GDPR合规检查器

输入

Practices Description

We collect user email, name, and usage analytics. Data is stored on AWS Frankfurt. We use Stripe for payments and Intercom for support chat. No explicit cookie consent banner yet; privacy policy mentions data is 'kept securely' but no retention period or DPO contact. Users can delete accounts by emailing support.

Business Type

saas

Check Type

quick

输出（节选）

GDPR Quick Check — 3 critical gaps found. 1) Missing lawful basis statement: specify consent/legitimate interest per processing purpose (Art. 6). 2) No cookie consent mechanism despite analytics — add a banner with granular opt-in (ePrivacy). 3) Data retention undefined: state how long data is kept (Art. 5). Strengths: EU data residency (Frankfurt) and a self-service deletion path support data subject rights. Recommended next: appoint/identify a DPO contact and add a Records of Processing entry.

输入

Practices Description

Privacy policy: 'We collect your name, address, payment, and browsing data to fulfil orders and improve our store. We share data with shipping and payment partners. We may send marketing emails. Contact us with questions.' Built on Shopify, sells across the EU.

Business Type

ecommerce

Check Type

privacy_policy

输出（节选）

Privacy Policy Review. Coverage: moderate. Present: data categories, purposes, third-party sharing. Missing for GDPR compliance: (1) named legal basis for each purpose; (2) explicit list of recipients/processors and any non-EU transfers with safeguards; (3) data subject rights (access, erasure, portability, objection) and how to exercise them; (4) marketing opt-in/withdrawal mechanism; (5) retention periods; (6) identity and contact of the data controller. Add these sections to reach compliance.

输入

Practices Description

We run paid ad campaigns and email marketing for clients. We import client customer lists into our CRM (HubSpot), build lookalike audiences in Meta Ads, and use cookie-based retargeting pixels on client sites. We store lead data indefinitely and sometimes reuse lists across clients.

Business Type

marketing

Check Type

full

输出（节选）

Full GDPR Audit — high risk. Critical: reusing client lists across accounts likely violates purpose limitation and lawful basis (Art. 5, 6) — each dataset needs documented consent or contract scope. Indefinite retention breaches storage limitation; define retention schedules. Lookalike/retargeting pixels require valid consent and a controller-processor DPA with each client. Action items: sign DPAs, implement per-client data segregation, add consent records, and create a deletion workflow. Compliance score: 38/100.