What a Privacy Compliance Audit Actually Checks (And What Most Tools Miss)
A privacy audit is not just a cookie scan. Here's what a thorough compliance audit examines — from data flows to legal page adequacy — and why most automated tools only scratch the surface.
When a regulator, a large enterprise client, or your own legal team asks for a "compliance audit," they are not asking whether you have a privacy policy page. They are asking whether your actual data handling matches what your documentation claims — and whether that documentation meets the legal standard.
Here is what a thorough privacy compliance audit examines, layer by layer.
Layer 1: What is actually loading on your pages
The starting point is a full scan of every third-party resource your pages load — JavaScript files, iframes, pixel endpoints, CDN calls, web fonts, and API requests. This is not the same as looking at your tag manager configuration. Actual page loads reveal:
- Trackers you inherited from an acquired product
- Third-party scripts added by a marketing plugin you forgot was installed
- Analytics tools that were "turned off" in the dashboard but are still firing
- Ad tech pixels from an old campaign that never got cleaned up
A proper audit runs headless browser scans in three states: before any interaction with the consent banner, after consent is rejected, and after it is accepted, and compares which requests fire and which cookies are set in each. Nothing beyond strictly necessary storage may appear in the first two states. Many sites leak trackers before the banner is answered or after consent is declined.
Layer 2: Cookie classification
For every cookie set, the audit classifies:
- Strictly necessary — session management, security, load balancing, storage of the consent choice itself. No consent required.
- Functional — remembers user preferences. Consent required in most EU jurisdictions unless the user explicitly asked for the function (a language choice, for example) and the cookie lives no longer than that purpose needs.
- Analytics — usage measurement. Consent required; a few supervisory authorities (the CNIL, for example) exempt first-party audience measurement that produces only aggregated statistics and is not combined with other data.
- Advertising/tracking — behavioural profiling. Consent always required.
The audit checks whether your consent banner categories match reality. Two common findings: advertising cookies classified as "analytics" in the consent banner, and cookies that the banner does not list at all.
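The core of the Layer 1 and Layer 2 checks is a diff across consent states: which third-party domains are contacted, and which cookies are set, before the banner is answered and after consent is rejected, compared with what the banner declares. The script below is an added example written for this article, not the scanner the page describes. It works on constructed sample captures standing in for what a headless browser would record in each state; the site name, cookie names, banner declarations and the simplified registrable-domain helper are all assumptions (a real scanner should use a Public Suffix List library instead of the hard-coded suffix set).

```python
"""Consent-state diff for a privacy audit (example code for this article).

REQUESTS and COOKIES are constructed sample captures standing in for what a
headless browser would record in each consent state. DECLARED is the
(assumed) consent banner's own classification of each cookie.
"""
from urllib.parse import urlsplit

FIRST_PARTY = "example.com"  # assumed site under audit

# Assumed multi-label public suffixes; a real tool uses the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed capture: URLs requested in each consent state.
REQUESTS = {
    "pre_consent": [
        "https://example.com/",
        "https://static.example.com/app.js",
        "https://www.google-analytics.com/collect?v=1&tid=UA-1",
        "https://connect.facebook.net/en_US/fbevents.js",
    ],
    "rejected": [
        "https://example.com/",
        "https://static.example.com/app.js",
        "https://www.google-analytics.com/collect?v=1&tid=UA-1",
        "https://fonts.gstatic.com/s/roboto.woff2",
    ],
    "accepted": [
        "https://example.com/",
        "https://static.example.com/app.js",
        "https://www.google-analytics.com/collect?v=1&tid=UA-1",
        "https://connect.facebook.net/en_US/fbevents.js",
        "https://fonts.gstatic.com/s/roboto.woff2",
    ],
}

# Constructed capture: cookies present in the browser's jar in each state.
COOKIES = {
    "pre_consent": {"session_id", "_ga", "_fbp"},
    "rejected": {"session_id", "_ga"},
    "accepted": {"session_id", "_ga", "_fbp", "lang", "_gcl_au"},
}

# What the (assumed) consent banner declares about each cookie.
DECLARED = {
    "session_id": "strictly_necessary",
    "lang": "functional",
    "_ga": "analytics",
    "_fbp": "analytics",  # mis-declared: _fbp is a Meta Pixel advertising cookie
}

# Reference classification of well-known cookie names (illustrative subset).
KNOWN = {"_ga": "analytics", "_gid": "analytics",
         "_fbp": "advertising", "_gcl_au": "advertising"}

# States in which only strictly necessary requests and cookies may appear.
NO_CONSENT_STATES = ("pre_consent", "rejected")


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its registrable domain (simplified eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def third_party_domains(urls) -> set:
    """Registrable domains contacted that are not the first party."""
    domains = {registrable_domain(urlsplit(u).hostname or "") for u in urls}
    return {d for d in domains if d and d != FIRST_PARTY}


def request_leaks(requests=REQUESTS) -> dict:
    """Third-party domains contacted in states where no consent has been given."""
    return {state: sorted(third_party_domains(requests[state]))
            for state in NO_CONSENT_STATES}


def cookie_findings(cookies=COOKIES, declared=DECLARED, known=KNOWN) -> dict:
    """Cookies set without consent, undeclared cookies, and category mismatches."""
    findings = {"set_without_consent": set(), "undeclared": set(), "misclassified": {}}
    for state in NO_CONSENT_STATES:
        for name in cookies[state]:
            if declared.get(name) != "strictly_necessary":
                findings["set_without_consent"].add(name)
    for name in set().union(*cookies.values()):
        if name not in declared:
            findings["undeclared"].add(name)
        elif name in known and known[name] != declared[name]:
            findings["misclassified"][name] = (declared[name], known[name])
    return findings


if __name__ == "__main__":
    for state, domains in request_leaks().items():
        print(f"{state}: third parties contacted -> {domains}")
    for key, value in cookie_findings().items():
        print(f"{key}: {value}")
```

On the sample data this reports the Meta Pixel and Google Analytics firing before the banner is answered, Google Analytics and a Google Fonts fetch still firing after rejection, `_ga` and `_fbp` set without consent, `_gcl_au` missing from the banner entirely, and `_fbp` declared as analytics when it is an advertising cookie. Feed it the request and cookie captures from a real headless run per state and the same functions produce the Layer 1 and Layer 2 findings.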
Layer 3: Legal page adequacy
Having a privacy policy is not the same as having an adequate privacy policy. The GDPR's Article 13 transparency requirements are specific:
- Identity and contact details of the controller
- Contact details of the DPO (if applicable)
- Purposes and legal bases for every processing activity
- Legitimate interests relied upon (where applicable)
- Recipients or categories of recipients of personal data
- Details of international transfers and safeguards
- Retention periods (or criteria used to determine them)
- All data subject rights, including the right to withdraw consent
- Right to lodge a complaint with a supervisory authority
- Whether providing the data is a statutory or contractual requirement, and the consequences of not providing it
- Any automated decision-making, including profiling, with meaningful information about the logic involved
A privacy policy that says "we use your data to improve our services" without specifying purposes, bases, and recipients fails this test regardless of length.
Layer 4: Data subject rights mechanisms
The audit checks whether you have functioning processes (not just policy text) that can respond within the one-month deadline of Article 12(3) GDPR for:
- Access requests (Article 15 GDPR)
- Rectification (Article 16)
- Erasure requests (Article 17)
- Restriction of processing (Article 18)
- Portability (Article 20)
- Objection (Article 21)
For CCPA, equivalents include the right to know, right to delete, right to opt-out of sale or sharing, and right to non-discrimination, plus, under the CPRA amendments, the right to correct and the right to limit use of sensitive personal information.
Layer 5: Forms and data collection points
Every form is a data collection point. The audit checks:
- What data is collected, and whether it's proportionate to the stated purpose
- Whether consent language is specific to the purpose (not blanket)
- Whether marketing opt-ins are pre-ticked (invalid under GDPR; the CJEU confirmed this in Planet49, C-673/17)
- Whether health or other Article 9 special-category fields have an Article 9(2) condition (typically explicit consent), and whether financial data fields are minimised and protected accordingly
What most automated tools miss
Most scanner tools check Layer 1 (trackers) and produce a list. Some check Layer 3 superficially — whether certain words appear in your privacy policy. Almost none check whether your documented purposes match your actual processing, whether your retention periods are realistic, or whether your international transfer mechanisms are current.
The gap between "scan output" and "audit-ready documentation" is where most compliance risk lives.
What Regulatory Signals does differently
Regulatory Signals runs a deep technical scan (Layers 1–2) and a legal adequacy check (Layer 3) in a single pass, flagging missing GDPR Article 13 disclosures, undisclosed trackers, and cookie classification mismatches. For EU AI Act obligations, it adds AI system risk classification.
The output is not just a list of findings — it's a structured compliance gap report with the specific remediation each gap requires, plus the ability to generate the policy documents needed to close those gaps.
An audit is only useful if it leads to action. That requires knowing not just what is wrong, but exactly what to do next.
Scan your site or AI system now
Detect trackers, check legal page adequacy, classify EU AI Act risk, and generate policy documents — in minutes.