Ship GDPR/CCPA legal docs before launch

Solo founders and 2-10 person SaaS/app teams shipping their first product, especially those with EU or California users · Assemble in ~10 min; first full draft in <30 min once installed.

LegalEdit flowon X● golden 96

step 1ready

Map product data flows and user scope

privacy-policy4 alts

step 2ready

Generate the privacy policy

legal-privacy4 alts

step 3ready

Generate the terms of service

legal-terms

step 4ready

GDPR technical compliance scan

gdpr-dsgvo-expert

step 5ready

Build PII redaction and logging policy

pii-redaction-logging-policy-builder

step 6ready

General counsel risk review of both documents

general-counsel-advisor

step 7connector

Publish-ready package and attorney handoff brief

⚡ bring your own tool

Did this recipe work for you?

What you get

▸Privacy policy — GDPR + CCPA compliant Markdown draft, jurisdiction-tagged, with data subject rights and processor clauses
▸Terms of service — SaaS/app-tuned draft covering liability, IP, payment, termination, and governing law
▸PII logging policy + redaction rule set ready to embed in your engineering runbook
▸Attorney handoff brief: open issues list, jurisdiction decisions made, and a compliance findings summary for legal sign-off

tools: No paid tools required for drafting. Document export: Google Docs (free) or Pandoc (free/OSS). Attorney review cost is separate and outside this recipe.

tokens: ~$1–3 for a full 7-step session (30–80k tokens depending on codebase scan depth)

≈ Near-zero ongoing — rerun once every 6 months or after major feature changes

What stays yours

· Attorney review before publishing: AI-generated legal documents are drafts, not legal advice — a qualified attorney in your jurisdiction must review before you go live, especially for EU establishment or health/finance data
· Jurisdiction calls you must make yourself: governing law selection, choice of DPA supervisory authority, and CCPA 'sale' determination require business decisions the agent cannot make for you
· Cookie consent implementation: the privacy policy references a consent mechanism but building and deploying a compliant cookie banner (OneTrust, Cookiebot, or custom) is outside this recipe

✓ Last verified 2026-06-11claude-sonnet-4-6 (subagent, test-mode fixtures)

✓ step 1 · Map product data flows and user scope

✓ step 2 · Generate the privacy policy

✓ step 3 · Generate the terms of service

✓ step 4 · GDPR technical compliance scan

✓ step 5 · Build PII redaction and logging policy

✓ step 6 · General counsel risk review of both documents

✓ step 7 · Publish-ready package and attorney handoff brief

view sample outputs from this run

step 1 · Map product data flows and user scope

# Product Data Flow Brief

**Product:** FinFlow — a SaaS personal finance dashboard that connects bank accounts via Plaid, categorizes transactions, and generates AI-driven spending insights.

**Effective Date:** 2026-06-11  
**Version:** 1.0  
**Prepared by:** Cybernetic Library receipt run

---

## 1. Product Purpose

FinFlow allows individual users (consumers) to link their bank and credit card accounts, view consolidated transaction history, track budgets by category, and receive weekly AI-generated spending summaries delivered by email. A premium tier adds bill-negotiation assistance rout…

step 2 · Generate the privacy policy

# Privacy Policy

**FinFlow, Inc.**  
**Effective Date:** June 11, 2026  
**Last Updated:** June 11, 2026

---

## 1. About This Policy

FinFlow, Inc. ("FinFlow," "we," "us," or "our") operates the FinFlow personal finance dashboard available at finflow.app and via our mobile applications (collectively, the "Service"). This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, how long we keep it, and what rights you have over it.

This policy applies to all users of the Service, including prospective users who provide an email address on our…

step 3 · Generate the terms of service

# Terms of Service

**FinFlow, Inc.**  
**Effective Date:** June 11, 2026  
**Last Updated:** June 11, 2026

---

## 1. Agreement to Terms

These Terms of Service ("Terms") form a legally binding agreement between you ("User," "you," or "your") and FinFlow, Inc. ("FinFlow," "we," "us," or "our"), a Delaware corporation, governing your access to and use of the FinFlow personal finance dashboard and related services (collectively, the "Service").

**By creating an account or using the Service, you agree to these Terms.** If you do not agree, do not use the Service.

These Terms incorporate our […

The problem

When I'm about to launch my SaaS or mobile app, I want a complete, GDPR/CCPA-compliant privacy policy and terms of service generated from my product's data flows, so that I can ship legally without paying $1,000–$3,000 for a custom legal draft or $14/month forever for a generic subscription.

Cybernetic layers

Memorybyo

No harvested memory artifact for jurisdiction state. Store your data-flow brief and document versions in a project folder or Notion page — paste it back in if you run a revision session.

Backgroundgap

Legal docs need periodic refresh when regulations change or you add new features. No scheduled-refresh artifact exists in the library yet; set a calendar reminder every 6 months or when you ship a major data-handling change.

Harnessready

Claude Code is the runtime. Drop each skill into ~/.claude/skills/ and invoke by name. All steps run in a single session; the data-flow brief from step 1 can be pasted into each subsequent skill as context.

Click any step to see what fills it — and the ranked alternatives you can swap in.