Policy & terms reviewer

Find every gap between what your policies promise and what your site actually does.

We find and read your policy pages — privacy policy, cookie policy and terms of service — and review them against GDPR's information duties (Articles 13–14), ePrivacy and Swedish consumer law. Then we do what no template check can: compare what the policy promises against what the scan actually measured on the site — does the cookie policy declare every tracker, and do your forms collect consent correctly? AI-assessed findings are always clearly flagged as indications to verify, never as legal verdicts.

What we review

The module finds your policy pages automatically, reads the text, and runs around fifty checks — from whether the right information exists at all, to whether it matches reality on the site and the rules for your specific industry.

Privacy policy against GDPR

Is there a reachable privacy policy, and does it contain everything Articles 13–14 require — controller and contact channel, purposes, legal basis, retention, recipients, third-country transfers with a safeguard, the data subjects' rights, the right to withdraw consent and to lodge a complaint with IMY, and a data protection officer where one is required? We check each point on its own — not just that the policy exists.

Cookie declaration vs reality

Does the cookie policy list the trackers that actually load, with a category and lifespan per cookie? We compare what the policy declares with what the cookie scan measured and flag trackers that run without being named — plus contradictions like "we use no tracking cookies" when we observed otherwise.

Forms & consent

Do your forms collect personal data correctly — no pre-ticked consent box (invalid under GDPR Art. 4.11), no consent bundling several purposes into a single tick, a link to the privacy policy, and a stated Article 9 basis when sensitive data such as health is requested? We review every form we find on the pages.

Terms & purchase conditions

For selling sites: do purchase terms and terms of service exist, and do they cover what consumer law requires — a 14-day right of withdrawal, a clear total price including VAT, out-of-court dispute resolution via Sweden's ARN, and the statutory company details (name, address, email)? We also flag outdated references, such as the EU's now-discontinued ODR platform.

What you say vs what you actually do

This is what no template check can do: we hold your own claims against what the scan measured. "We don't share data" but external services load? No third-country transfer mentioned but data goes to the US? The consent banner offers a category the policy doesn't describe? The accessibility statement claims full WCAG compliance but the scan found issues? Every gap becomes its own finding.

That the policy is current and trustworthy

We catch the signs of a policy that was never reviewed: references to the repealed PUL or the renamed Datainspektionen, unfilled template placeholders, the wrong company named as controller, broken policy links, a missing update date, and text that exists only in a language other than Swedish or is too hard to read for an ordinary visitor (Art. 12.1).

Does this apply to my site?

The core is reviewed regardless of industry. Then the module adapts to your operation — if you sell something, are a healthcare provider, or a public-sector body, the rules that apply specifically to you are added.

All websites

Privacy policy, cookie declaration and form consent are reviewed regardless of industry — every site with visitors processes personal data.

Selling sites

Purchase terms and terms of service, a 14-day right of withdrawal, price information, ARN and statutory company details are reviewed on top of the base.

Healthcare & care services

Healthcare providers process health data — so we check that the policy states a basis under GDPR Article 9.2 (not a consent checkbox, which doesn't hold in a care relationship), mentions the Patient Data Act, and keeps medical-record data separate from ordinary web and marketing data.

Municipalities & public authorities

For public-sector bodies we check that the correct legal basis is stated for the exercise of public authority (Article 6.1 c or e — legitimate interest is not available), and that the policy explains that incoming messages may become public records under the principle of public access.

Which regulations we cover

The policy module is built around GDPR's information requirements, complemented by ePrivacy and Swedish consumer/sector law.

  • GDPR Articles 12–14 (the information duty)

    The data subject must receive clear information about what data is processed, why, on what basis and for how long. We check that the policy actually contains what's required — not just that it exists. Some industries are also covered by sector-specific data-protection law — e.g. the Patient Data Act (2008:355) for healthcare providers — which we assess based on the site's industry.

  • ePrivacy / Electronic Communications Act (2022:482)

    Cookie information must be accurate and complete for consent to be informed. We cross-check the cookie policy against the trackers the scan actually observed.

  • Consumer & e-commerce law

    For selling sites: the Distance Contracts Act, the alternative-dispute-resolution law and the statutory business details a selling site must show — purchase terms, right of withdrawal, ARN and contact details.

  • Sector & administrative law

    Depending on your operation we factor in rules beyond GDPR: the Patient Data Act (2008:355) for healthcare providers, the principle of public access and the correct legal basis for authorities, and the Language Act (2009:600) for the public sector. The same scan — adapted to which laws actually apply to you.

How it works

  1. You enter your URL

    No plugin to install. No code changes. The module finds your policy pages itself via the footer, standard URLs and the cookie banner.

  2. We read and review the documents

    Each policy, cookie and terms page is fetched and read against checks tied to the relevant legal basis — deterministic where possible, AI-assessed where interpretation is needed.

  3. We cross-run the policy against the scan's findings

    The module takes the cookies, trackers and forms that the cookie and accessibility scans already measured and sets them against what the policy documents claim. A tracker that runs but isn't declared, a claim contradicted by the measurement — every discrepancy becomes its own finding. This is where it catches what dry template checks miss.

  4. Prioritised action plan

    You get each issue explained in plain language — what's missing, which legal basis it concerns and how to fix it. AI-assessed findings are clearly marked as indications to verify, never as claims of a legal breach.

An example of what we find

A cookie policy says "we use no tracking cookies" — but the scan measured Google Analytics and the Meta pixel loading before consent. Or: the privacy policy still references PUL and Datainspektionen, replaced back in 2018. That's invisible in an ordinary template review.

What you get

  • Prioritised action plan with every policy issue explained in plain language and tied to the relevant legal basis
  • An AI adviser you chat with about your policies — it opens your actual website live, reads the policy in context, and answers with references to GDPR and Swedish practice
  • Full audit history — every version of your policies and findings saved, so you can show that compliance has been followed up over time
  • Email when new issues appear between scans

Start scanning your site — free for 30 days

No credit cards. No agents or plugins. See first results within minutes.
