What you get from a $39 Pre-Launch Audit
Illustrative output for a fictional demo company. Same format, sections, and depth as a real Pre-Launch Audit report — generated by the same compliance pipeline. No real customer data shown.
Compliance review for https://pixelnotes.example.com
Generated: sample report (illustrative)
Audited entity: Pixel Notes Inc. (fictional demo company)
Notice — sample output, not a real audit.
This page shows the format and depth of a Sekrd compliance review.
The company, domain, and findings below are fabricated for
illustration. A real review compares your existing privacy
disclosures against a closed-set corpus of 48 article-level
citations across EU GDPR, UK GDPR, CCPA, CPRA, and LGPD. It
identifies gaps for counsel review. It is not a compliance
certification.
Coverage score
74 / 100 — Moderate coverage
A privacy policy was detected and parsed. The policy enumerates 21
data categories. 3 processors are named. Retention is specified per
category for 4 categories. Several disclosures expected by the
corpus were not detected.
What you already cover well
- ✓ Data controller named: Pixel Notes Inc.
- ✓ Privacy contact published: privacy@pixelnotes.example.com
- ✓ Policy references applicable laws: GDPR, CCPA
- ✓ Data categories enumerated (21 categories listed)
- ✓ Retention periods specified per data category (4 categories)
- ✓ Third-party processors named (3 processors)
- ✓ Data subject rights enumerated: access, rectify, erase, restrict, object, withdraw consent
- ✓ Legal bases declared: performance of a contract, legitimate interests, consent
- ✓ Account / data deletion path documented
- ✓ International data transfers disclosed
What's missing
These are concerns the corpus expects to be addressed but were not
detected on the site or in the policy:
- ✗ "Do Not Sell or Share My Personal Information" link missing — required on the homepage by CCPA §1798.135 if the business sells or shares personal information. (May not apply.)
- ✗ Global Privacy Control (GPC) signal not honored — CPRA §1798.135 requires server-side handling of the `Sec-GPC: 1` header. (May not apply if no California users.)
- ✗ Children's data policy not declared — GDPR Art. 8 + COPPA require an explicit statement if the service is directed at, or knowingly collects from, users under 13/16.
- ✗ Data Protection Officer (DPO) contact not published — GDPR Art. 37 may require a named DPO depending on scale of processing; if appointed, contact must be published.
Where the existing policy could be sharper
These are not strict gaps — the policy addresses the concern at a
high level — but the corpus expects more specificity for full
disclosure compliance.
- ⚠️ Controller named but no postal address. GDPR-compliant policies typically include a registered postal address for data subject requests; consider adding it.
- ⚠️ Retention periods specified for only 4 of 21 enumerated categories. Consider expanding the retention table to cover all categories.
- ⚠️ Processor list names 3 vendors but does not include sub-processor disclosure. GDPR Art. 28 best practice is to publish or link a current sub-processor list.
Findings mapped to articles
High
- gdpr-no-children-policy — cites `gdpr-art-8`
No statement detected regarding processing of personal data of
children under the relevant age threshold. If any users may be
under 13/16, an explicit policy is required.
Medium
- ccpa-no-do-not-sell-link — cites `ccpa-1798-135`
The website is missing the required "Do Not Sell or Share My
Personal Information" link on its homepage, which is mandated by
CCPA if the business sells or shares personal information.
- cpra-no-gpc-handling — cites `cpra-1798-135`
Server response headers do not indicate handling of the Sec-GPC
signal. CPRA requires honoring this opt-out signal as a "Do Not
Sell" request.
- gdpr-incomplete-retention-table — cites `gdpr-art-13`
Retention periods are specified for only 4 of 21 enumerated data
categories. Art. 13(2)(a) expects retention period (or criteria)
per category.
Low
- gdpr-no-postal-address — cites `gdpr-art-13`
Controller is named but no postal address is provided. Best
practice for handling data subject requests under GDPR.
Detected company information
- Controller: Pixel Notes Inc. (fictional)
- Contact: privacy@pixelnotes.example.com
- Jurisdictions referenced: GDPR, CCPA
Next steps
1. Counsel review — bring this review to qualified privacy
counsel. The gaps section above is the priority list.
2. Process changes, not just text — many gaps require operational
changes (e.g. honoring GPC requires server-side header handling,
not just a policy disclosure).
3. Re-audit after changes — Sekrd's $39 Pre-Launch Audit can be
re-run; we recommend re-running after any material policy or
processing change to confirm gaps closed.
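Server-side handling of the `Sec-GPC` request header, as flagged in the "What's missing" and "Next steps" sections above. This is an added example, not Sekrd's scanner code or the audited site's code; it assumes a plain WSGI handler, an in-memory opt-out store and a constructed `X-Demo-User` header to identify the requester.

```python
import json
from datetime import date

# In-memory stand-in for the per-user opt-out record (constructed).
OPT_OUT_STORE = {}

def gpc_signal_present(headers):
    """True only for the exact `Sec-GPC: 1` request header.

    The GPC spec defines a single valid value, "1"; "0", "true" or an
    absent header must be treated as no signal.
    """
    value = headers.get("Sec-GPC") or headers.get("sec-gpc") or ""
    return value.strip() == "1"

def record_opt_out(user_id, headers):
    """Treat a GPC signal as a 'Do Not Sell or Share' request.

    Returns the user's opt-out status. Once set, the flag is not
    cleared by a later request without the header, since the same
    person may be using another browser.
    """
    if gpc_signal_present(headers):
        OPT_OUT_STORE[user_id] = True
    return OPT_OUT_STORE.get(user_id, False)

def gpc_well_known_body():
    """Body for /.well-known/gpc.json declaring that GPC is honored."""
    return {"gpc": True, "lastUpdate": date.today().isoformat()}

def handle_request(path, headers, user_id="anonymous"):
    """Route one request; returns (status, response dict)."""
    if path == "/.well-known/gpc.json":
        return 200, gpc_well_known_body()
    opted_out = record_opt_out(user_id, headers)
    # Anything that would sell or share data must consult this flag.
    return 200, {"user": user_id, "opted_out": opted_out}

def wsgi_app(environ, start_response):
    """Thin WSGI adapter so the handler runs under any WSGI server."""
    headers = {"Sec-GPC": environ.get("HTTP_SEC_GPC", "")}
    user_id = environ.get("HTTP_X_DEMO_USER", "anonymous")  # constructed
    status, payload = handle_request(environ.get("PATH_INFO", "/"), headers, user_id)
    start_response(f"{status} OK", [("Content-Type", "application/json")])
    return [json.dumps(payload).encode()]
```

Serving the well-known resource alongside the header check is what lets a scanner (or a user agent) confirm the signal is honored rather than merely disclosed in policy text.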
*This review was generated by Sekrd's automated compliance scanner.
Sekrd does not provide legal advice. Final review by qualified
counsel is required before relying on this report for compliance
decisions or regulatory submissions. The sample above uses a
fictional company for illustration.*
This is one of five artifacts in every Pre-Launch Audit
Above is the compliance review — the headline artifact. The full $39 package also produces:
- ✓ Generated privacy policy template (Markdown, populated with your detected data flows)
- ✓ Generated Terms of Service template (Markdown, with limitation-of-liability clauses)
- ✓ App Store Privacy Manifest checklist (~8KB, pre-filled answers for PrivacyInfo.xcprivacy + App Privacy Details form)
- ✓ Google Play Data Safety form guide (~7KB, pre-filled Data Safety form answers)
Plus 7 days of unlimited re-scans, AI fix prompts, full security findings with file paths + line numbers, and the signed PDF report.
Reminder: Sekrd is not a certified auditor. The report is technical attestation of findings mapped to regulation text. Use it as evidence, not legal opinion. Consult counsel before relying on it for regulatory decisions.
Ready to audit your app?
Run a free scan first, or jump straight to the $39 Pre-Launch Audit.