Does this replace a lawyer?

No. It is a first-pass heuristic that flags AI topics commonly missing from older privacy policies. Use the output as a checklist to discuss with qualified counsel before publishing changes.

How does the analyzer detect a gap?

It looks for keywords and phrases that signal each required topic, such as "automated decision", "human review", "sub-processor", and "training". If none are found for a topic, it reports that area as a likely gap.

Is my policy text sent anywhere?

No. All matching runs in your browser with JavaScript. Nothing is uploaded, stored, or logged, so you can safely paste a draft policy.

Which regulations does this cover?

The checks map mostly to GDPR and UK GDPR expectations around automated decision-making (Article 22), transparency, and processor disclosure, plus emerging AI-transparency norms. They are a general guide, not jurisdiction-specific legal advice.

What if a topic is mentioned but vaguely?

Keyword matching cannot judge sufficiency. A topic marked "present" may still be too thin to meet regulatory standards, so treat "found" as "mentioned somewhere", not "adequate".

AI Privacy Policy Gap Analyzer

AI privacy policy gap analyzer

Most privacy policies were written before generative AI entered the workflow. If your product now sends user data to an LLM provider, makes automated decisions, or contributes to model training, your policy probably has blind spots. This tool scans your existing policy text for the AI-specific topics regulators increasingly expect and flags which ones appear to be missing.

How it works

Paste the full policy text and the analyzer runs keyword and phrase matching for a set of AI-relevant disclosures: automated decision-making and profiling, the right to human review, AI sub-processors and subprocessor lists, AI training data use, data retention by AI vendors, and a contact route for AI-related requests. For each topic it reports whether matching language was found, and if not, it explains why the topic matters and offers starter wording. All processing happens locally in your browser — the text never leaves your machine.

Tips and notes

“Found” means mentioned, not adequate. A single passing keyword does not guarantee the clause is sufficient; read the relevant section before relying on it.
Update after every AI integration. Adding a new LLM vendor is a sub-processor change and usually needs a policy and changelog update.
Pair with a subprocessor register. Regulators expect a maintained list of who processes data, including AI APIs.
Get legal sign-off. This is a triage checklist, not a substitute for qualified data-protection advice.