessment into a structured draft in minutes, then spend your time on the judgment calls — lawful-basis disputes, transfer risk, and DPIA depth — instead of formatting documents.

No. 03

Privacy and legal leads

Pressure-test a product team's description of their data processing against the actual Articles, surface where a Legitimate Interests Assessment or Article 9 condition is missing, and hand back a remediation list with priorities attached.

No. 04

EU-market expansion teams

Planning to sell into the EU or UK? Generate a baseline of what GDPR will require of your data flows — records, transfer mechanisms, and data subject rights — so you scope the compliance work before launch rather than after a complaint.

§ Section III

Frequently asked

6 entries
Q.01 What does GDPR Audit Prep actually produce?
A.01

One run returns a draft Record of Processing Activities (Article 30), a DPIA screening with risks and mitigations (Article 35), a data subject request workflow for Articles 15–22, a draft privacy policy in Markdown you can download, and a prioritized list of compliance gaps with remediation steps. It costs 10 credits per run.

Q.02 Is this a substitute for a lawyer or a DPO?
A.02

No. It is a preparation tool that turns a business description into structured, Article-referenced documentation so you walk into a review with a draft instead of a blank page. Data protection decisions — especially lawful-basis choices, special-category processing, and international transfers — should be confirmed by a qualified data protection professional.

Q.03 Which lawful bases does it use?
A.03

It works from the six bases in Article 6(1): consent, contract, legal obligation, vital interests, public task, and legitimate interests. It assigns one basis per processing activity and names the Article reference. Where it suggests legitimate interests, it flags that you need a documented Legitimate Interests Assessment to back it up.

Q.04 Does it handle international data transfers?
A.04

When you list non-EEA processors, the pack flags the Chapter V transfer obligations: an adequacy decision (Article 45); appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules, backed by a transfer impact assessment after Schrems II (Article 46); or, for occasional transfers only, a derogation (Article 49). Transfers to US vendors certified under the EU-US Data Privacy Framework can rely on the July 2023 adequacy decision, but confirm the vendor actually appears on the DPF list rather than assuming it. UK-origin transfers fall under the UK GDPR, which has its own instruments (the IDTA and the UK Addendum to the EU SCCs) and its own adequacy decisions, so the EU mechanisms do not cover them automatically.

Q.05 How does it decide whether I need a DPIA?
A.05

It screens your processing against the Article 35(3) high-risk triggers: systematic and extensive evaluation based on automated processing, including profiling, that produces legal or similarly significant effects; large-scale processing of special-category (Article 9) or criminal-offence (Article 10) data; and large-scale systematic monitoring of a publicly accessible area. If a trigger plausibly applies it marks a DPIA as likely required and lists the risks to assess; otherwise it explains why one is probably not needed. Article 35(3) is not exhaustive: supervisory authorities publish their own Article 35(4) lists, and the EDPB guidance treats processing that meets two or more of its nine criteria (such as new technology, vulnerable data subjects, or data matching across sources) as likely to require a DPIA, so check your authority's list before relying on a "not needed" result.
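The rule screening described in Q.03 through Q.05 can be expressed as a small checker over RoPA entries. The block below is an added example written for this page, not code from GDPR Audit Prep: it validates that each activity names one of the six Article 6(1) bases, flags a missing Legitimate Interests Assessment or Article 9(2) condition, picks a Chapter V mechanism for each non-EEA processor, and applies the Article 35(3) triggers. The record fields, the processor flags, the vendor names and the sample RoPA are constructed for the illustration, and the adequacy list is a subset; it goes a little beyond the FAQ by also checking that an SCC transfer has a TIA on file and that a derogation is not being used for routine transfers.

```python
"""RoPA gap checker: an added example, not GDPR Audit Prep's own code.

Field names, priorities and the sample RoPA below are assumptions made for
the illustration; the adequacy set is a subset of the real Article 45 list.
"""
from dataclasses import dataclass, field
from typing import Optional

# The six Article 6(1) bases, keyed the way a RoPA form might record them.
LAWFUL_BASES = {
    "consent": "Art. 6(1)(a)", "contract": "Art. 6(1)(b)",
    "legal_obligation": "Art. 6(1)(c)", "vital_interests": "Art. 6(1)(d)",
    "public_task": "Art. 6(1)(e)", "legitimate_interests": "Art. 6(1)(f)",
}
# EU-27 plus Iceland, Liechtenstein and Norway (ISO 3166-1 alpha-2).
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
       "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
       "SI", "ES", "SE", "IS", "LI", "NO"}
# Subset of third countries with an Article 45 adequacy decision (assumption:
# kept short for the example). US importers are adequate only under the DPF.
ADEQUATE_THIRD_COUNTRIES = {"GB", "CH", "JP", "KR", "NZ", "IL", "AR", "UY", "CA"}

@dataclass
class Processor:
    name: str
    country: str                     # where the importer processes the data
    dpf_certified: bool = False      # EU-US Data Privacy Framework (US only)
    mechanism: Optional[str] = None  # "scc", "bcr", "derogation" or None
    tia_documented: bool = False     # transfer impact assessment on file

@dataclass
class Activity:
    name: str
    lawful_bases: list               # keys of LAWFUL_BASES
    lia_documented: bool = False     # Legitimate Interests Assessment on file
    special_category: bool = False   # Art. 9(1) data involved
    art9_condition: Optional[str] = None  # e.g. "Art. 9(2)(a) explicit consent"
    large_scale: bool = False
    profiling_with_significant_effects: bool = False
    monitors_public_area: bool = False
    processors: list = field(default_factory=list)

@dataclass
class Gap:
    priority: str                    # "high" | "medium" | "low"
    article: str
    detail: str

def transfer_gaps(p: Processor) -> list:
    """Chapter V check for one processor: adequacy, safeguards, or derogation."""
    if p.country in EEA or p.country in ADEQUATE_THIRD_COUNTRIES:
        return []
    if p.country == "US" and p.dpf_certified:
        return []  # Art. 45: the July 2023 DPF adequacy decision applies
    if p.mechanism is None:
        return [Gap("high", "Art. 44-49", f"{p.name} ({p.country}): no transfer mechanism identified")]
    if p.mechanism in ("scc", "bcr") and not p.tia_documented:
        return [Gap("medium", "Art. 46", f"{p.name}: {p.mechanism.upper()} in place but no transfer impact assessment")]
    if p.mechanism == "derogation":
        return [Gap("medium", "Art. 49", f"{p.name}: derogation relied on; confirm the transfer is occasional, not systematic")]
    return []

def dpia_triggers(a: Activity) -> list:
    """Article 35(3) triggers only; the list is not exhaustive (see Art. 35(4))."""
    hits = []
    if a.profiling_with_significant_effects:
        hits.append("Art. 35(3)(a) systematic and extensive profiling with significant effects")
    if a.special_category and a.large_scale:
        hits.append("Art. 35(3)(b) large-scale special-category or criminal-offence data")
    if a.monitors_public_area and a.large_scale:
        hits.append("Art. 35(3)(c) large-scale monitoring of a publicly accessible area")
    return hits

def screen_activity(a: Activity) -> list:
    """Return the activity's gaps, highest priority first."""
    gaps = []
    unknown = [b for b in a.lawful_bases if b not in LAWFUL_BASES]
    if not a.lawful_bases or unknown:
        gaps.append(Gap("high", "Art. 6(1)", f"{a.name}: lawful basis missing or not an Art. 6(1) basis: {unknown}"))
    if len(a.lawful_bases) > 1:
        gaps.append(Gap("low", "Art. 6(1)", f"{a.name}: several bases listed; record which purpose each covers"))
    if "legitimate_interests" in a.lawful_bases and not a.lia_documented:
        gaps.append(Gap("medium", "Art. 6(1)(f)", f"{a.name}: legitimate interests claimed without a documented LIA"))
    if a.special_category and not a.art9_condition:
        gaps.append(Gap("high", "Art. 9(2)", f"{a.name}: special-category data without an Art. 9(2) condition"))
    for p in a.processors:
        gaps.extend(transfer_gaps(p))
    for t in dpia_triggers(a):
        gaps.append(Gap("high", "Art. 35", f"{a.name}: DPIA likely required: {t}"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(gaps, key=lambda g: order[g.priority])  # stable: ties keep insertion order

def gap_report(ropa: list) -> dict:
    return {a.name: screen_activity(a) for a in ropa}

# Constructed sample RoPA; vendor names and flags are invented for the example.
SAMPLE_ROPA = [
    Activity("Billing", ["contract"],
             processors=[Processor("payments-vendor", "US", dpf_certified=True)]),
    Activity("Product analytics", ["legitimate_interests"], lia_documented=False,
             processors=[Processor("crm-vendor", "US", mechanism="scc", tia_documented=False)]),
    Activity("Health questionnaire", ["consent"], special_category=True, large_scale=True,
             processors=[Processor("cloud-host", "IE")]),
]

if __name__ == "__main__":
    for name, gaps in gap_report(SAMPLE_ROPA).items():
        print(name, [(g.priority, g.article, g.detail) for g in gaps])
```

Running the block prints one gap list per activity. In the sample, "Billing" comes back clean, "Product analytics" carries two medium gaps (no LIA, SCCs without a TIA), and "Health questionnaire" two high ones (no Article 9(2) condition, and a DPIA trigger from large-scale special-category data). A real checker would extend `dpia_triggers` with the supervisory authority's Article 35(4) list, which this one deliberately leaves out.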

Q.06 What does the readiness score mean?
A.06

It is a 0–100 estimate of how prepared you look based on what you described and what is missing. A business with no RoPA, undocumented lawful bases, and no request-handling process scores low; one with clear data flows and existing controls scores higher. It is a directional signal to prioritize work, not a certification.

— Fin — · Set in Fraunces & Plex