# EU + California Compliance Checklist — doany.ai Launch

**Date:** April 11, 2026
**Status:** Pre-launch review

> **Disclaimer:** This checklist is for informational purposes. Consult with a qualified attorney for legal advice specific to your situation.

---

## GDPR Compliance (EU Users — Germany, France, Netherlands)

### Documents & Governance
- [x] Privacy Policy published at `/privacy` with GDPR Art. 13/14 disclosures
- [x] Cookie Notice published at `/cookies` with full cookie inventory
- [ ] **DPO appointed** — required under Art. 37 where core activities involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special-category data; currently [TO BE APPOINTED]
- [ ] **EU Representative appointed** — required under GDPR Art. 27 for controllers and processors with no EU establishment that offer services to, or monitor, people in the EU, unless the Art. 27(2) exemption for occasional, low-risk processing applies
- [ ] **Registered address** added to privacy policy (replace `[REGISTERED ADDRESS]`)

### Lawful Basis (Art. 6)
- [x] Lawful basis identified for each processing activity (see Privacy Policy Section 3)
- [x] Consent used for analytics (GA4, Mixpanel) and marketing (Mailchimp)
- [x] Contract basis used for account/service delivery and payments
- [x] Legitimate interest used for security (session, CSRF)

### Consent Mechanisms
- [x] Cookie consent banner implemented with three options (Accept All / Manage / Reject)
- [x] Analytics and marketing scripts blocked until consent is granted (`tracking.js` checks consent state)
- [x] Consent record stored with timestamp and version (`doany_consent` in localStorage)
- [x] Email marketing uses double opt-in via Mailchimp
- [x] Consent checkbox not pre-checked on newsletter form
- [ ] **Cookie banner needs to be activated** — currently `display:none` in `index.html` line 50

### Data Subject Rights
- [x] Rights listed in Privacy Policy (access, rectification, erasure, portability, objection, restriction)
- [x] Contact mechanism provided (legal@doany.ai)
- [ ] **Internal process documented** for handling DSARs within the Art. 12(3) deadline of one month (extendable by two further months for complex or numerous requests, with the data subject told of the extension within the first month)
- [ ] **Identity verification process** defined for data subject requests

### Data Processing & Transfers
- [x] Third-party processors listed with purposes and data shared
- [x] Standard Contractual Clauses (SCCs) referenced for international transfers
- [ ] **DPAs signed** with all processors: Mailchimp, Google, Mixpanel, Stripe, Supabase, Vercel
- [ ] **Transfer Impact Assessments (TIAs)** completed for US-based processors where the transfer relies on SCCs; where a processor is certified under the EU-US Data Privacy Framework, record that instead
- [ ] **EU data replication** deployed (currently planned, not live); note that hosting in an EU region does not by itself end the transfer analysis while US-based processors can still access the data

### Security & Breach Response
- [x] Encryption in transit (TLS) and at rest documented
- [x] Breach notification commitment in Privacy Policy: supervisory authority within 72 hours of becoming aware (Art. 33), affected data subjects without undue delay where the breach is likely to result in high risk (Art. 34)
- [ ] **Breach response procedure** documented internally
- [ ] **Internal breach register** created
- [ ] **Data Protection Impact Assessment (DPIA)** completed under Art. 35 (required where processing is likely to result in high risk, for example profiling or new technologies such as the AI workspace features; document the screening even if the conclusion is that no full DPIA is needed)

### Records & Documentation
- [ ] **Records of Processing Activities (ROPA)** maintained per Art. 30
- [ ] **Privacy by Design** assessment documented for AI workspace features

---

## CCPA/CPRA Compliance (California Residents)

### Disclosures
- [x] Categories of personal information collected disclosed (Privacy Policy Section 8)
- [x] Business purposes for each category stated
- [x] "We do not sell personal information" explicitly stated
- [x] "We do not share for cross-context behavioral advertising" explicitly stated
- [x] Retention periods disclosed per category
- [x] Right to non-discrimination stated

### Consumer Rights
- [x] Right to Know documented
- [x] Right to Delete documented
- [x] Right to Correct documented
- [x] Right to Opt-Out of Sale/Sharing — N/A (we don't sell/share), but disclosed
- [x] Right to Limit Sensitive PI — disclosed
- [ ] **"Do Not Sell or Share My Personal Information" link** — not required while the business neither sells nor shares and says so in the privacy policy, but confirm that no analytics or marketing tag use amounts to "sharing" (cross-context behavioral advertising) under CPRA; if any does, the footer link and honoring of Global Privacy Control opt-out signals become mandatory
- [ ] **Verification process** for consumer requests (45-day response window, extendable once by a further 45 days with notice to the consumer)

### Financial & Sensitive Data
- [x] No financial incentives offered for data collection
- [x] No sensitive personal information used beyond service necessity
- [x] Payment data processed by Stripe (not stored directly)

---

## ePrivacy Directive (Cookie Compliance)

- [x] Cookie banner presented before non-essential cookies are set
- [x] Granular consent options (analytics / marketing / functional separately)
- [x] Full cookie inventory published with name, purpose, duration, provider
- [x] Easy withdrawal mechanism (Cookie Settings link, banner re-prompt)
- [x] Do Not Track signal respected
- [ ] **Cookie banner activated** — remove `display:none` and wire up functionality
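The consent gate described under Consent Mechanisms above and in this ePrivacy list (record in localStorage under `doany_consent` with timestamp and version, non-essential scripts held back until consent, Do Not Track respected) is easy to get subtly wrong: a record written under an older cookie inventory, or a malformed value, must count as no consent, and a DNT signal must not be overridden by a stored opt-in. The following is an added example written for this page, not doany.ai's `tracking.js`; the record fields, the version-bump policy, the category names and the script inventory are assumptions. It is written against a minimal storage interface so it runs in Node without a browser; on the site it would be called with `window.localStorage` and `navigator.doNotTrack`.

```javascript
// Added example of a consent gate (not doany.ai's tracking.js). Field names,
// CONSENT_VERSION policy and the script inventory are assumptions.

const CONSENT_KEY = "doany_consent"; // key named in the checklist
// Assumption: bump whenever the cookie inventory or banner text changes so that
// consent given under an older inventory is asked for again.
const CONSENT_VERSION = 2;
const NON_ESSENTIAL = ["functional", "analytics", "marketing"];

// Script inventory by consent category (tool names from the checklist; real tag
// IDs and URLs belong in the cookie notice, not here).
const SCRIPTS = {
  functional: [],
  analytics: ["ga4", "mixpanel"],
  marketing: ["mailchimp"],
};

// Build the record that gets persisted: which categories, when, under which version.
function buildConsentRecord(choices, now = new Date()) {
  const categories = {};
  for (const c of NON_ESSENTIAL) categories[c] = choices[c] === true;
  return { version: CONSENT_VERSION, timestamp: now.toISOString(), categories };
}

// Persist a record. `storage` is anything with getItem/setItem
// (window.localStorage in the browser, memoryStorage() below for tests).
function saveConsent(storage, choices, now = new Date()) {
  const record = buildConsentRecord(choices, now);
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// Read and validate the stored record. Returns null when it is missing,
// malformed, or was written under an older version: in all three cases the
// banner must be shown again and nothing non-essential may load.
function readConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (typeof raw !== "string") return null;
  let record;
  try {
    record = JSON.parse(raw);
  } catch (e) {
    return null;
  }
  if (!record || record.version !== CONSENT_VERSION) return null;
  if (typeof record.timestamp !== "string" || Number.isNaN(Date.parse(record.timestamp))) return null;
  if (!record.categories || typeof record.categories !== "object") return null;
  return record;
}

// Decide what may load. A DNT signal ("1" from navigator.doNotTrack) wins over
// a stored opt-in; absence of a valid record means nothing loads and the
// banner is shown.
function decideConsent(storage, doNotTrack) {
  const denied = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
  if (doNotTrack === "1") return { allowed: denied, showBanner: false, reason: "dnt" };
  const record = readConsent(storage);
  if (record === null) return { allowed: denied, showBanner: true, reason: "no-valid-consent" };
  const allowed = {};
  for (const c of NON_ESSENTIAL) allowed[c] = record.categories[c] === true;
  return { allowed, showBanner: false, reason: "stored-consent" };
}

// Expand a decision into the concrete scripts that may be injected into the page.
function scriptsToLoad(decision) {
  const out = [];
  for (const c of NON_ESSENTIAL) if (decision.allowed[c]) out.push(...SCRIPTS[c]);
  return out;
}

// In-memory stand-in for window.localStorage so the gate can run outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
  };
}

// Stand-alone demo: first visit, then a granular choice, then the same visitor with DNT on.
const demo = memoryStorage();
console.log(decideConsent(demo, "0"));                    // showBanner: true, nothing allowed
saveConsent(demo, { analytics: true, marketing: false });
console.log(scriptsToLoad(decideConsent(demo, "0")));     // [ 'ga4', 'mixpanel' ]
console.log(scriptsToLoad(decideConsent(demo, "1")));     // []
```

Treating DNT as a reject-all is a policy choice; the alternative is to keep showing the banner but never let a stored opt-in outrank the signal. `decideConsent` is also the place where a Global Privacy Control signal would be checked if the CCPA analysis ever concludes that any tag use counts as "sharing".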

---

## CAN-SPAM & Email Marketing

- [x] Double opt-in enabled for EU subscribers (Mailchimp)
- [x] Clear unsubscribe mechanism referenced
- [x] Marketing consent checkbox required and never pre-checked
- [ ] **Physical mailing address** required in every marketing email (CAN-SPAM)
- [ ] **Unsubscribe honored within 10 business days** — verify Mailchimp settings

---

## Priority Action Items Before Launch

| # | Action | Owner | Blocking? |
|---|--------|-------|-----------|
| 1 | **Activate cookie consent banner** — remove `display:none`, wire up JS handlers | Engineering | YES |
| 2 | **Add registered address** to Privacy Policy `[REGISTERED ADDRESS]` placeholder | Legal/Ops | YES |
| 3 | **Sign DPAs** with Mailchimp, Google, Mixpanel, Stripe, Supabase, Vercel | Legal | YES |
| 4 | **Add physical mailing address** to Mailchimp email templates | Marketing | YES |
| 5 | Appoint DPO or document why one is not required | Legal | Soon |
| 6 | Appoint EU Representative (Art. 27) | Legal | Soon |
| 7 | Add "Do Not Sell or Share" footer link for CCPA | Engineering | Soon |
| 8 | Create internal DSAR handling process | Legal/Ops | Soon |
| 9 | Complete Data Protection Impact Assessment (DPIA) | Legal/Eng | Post-launch |
| 10 | Maintain Records of Processing Activities (ROPA) | Legal | Post-launch |
| 11 | Document breach response procedure | Security | Post-launch |
| 12 | Deploy EU data replication | Engineering | Post-launch |

---

## Attorney Review Flags

The following sections should be reviewed by qualified legal counsel before or shortly after launch:

- [ ] International transfer mechanisms (SCCs on the 2021 Commission template with the right module for each processor relationship, supplementary measures, Data Privacy Framework certification status of each US processor)
- [ ] Limitation of liability language (if added to Terms of Service)
- [ ] Age of consent thresholds by jurisdiction (GDPR Art. 8 sets 16 by default and lets member states go as low as 13: Germany 16, France 15, Netherlands 16)
- [ ] AI-specific data processing disclosures (GDPR Art. 22 automated decision-making)
- [ ] Jurisdiction and governing law clauses
