Privacy Policy

Last updated: February 11, 2025

The short version

We collect what we need to run the service. We do not sell your data. We do not track you across the internet. We built a compliance tool, so it would be professionally embarrassing to violate your privacy.

1. Who we are

sudo legal is operated by Hexa, based in Brussels, Belgium. We are the data controller for the personal data processed through this service.

Contact: privacy@sudolegal.com

2. What we collect

Account data

When you sign up, we collect your name, email address, and (if you use Google sign-in) your Google profile information. We store a hashed password if you use email/password authentication. We never see your actual password, and frankly, we do not want to.

Website data

When you run a scan, we crawl and store the publicly available content of your website's legal pages (privacy policy, terms of service, cookie policy, etc.). This is the same content any visitor to your site can see. We also store the HTML for technical checks and generate text embeddings for our analysis.

Scan results

We store the findings, scores, corrections, and reports generated by our scanner. These are tied to your account and your scanned websites.

Usage data

We collect basic analytics: pages viewed, features used, and error logs. We use this to improve the product, not to build an advertising profile of you. We do not use third-party analytics trackers on this site.

3. Legal basis (GDPR Art. 6)

We process your data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): to provide the scanning service you signed up for
  • Legitimate interest (Art. 6(1)(f)): to improve the service, prevent abuse, and ensure security
  • Consent (Art. 6(1)(a)): for optional features like marketing emails (you can withdraw anytime)

We reference the actual GDPR articles because we scan for them. It would be hypocritical not to.

4. Who we share data with

We use the following third-party services to operate:

Neon (Database)

Stores your account data, scan results, and website content. Hosted in the EU.

Vercel (Hosting)

Hosts the application. Processes requests through their edge network.

Anthropic (AI Analysis)

Analyzes your website content to generate compliance findings. We send page content for analysis. Anthropic does not use this data to train their models.

OpenAI (Embeddings)

Generates text embeddings for semantic search during analysis. We send text chunks, not full pages.

Firecrawl (Web Crawling)

Crawls your website to extract page content. Only accesses publicly available pages.

Browserbase (Browser Automation)

Runs a cloud browser to test your cookie banners and consent flows.

Resend (Email)

Sends transactional emails (scan complete notifications, team invitations).

Google (Authentication)

If you sign in with Google, we receive your name, email, and profile picture. We do not access anything else in your Google account.

We do not sell, rent, or trade your personal data. We do not share it with advertisers. We do not even share it with people who ask nicely.

5. Data retention

We keep your account data for as long as your account exists. Scan results are retained as long as your account is active so you can track compliance over time. If you delete your account, we delete your data within 30 days. Some anonymized, aggregated statistics (like "X% of scanned sites have cookie issues") may be retained indefinitely because they contain no personal data.

See, that was a specific retention period. Not "as long as needed." We know the difference.

6. International transfers

Some of our sub-processors (Anthropic, OpenAI, Vercel) are based in the United States. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where applicable. Your core data (database) is stored in the EU via Neon.

7. Your rights

Under the GDPR, you have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data (Art. 17), also known as "the right to be forgotten," which is a more dramatic name than it deserves
  • Restrict processing (Art. 18)
  • Data portability (Art. 20): we can export your scan data in CSV or PDF
  • Object to processing (Art. 21)
  • Withdraw consent at any time for consent-based processing

To exercise any of these rights, email privacy@sudolegal.com. We will respond within 30 days, as required by law. Usually faster, because we actually read our emails.

8. Cookies

We use strictly necessary cookies for authentication (session tokens). That is it. No analytics cookies, no advertising cookies, no "this site uses cookies" banner that takes up half your screen. You are welcome.

9. Security

We use HTTPS everywhere, hash passwords with bcrypt, store data in encrypted databases, and follow security best practices. If you discover a vulnerability, please report it to security@sudolegal.com rather than tweeting about it. We will respond promptly and gratefully.

10. Children

The service is not intended for anyone under 18. We do not knowingly collect data from minors. If you are under 18, you should be doing homework, not auditing privacy policies. Although we respect the ambition.

11. Changes to this policy

We may update this policy as the service evolves or as regulations change (and they will, this is the EU). We will notify you of material changes via email. The "last updated" date at the top will always reflect the current version.

12. Supervisory authority

If you believe we have violated your data protection rights, you have the right to lodge a complaint with your local data protection authority. In Belgium, that is the Autorité de protection des données. We would prefer you contact us first so we can fix the issue, but we respect the process.

Questions?

Email privacy@sudolegal.com. We wrote a compliance scanner, so rest assured we take this seriously.

Terms of Use