DIY Privacy Compliance Path — Raxx v1 Launch Research

Status: research-only. This document does NOT constitute legal or tax advice. Before filing, acting, or making launch decisions based on this research, consult a privacy attorney (CCPA/GDPR specialist) licensed in California and familiar with GDPR controller obligations. The artifacts in this memo are starting points, not final documents. Last updated: 2026-05-11 UTC. Sources as of that date — verify freshness. Related: docs/legal/research/i18n-launch-language-research-2026-05-09.md

TL;DR

Raxx's profile — pre-revenue US SaaS, Stripe-mediated billing, no credit decisions, Quebec geo-blocked, EU customers via organic signup — almost certainly sits below the CCPA/CPRA applicability threshold today, making ADMT risk-assessment obligations inapplicable at v1. A well-configured Termly Pro+ policy ($180/yr), a self-drafted Article 30 RoPA, documented FCRA-out posture, and a one-page CPRA self-determination form get you to an honest "Tier A" launch in 1–2 days. Tier B (add a $1,000–$1,500 attorney review pass) is the right call the moment Raxx crosses $1M ARR or signs its first enterprise customer that issues a vendor questionnaire.

Section 1 — Privacy Policy Templates: Evaluated for Raxx's Profile

1.1 Profile Summary

Raxx's data-collection surface at v1:

Field	Category	Source	Sensitivity
Name, email	Identity / contact	Signup form	Standard
Billing address	Contact	Stripe	Standard
Payment card (last 4, brand)	Financial identifier	Stripe-tokenized; Raxx never sees raw PAN	Low (tokenized)
acquisition_source	Behavioral metadata	App-captured	Standard
customer_segment	Operator-assigned label	Console-set	Standard
payment_event_count	Aggregate count	Derived from Stripe events	Standard (see FCRA analysis, Section 4)
Strategy configuration data	User-generated content	App	Standard
IP address, browser/device	Usage / log data	Standard web	Standard
Cookies / session tokens	Technical	App	Standard

US + EU customers. Quebec geo-blocked at signup (confirmed per project_quebec_geoblock_decision.md). California customers present. No GLBA-covered brokerage account relationship — Raxx is the strategy layer; the user's broker (Alpaca-default) is the custodian.

1.2 Template Evaluation Matrix

Generator	CCPA/CPRA coverage	GDPR Art. 13/14 coverage	CPRA 2026 ADMT clauses	Custom data categories	Pricing (annual)	Verdict for Raxx
Termly Pro+	Strong. Built in US; covers CCPA, CPRA, VCDPA, CO CPA, CT CTDPA, and 28 state laws. Auto-updates as laws change.	Present; European attorney review claimed. Covers Art. 13/14 disclosure elements.	Yes — CPRA 2026 updates included in auto-update plan.	Yes — paid plans allow custom service/data-type insertion. Good for 6+ unusual fields.	$180/yr (Pro+, annual)	Best fit for US-first operator. Easiest CCPA/state law coverage. GDPR coverage is present but lighter than iubenda.
iubenda Advanced	Present; covers CCPA/CPRA US state laws.	Strongest GDPR coverage — EU attorneys review clauses; Schrems II transfer language; ePrivacy Directive. Over 1,500 customizable clauses.	Yes — CPRA updates included.	Yes — modular clause approach; 30+ services supported at Advanced tier.	~$336/yr (Advanced, $27.99/mo annual)	Best fit if EU customer base grows. More attorney-reviewed GDPR depth. More expensive. More configuration overhead.
GetTerms.io	Present; CCPA and GDPR template available.	Adequate — template-based, less modular.	Not confirmed — no explicit CPRA 2026 ADMT clause update policy found.	Moderate — basic custom field insertion.	~$49 one-time or subscription. Cheapest.	Acceptable for MVP. Less confidence on ongoing auto-update for regulatory changes.
PrivacyPolicies.com	CCPA/CPRA present.	GDPR wording present — adequate.	Not explicitly confirmed.	Moderate.	Free or low-cost tiers.	Usable but reputation is consumer-grade, not SaaS-grade. Not recommended as sole solution.
FreePrivacyPolicy.com	CCPA, GDPR, CalOPPA, COPPA present.	Present.	Not confirmed.	Limited.	Free tier / paid for downloads.	Consumer-grade. Enterprise customer vendor questionnaires will flag this. Not recommended for B2B SaaS.
IAPP sample templates	Enterprise-grade; attorney-drafted starting points. Available free to IAPP members; non-member fee for some.	Comprehensive; Article 30, DPIAs, Art. 13/14 notice — separate templates for each.	More current than consumer generators.	Requires manual customization — they are skeletons, not auto-generators.	IAPP membership ~$695/yr or templates sold individually ($50–$200).	Best for Tier B/C path. Use as skeleton for attorney-reviewed policy. Not a one-click solution.
GitHub community templates	Highly variable. Most popular (e.g., `nicholasnbg/privacy-policy`) are short and lack CCPA/CPRA depth.	Variable. 2018 EU-facing ones predate CPRA 2026 ADMT amendments.	Generally absent.	Yes — everything is manual.	Free.	Not appropriate as a sole source. Use as structural reference only.
Peer fintech (Robinhood, Acorns, M1, Wealthfront)	Robinhood: strong CCPA/GLBA overlay structure; Art. 6 GDPR-adjacent processing-purpose table. Note: they have GLBA coverage Raxx does not need at v1 (no brokerage custodian relationship).	Wealthfront and M1 both show clean GDPR section headers and data-category tables. Robinhood's Financial Privacy Notice (GLBA) is separate from its US Privacy Statement (CCPA).	Present in 2025+ versions.	All custom to their product. Steal structure, not text.	Free to read.	Use as structural model. Robinhood's 10-section format (Section 1.2 above) is a good skeleton. Do not copy text — different GLBA/FINRA posture.

1.3 Recommendation for Raxx v1

Termly Pro+ ($180/yr) is the right pick for a US-first launch:

Covers CCPA/CPRA and all US state privacy laws with auto-update.
GDPR Art. 13/14 coverage is present and adequate for initial EU users.
Allows custom data categories — covers all 9 fields in the profile table above.
Pro+ plan includes consent-management banner integration (needed for GDPR cookie law compliance).
Upgrade path: if EU customer base becomes material, migrate to iubenda Advanced or add attorney review pass.

Note: Termly's GDPR coverage is lighter than iubenda's attorney-reviewed EU clauses. For v1 with organic EU signups (no active EU marketing), this is acceptable. It becomes insufficient when Raxx actively markets to EU users — see Section 3.

Sources: - https://termly.io/pricing/ - https://cybernews.com/privacy-compliance-tools/termly-vs-iubenda/ - https://www.iubenda.com/en/pricing/ - https://getterms.io/

Section 2 — CCPA/CPRA Self-Determination

2.1 Does CCPA Apply to Raxx at v1?

The CCPA/CPRA applies to a for-profit business that does business in California AND meets at least one of three thresholds:

Annual global gross revenues exceed $26,625,000 (2026 CPI-adjusted threshold per CPPA)
Annually buys, sells, receives, or shares for commercial purposes the personal information of 100,000 or more California consumers or households
Derives 50% or more of annual revenues from selling or sharing consumers' personal information

Source: Cal. Civ. Code § 1798.140(d); CPPA CPI adjustment page https://cppa.ca.gov/regulations/cpi_adjustment.html

Raxx v1 self-determination:

Threshold	Raxx v1 status	In scope?
>$26.6M gross revenue	Pre-revenue at launch	No
>100K CA consumer records processed/sold/shared	Early-stage customer base; almost certainly under 100K at launch	No
>50% revenue from selling/sharing data	Raxx does not sell or share consumer data for revenue	No

Self-determination result: Raxx is almost certainly not a CCPA-covered business at v1. The operator should document this determination (see artifact: docs/legal/artifacts/cpra-threshold-self-determination.md).

Important caveat: Even non-covered businesses benefit from maintaining a privacy policy that reflects their actual practices. Misrepresentations in a published privacy policy (promising things you don't do, or not disclosing things you do) create FTC Section 5 unfair/deceptive practice exposure regardless of CCPA coverage. Source: FTC Act 15 U.S.C. § 45.

2.2 ADMT Risk Assessment — Is Raxx in Scope?

ADMT Definition (finalized CPRA regulations, effective 2026-01-01):

"Any technology that processes personal information and uses computation to replace or substantially replace human decision-making."

Source: CPPA Final Regulations (September 23, 2025) — https://cppa.ca.gov/regulations/ccpa_updates.html; Baker Botts analysis https://www.bakerbotts.com/thought-leadership/publications/2025/august/a-101-of-the-cppas-finalizes-rules-on-admt-risk-assessments-and-cybersecurity-audits

"Significant decisions" (the trigger for risk assessment):

ADMT risk assessment obligations apply when the technology makes significant decisions affecting consumers' access to: - Employment or independent contracting - Housing - Credit or lending - Health care services - Education enrollment

Raxx v1 ADMT analysis:

Architect v3 design choice: payment_event_count is displayed as raw counts to operators. No automated decision is made by Raxx's software from this count. Raxx is a strategy-execution platform — the human operator sets rules, Raxx executes them deterministically. The AI layer (per feedback_deterministic_execution_ai_augments.md) augments understanding, does not make autonomous decisions.

ADMT question	Raxx answer	In scope?
Does Raxx software replace human decision-making?	No — execution is rule-based; operator sets all rules	No
Does Raxx make decisions about employment, housing, credit, health care, or education?	No — Raxx is a trading strategy SaaS	No
Does Raxx process personal information to infer sensitive traits?	No	No
Does Raxx use machine learning that substantially replaces a human decision?	No — backtesting is retrospective; signal output is informational, not a decision	No

Self-determination result: Raxx does not use ADMT as defined, and does not make significant decisions as defined. ADMT risk assessment obligations are not triggered.

Compliance dates (for future reference if product evolves):

Risk assessments: required effective 2026-01-01 for covered businesses
ADMT consumer rights (opt-out, notice): required effective 2027-01-01
First CPPA attestation filing: April 1, 2028

Source: Wiley Law alert https://www.wiley.law/alert-California-Finalizes-Pivotal-CCPA-Regulations-on-AI-Cyber-Audits-and-Risk-Governance; Morgan Lewis https://www.morganlewis.com/pubs/2025/08/cppa-board-finalizes-new-rules-on-admt-cybersecurity-audits-and-risk-assessments

2.3 Enforcement Exposure Under CCPA/CPRA

For a non-covered business that voluntarily publishes a privacy policy and misrepresents its practices:

Primary risk is FTC Section 5, not CCPA: FTC has broad authority to act against deceptive practices in any US business. Publishing a privacy policy and failing to honor it is an FTC target regardless of CCPA coverage.
CCPA AG/CPPA enforcement: Only for covered businesses. AG can impose $2,500/violation for unintentional violations; $7,500/violation for intentional violations. Per violation means per consumer × violation, making a systemic failure extremely expensive.
CCPA Private Right of Action: Limited to data security breaches under Cal. Civ. Code § 1798.150. Statutory damages $100–$750 per consumer per incident. No actual harm required. For a pre-revenue startup, a breach affecting even 1,000 customers = $100,000–$750,000 potential exposure from private suit alone.

Sources: - https://www.cookieyes.com/blog/ccpa-fines/ - https://termly.io/resources/articles/ccpa-private-right-of-action/ - https://www.skadden.com/insights/publications/2025/04/district-court-rulings-could-signal-expansion

3.1 Applicability

GDPR applies to Raxx because Raxx "processes personal data of data subjects who are in the Union" regardless of where Raxx is established. Source: GDPR Article 3(2) — https://gdpr-info.eu/art-3-gdpr/

This is not optional or threshold-dependent. One EU customer = GDPR applies.

3.2 Article 30 — Records of Processing Activities (RoPA)

Can Raxx self-draft a RoPA? Yes. GDPR Article 30(3) requires records "in written form, including electronic form." No specific template is mandated. The ICO explicitly states: "You don't have to use our template." — https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/documentation/how-do-we-document-our-processing-activities/

250-employee exemption: GDPR Article 30(5) provides an exemption for organizations with fewer than 250 employees UNLESS the processing: - Is not occasional, - Could result in a risk to rights/freedoms, or - Includes special category data (Article 9) or criminal conviction data (Article 10).

Raxx's processing of strategy-configuration data and billing data is ongoing (not occasional), so the exemption likely does not apply. Best practice is to maintain a RoPA regardless. Source: https://gdpr-info.eu/art-30-gdpr/

Mandatory fields for a controller RoPA:

Name and contact details of the controller (and representative/DPO where applicable)
Processing purposes
Categories of data subjects and personal data
Categories of recipients (including third-country recipients)
Third-country transfers and applicable safeguards
Anticipated retention/erasure timeframes (where feasible)
Description of technical and organizational security measures

The pre-populated Raxx RoPA template is in docs/legal/artifacts/ropa-template.md.

Sources: - https://gdpr-info.eu/art-30-gdpr/ - https://practical-gdpr.com/ico-ropa-template-records-of-processing-activities/ (ICO template walkthrough) - ICO direct template download: https://ico.org.uk/media2/migrated/2553993/dpia-template.docx

3.3 DPIA — When Required

GDPR Article 35 requires a DPIA when processing "is likely to result in a high risk to the rights and freedoms of natural persons." The supervisory authority must be consulted if DPIA identifies a high risk that cannot be mitigated.

The ICO identifies nine criteria — any two present triggers a DPIA:

Evaluation or scoring (including profiling)
Automated decision-making with legal/significant effect
Systematic monitoring
Sensitive data processing
Large-scale processing
Matching/combining datasets
Vulnerable data subjects
Innovative technology
Cross-border transfer preventing rights exercise

Raxx v1 DPIA analysis:

Criterion	Raxx v1	Present?
Evaluation/scoring (profiling)	payment_event_count is raw count display; no scoring	No
Automated decisions with legal effect	No autonomous decisions	No
Systematic monitoring	Strategy performance monitoring — of the user's own trades, not of third parties	Borderline — discuss with attorney
Sensitive data	Financial data (not special-category sensitive under Art. 9)	No
Large-scale processing	Pre-revenue startup; not large-scale	No
Matching/combining datasets	No cross-dataset combination	No
Vulnerable data subjects	General population	No
Innovative technology	Standard cloud SaaS	No
Cross-border transfer	US server serving EU users — this alone may trigger, per some DPA guidance	Discuss with attorney

Preliminary finding: Raxx v1 likely does not require a DPIA. The cross-border transfer criterion is the edge case — some DPAs treat any US-hosted service receiving EU personal data as meeting this criterion. This is the question to ask a GDPR attorney.

Self-drafted DPIAs are acceptable. ICO publishes a free template: https://ico.org.uk/media2/migrated/2553993/dpia-template.docx. GDPR.eu publishes another: https://gdpr.eu/wp-content/uploads/2019/03/dpia-template-v1.pdf

Sources: - https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/when-do-we-need-to-do-a-dpia/ - https://gdpr-info.eu/art-35-gdpr/ - https://gdpr.eu/data-protection-impact-assessment-template/

3.4 Article 13/14 Privacy Notice — Required Disclosure Phrasing

GDPR Article 13 mandates the following disclosures at time of data collection (direct collection from the subject):

Paragraph 1 — Mandatory initial disclosures:

Identity and contact details of the controller (and representative if applicable)
Contact details of DPO (if applicable — Raxx v1 likely does not require a DPO under Art. 37)
Purposes of processing and legal basis for each purpose
If legitimate interests (Art. 6(1)(f)): the specific legitimate interests pursued
Recipients or categories of recipients
Transfers to third countries and applicable safeguards

Paragraph 2 — Additional fair-processing information:

Retention period or criteria for determining it
Rights: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), object (Art. 21)
Right to withdraw consent (if processing is consent-based)
Right to lodge complaint with a supervisory authority
Whether provision of personal data is a statutory/contractual requirement; consequences of non-provision
Automated decision-making information (Art. 22) — if applicable

Source: https://gdpr-info.eu/art-13-gdpr/; https://gdpr.eu/privacy-notice/

DPO requirement (Art. 37): DPO mandatory for public authorities, those whose core activity requires large-scale systematic monitoring, or those who process special-category data at large scale. Raxx v1 does not meet any of these. DPO not required. Confirm with GDPR attorney.

3.5 Lead Supervisory Authority — US-Domiciled Company

For a US company with no EU establishment, the GDPR's "main establishment" lead-authority rule does not apply cleanly. The result:

Each EU member state DPA where Raxx has data subjects has theoretical jurisdiction.
In practice, for a US-based startup with organic EU users, the Irish DPC (Data Protection Commission) is the most common point of contact for US tech companies, but only if Raxx has or establishes an EU representative or some EU presence.
EU Representative (Art. 27): Any controller/processor subject to GDPR but not established in the EU must designate a written representative in a member state where data subjects reside. This is mandatory for non-EU entities processing EU data — unless processing is occasional, low-risk, and does not involve special-category data or criminal records.

Raxx v1 Art. 27 analysis: Raxx's processing of EU user data is ongoing (subscription SaaS), which likely disqualifies the "occasional" exemption. An EU representative should be designated. Several services offer Art. 27 representative services for small companies at ~$50–$300/yr (e.g., VeraSafe, DataRep). This is not an attorney requirement — it is a service you can procure directly.

Sources: - https://iapp.org/news/a/is-it-possible-to-choose-your-lead-supervisory-authority-under-the-gdpr - https://gdpr-info.eu/art-27-gdpr/ - https://www.goodwinprivacyblog.com/2023/05/05/new-edpb-guidelines-on-designation-of-a-lead-supervisory-authority/

Section 4 — FCRA-Adjacent: FCRA-Out Posture Documentation

4.1 The Statutory Framework

15 U.S.C. § 1681a(d)(1) — "Consumer report" definition (FCRA):

"any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for—(A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under section 1681b"

Source: https://www.law.cornell.edu/uscode/text/15/1681a

15 U.S.C. § 1681a(f) — "Consumer reporting agency" definition (FCRA):

"any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports."

12 CFR § 1002.2(l) — "Creditor" definition (ECOA Regulation B):

"a person who, in the ordinary course of business, regularly participates in a credit decision, including setting the terms of the credit."

Source: https://www.law.cornell.edu/cfr/text/12/1002.2

4.2 FCRA-Out Analysis for Raxx

Raxx's FCRA-out position rests on three independent elements, each of which independently breaks the FCRA chain:

Element 1 — Raxx is not a "consumer reporting agency."

Raxx does not assemble or evaluate consumer credit information for the purpose of furnishing consumer reports to third parties. Raxx stores payment_event_counts for internal operator visibility only — it does not furnish this data to any third party for credit, insurance, employment, or any other FCRA-enumerated purpose. The data is never sold, shared, or transmitted to a third party as an input to their decision about a consumer's eligibility.

Element 2 — payment_event_count is not a "consumer report."

A "consumer report" requires (a) communication by a consumer reporting agency (b) bearing on creditworthiness/credit standing/etc. (c) used for an enumerated FCRA purpose. Raxx's payment_event_count display does not satisfy (a) or (c):

The count is not communicated to any third party for credit/insurance/employment decisions — it is displayed to the operator (Raxx itself, or the business entity running the console) to inform their SaaS subscription management.
15 U.S.C. § 1681a(d)(2)(A) explicitly excludes from the definition of "consumer report": "any report containing information solely as to transactions or experiences between the consumer and the person making the report." Raxx's payment event counts are precisely "transactions or experiences between the consumer [the subscriber] and the person making the report [Raxx]." This is the first-party transaction exclusion.

Element 3 — Raxx is not a "creditor" under ECOA.

Raxx sells SaaS subscriptions. It does not extend credit, defer payment as an ordinary course of business, or regularly participate in credit decisions. ECOA and Regulation B apply to creditors — entities that regularly grant the right to defer payment of debt. A subscription SaaS charged via Stripe at point-of-sale is not a credit transaction. Raxx is not a creditor.

4.3 Documentation to Retain for CFPB/FTC Inquiry

The following documentation should be created and retained. The FCRA-out one-pager template is in docs/legal/artifacts/fcra-out-posture.md.

Architectural decision record (ADR): Document the decision to store payment_event_count as a raw counter, not as an aggregated credit score or consumer report. Record who decided this, when, and why. Cross-reference architect v3 design notes.
Data-flow diagram: Show that payment_event_count flows from Stripe webhook → internal DB → operator console display only. No third-party data furnishing.
Vendor contracts: Stripe's processing agreement governs Stripe's data handling. Raxx's role is Stripe customer (data processor for payment-processing purposes) — not a credit reporter.
This FCRA-out memo: Keep as internal compliance documentation. Date it, sign it (operator signature), retain it. If CFPB ever asks, "good-faith reliance on a written legal analysis" is a mitigating factor even if the analysis is not attorney-authored.
Privacy policy disclosure: The privacy policy must accurately describe payment data handling — including that Raxx collects payment event data for subscription management purposes only, does not furnish it to credit bureaus or third parties, and does not use it for credit decisions.

Sources: - https://www.ftc.gov/system/files/documents/statutes/fair-credit-reporting-act/545a_fair-credit-reporting-act-0918.pdf - https://www.consumerfinance.gov/rules-policy/regulations/1002/2/ - https://www.orrick.com/en/Insights/2022/08/What-Fintech-Companies-Need-to-Know-About-GLBA-and-FCRA-Exemptions-Under-State-Data-Protection-Laws

Section 5 — Hard Limits: Where DIY Breaks

This section is honest about what the templates and self-determination above cannot accomplish.

5.1 What Termly/Self-Drafted Cannot Deliver

Gap	Why it matters	Risk if unaddressed
Standard Contractual Clauses (SCCs) for EU data transfers	Schrems II (CJEU, 2020) invalidated Privacy Shield; US companies receiving EU personal data now need SCCs or other Transfer Impact Assessment (TIA) mechanism. Termly mentions SCCs but does not generate them for you — you need the 2021 EU Commission SCC modules and to execute them with your data processors.	GDPR enforcement action by EU DPA; fine up to 4% of global annual turnover.
GDPR Data Processing Agreements (DPAs) with vendors	GDPR Art. 28 requires a written DPA with every processor who handles personal data on Raxx's behalf (Stripe, Heroku, Sentry, Postmark, etc.). Most major vendors offer standard DPAs — you just need to execute them. Termly does not do this for you.	Art. 28 violation; DPA enforcement.
EU Representative designation (Art. 27)	Required for non-EU controllers; not optional if processing is not occasional. Termly does not provide this service.	Regulatory fine; inability to demonstrate GDPR compliance to DPAs.
State-specific CCPA notice obligations if you become covered	If Raxx crosses 100K CA records or $26.6M revenue, the full CCPA compliance obligation kicks in — including "Do Not Sell" infrastructure, consumer request handling (45-day response), and consent management. Termly has the banner, but the backend request-handling process must be built.	CPPA enforcement; $2,500/violation/consumer.
Attorney-reviewed terms of service	ToS governs the operator-customer relationship, limitation of liability, indemnification, and governing law. A Termly-generated privacy policy does not substitute for a ToS.	Contract disputes; inability to enforce limitation of liability; exposure on class actions.
Enterprise vendor questionnaires	At some ARR threshold (typically $100K–$500K ARR or first enterprise customer), customers issue security questionnaires and request SOC 2 compliance, attorney-reviewed privacy policies, and written DPAs. A Termly policy will not pass enterprise vendor due diligence.	Lost enterprise deals.
FCRA legal opinion letter	The FCRA-out analysis above is research, not a legal opinion. If CFPB opens an inquiry, an attorney-authored opinion letter (citing the same statutory provisions) carries significantly more weight than an internal memo.	Without opinion letter, CFPB inquiry resolution takes longer and is more expensive.
Investment adviser registration question	Per `docs/legal/research/ai-strategy-execution-risks-2026-04-29.md`, the SEC investment adviser question is open. If Raxx is a registered investment adviser, GLBA applies to it — not just CCPA. GLBA has different privacy-notice requirements (Reg P). This is not a DIY determination.	SEC/FINRA enforcement; regulatory action.

5.2 The Worst-Case DIY Scenario

If Raxx self-drafts, self-determines CCPA out-of-scope, and turns out to be wrong:

CCPA scenario (if covered): - First enforcement is typically a notice-to-cure letter from the CPPA (AG discretion, cure period now discretionary post-CPRA). First-offense warning letters before civil penalty have been the historical pattern for small businesses. - Civil penalties: $2,500/unintentional violation; $7,500/intentional. "Per violation" interpreted as per-consumer in some enforcement actions. 1,000 consumers × $2,500 = $2.5M theoretical maximum. Actual CPPA enforcement against small pre-revenue startups: no published case of this magnitude against a sub-10-employee company. - CCPA data-breach private right of action: $100–$750/consumer. A breach affecting 5,000 users = $500K–$3.75M exposure. This is the realistic near-term risk — not CPPA enforcement, but data-security breach class action.

GDPR scenario: - GDPR fines: up to €20M or 4% of global annual turnover (whichever is greater) for serious violations. - For a pre-revenue startup, 4% of turnover ≈ 4% of $0 = technically $0, but DPAs can issue minimum-floor fines even below the percentage threshold. Dutch DPA fined TikTok €750K. Irish DPC issued Meta a €1.2B fine. - Practical risk for a sub-$1M ARR US startup: most DPAs prioritize large controllers. The realistic risk is a DPA complaint from a single EU user → remediation demand → potential nominal fine. Reputational damage (public enforcement decision) is the bigger practical risk. - The GDPR gap that kills startups is not the fine — it is the enterprise customer who reads your privacy policy, finds no SCCs and no Art. 27 representative, and blocks the deal.

FCRA/ECOA scenario: - CFPB has not pursued FCRA actions against small SaaS companies for internal payment-event tracking. The risk is low but non-zero. CFPB civil penalty: up to $5,000/day for violations (15 U.S.C. § 1681s). Attorney consultation (not full engagement) is appropriate before reaching significant customer scale.

Sources: - https://captaincompliance.com/education/ccpa-fines/ - https://www.skadden.com/insights/publications/2025/04/district-court-rulings-could-signal-expansion - https://iapp.org/news/a/top-10-operational-impacts-of-the-cpra-part-10-enforcement-and-potential-penalties

Section 6 — Recommendation: Tier Matrix

This section expresses the BLR agent's honest assessment. It is not legal advice.

6.1 Tier Definitions

Tier	Approach	Time to v1 launch	Cost	Residual risk
Tier A — Maximum DIY	Termly Pro+ generated policy + self-drafted RoPA (see artifact) + self-determined CPRA out-of-scope (see artifact) + documented FCRA-out posture (see artifact) + EU Art. 27 representative service ($100–$300/yr) + execute vendor DPAs with Stripe/Heroku/Sentry/Postmark (free — they provide standard forms)	1–2 days	~$280–$480 first year	Real but moderate. CCPA/CPRA almost certainly not triggered. GDPR SCC gap is the most material remaining exposure. Data-breach private action risk is a function of security posture, not policy text.
Tier B — Hybrid	Tier A artifacts above + flat-fee privacy attorney review pass (policy review only, not full engagement) from a boutique privacy firm	4–5 days (incl. 2-day attorney turnaround)	~$1,200–$2,500 one-time + $180/yr Termly	Low. Attorney can bless FCRA-out posture, confirm GDPR SCC path, flag any CA-specific issues. Does not fully address enterprise due-diligence gap but substantially mitigates regulatory exposure.
Tier C — Full engagement	Privacy attorney engagement: full policy drafting, SCC execution, CCPA compliance program, DPIA, FCRA opinion letter, Art. 27 representative selection. Per prior BLR memo.	1–2 weeks minimum	$5,000–$15,000 initial + ongoing	Minimal. Satisfies enterprise due diligence. Provides defensible record for regulatory inquiries.

6.2 Honest Assessment

For v1 launch in 12 days (2026-05-23 UTC): Tier A is viable. Here is the honest case:

Raxx at v1 is almost certainly not a CCPA-covered business. GDPR applies but the practical enforcement risk for a pre-revenue US SaaS with organic EU users is low — DPAs prioritize large controllers. The FCRA-out analysis is clean. The biggest practical risk is not a regulatory fine — it is a data-security breach that triggers CCPA's private right of action. That risk is addressed by security posture (encryption, access controls, audit logging from the security agent's work), not by policy text.

The one item Tier A misses that matters most: SCCs with EU processors and Raxx's own Art. 27 EU representative. Both can be addressed in Tier A time with minimal cost:

SCCs: Execute the 2021 EU Commission Module 2 SCCs (Controller-to-Processor) with Stripe, Heroku, Sentry, Postmark. Stripe, Heroku (Salesforce), and Sentry all provide pre-signed DPAs with SCCs built in — go to each vendor's legal/privacy portal and complete the DPA execution. Time: 2–4 hours.
Art. 27 representative: Procure from VeraSafe (https://verasafe.com/public-resources/discuss-data-protection/) or DataRep at ~$50–$300/yr. Time: 30 minutes.

Upgrade trigger: Move to Tier B the moment any of the following occur: - First enterprise customer ($10K+ ARR deal or SOC 2 questionnaire) - Raxx reaches $500K ARR - Any CPPA/GDPR inquiry or complaint from a user - The SEC investment-adviser registration question is resolved as "yes, you are an RIA" (which triggers GLBA/Reg P)

BLR recommendation: Tier A for v1, Tier B at first enterprise deal or $500K ARR.

Section 7 — Resources List

Resource	URL	Cost	License / Terms
Termly Pro+	`https://termly.io/pricing/`	$180/yr	Subscription; policy hosted or exportable. Attribution-free on Pro+.
iubenda Advanced	`https://www.iubenda.com/en/pricing/`	~$336/yr	Subscription; attorney-reviewed clauses.
GetTerms.io	`https://getterms.io/`	Free / $49 one-time	One-time or subscription; GDPR template available.
GDPR.eu Privacy Notice Template	`https://gdpr.eu/privacy-notice/`	Free	Open use; maintained by Proton AG with EU attorney input.
ICO RoPA Guidance	`https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/documentation/how-do-we-document-our-processing-activities/`	Free	UK government Crown Copyright; freely reusable.
ICO DPIA Template	`https://ico.org.uk/media2/migrated/2553993/dpia-template.docx`	Free	Crown Copyright; freely reusable.
GDPR.eu DPIA Template	`https://gdpr.eu/wp-content/uploads/2019/03/dpia-template-v1.pdf`	Free	Open use.
GDPR Article 30 full text	`https://gdpr-info.eu/art-30-gdpr/`	Free	Reference only; primary source is EUR-Lex.
GDPR Article 13 full text	`https://gdpr-info.eu/art-13-gdpr/`	Free	Reference only.
EU 2021 SCCs (Module 2 — C2P)	`https://commission.europa.eu/publications/standard-contractual-clauses-controllers-and-processors_en`	Free	EU Commission; freely executable.
FCRA full text (FTC PDF)	`https://www.ftc.gov/system/files/documents/statutes/fair-credit-reporting-act/545a_fair-credit-reporting-act-0918.pdf`	Free	US government public domain.
ECOA Regulation B (12 CFR 1002)	`https://www.ecfr.gov/current/title-12/chapter-X/part-1002`	Free	US government public domain.
CPPA CCPA regulations page	`https://cppa.ca.gov/regulations/ccpa_updates.html`	Free	CA government public.
CPPA CPI threshold adjustment	`https://cppa.ca.gov/regulations/cpi_adjustment.html`	Free	CA government public.
LII 15 USC 1681a (FCRA)	`https://www.law.cornell.edu/uscode/text/15/1681a`	Free	Cornell LII; secondary source for primary US statute.
VeraSafe Art. 27 EU Representative	`https://verasafe.com/public-resources/discuss-data-protection/`	~$50–$300/yr	Service contract.
IAPP Privacy Policy Resources	`https://iapp.org/resources/`	IAPP membership ~$695/yr or pay-per-resource	Professional association; templates are attorney-influenced.
Robinhood US Privacy Statement (structural model)	`https://robinhood.com/us/en/support/articles/rh-financial-entities-privacy-statement/`	Free	Do not copy text — GLBA overlay. Structural reference only.

Section 8 — Timing and Deadlines

Item	Deadline	Notes
Privacy policy live at launch	2026-05-23 UTC	Must be accessible before first customer signup.
GDPR Art. 27 EU Representative	Before first EU customer	Mandatory for ongoing processing of EU data. Procure from VeraSafe or DataRep — 30 min.
Vendor DPAs (Stripe, Heroku, Sentry, Postmark)	Before first EU customer	Execute standard DPAs from each vendor's privacy portal. 2–4 hours total.
CPRA self-determination form	Before launch	Sign, date, file in company records. See artifact.
FCRA-out posture one-pager	Before launch	Sign, date, file. See artifact.
RoPA initial version	Before first EU customer	Can be updated as processing evolves. See artifact.
CCPA coverage re-check	At $1M ARR or 10K CA customers (whichever first)	Re-evaluate applicability thresholds.
ADMT re-evaluation	If AI layer evolves to make autonomous recommendations	If product roadmap adds AI-driven decision suggestions, re-evaluate ADMT scope.
Tier B upgrade trigger	At first enterprise deal or $500K ARR	Commission attorney review pass.
SEC RIA determination	Per prior BLR research — open question	If Raxx is an RIA, GLBA/Reg P applies — different notice requirements.

Questions for Attorney

(See also docs/business/questions-for-attorney.md)

SCCs and transfer mechanism: Do the 2021 EU Commission Module 2 SCCs (executed with Stripe/Heroku/Sentry/Postmark) provide adequate transfer mechanism for Raxx's EU data subjects? Is a Transfer Impact Assessment (TIA) also required?
Art. 27 EU Representative scope: Is a VeraSafe or DataRep EU representative sufficient for a startup at Raxx's scale, or does the representative need to be in a specific member state based on where EU users are concentrated?
DPIA cross-border-transfer criterion: Does Raxx's cross-border transfer of EU personal data to a US-hosted server independently trigger a DPIA obligation, even absent other high-risk criteria?
DPO requirement edge case: Is there any argument that Raxx's processing of financial/strategy data for EU users constitutes "large-scale systematic monitoring" triggering a DPO requirement?
SEC RIA status: Does Raxx's backtesting + signal layer constitute "investment advice" under the Investment Advisers Act 1940? (Prior BLR memo flags this as open. If yes: GLBA/Reg P privacy-notice requirements apply instead of/alongside CCPA/GDPR.)
FCRA opinion letter: For a flat fee, will the attorney author a short FCRA-out opinion letter blessing the three-element analysis in Section 4 of this memo?
California-specific: Is there any CalOPPA, CPPA, or other CA-specific privacy obligation that applies to Raxx below the CCPA coverage threshold?

Questions for CPA

(See also docs/business/questions-for-cpa.md)

GLBA/Reg P applicability: If Raxx is determined to be a "financial institution" under GLBA (which FCRA-adjacent operations sometimes trigger), what are the Regulation P annual privacy-notice requirements and how do they interact with the Termly-generated CCPA policy?

Sources

https://cppa.ca.gov/regulations/ccpa_updates.html — CPPA CCPA/CPRA regulations page
https://cppa.ca.gov/regulations/cpi_adjustment.html — CPPA CPI threshold adjustments
https://www.wiley.law/alert-California-Finalizes-Pivotal-CCPA-Regulations-on-AI-Cyber-Audits-and-Risk-Governance
https://www.bakerbotts.com/thought-leadership/publications/2025/august/a-101-of-the-cppas-finalizes-rules-on-admt-risk-assessments-and-cybersecurity-audits
https://www.morganlewis.com/pubs/2025/08/cppa-board-finalizes-new-rules-on-admt-cybersecurity-audits-and-risk-assessments
https://www.skadden.com/insights/publications/2025/10/california-finalizes-cppa-regulations
https://www.law.cornell.edu/uscode/text/15/1681a — FCRA 15 USC 1681a
https://www.ftc.gov/system/files/documents/statutes/fair-credit-reporting-act/545a_fair-credit-reporting-act-0918.pdf
https://www.law.cornell.edu/cfr/text/12/1002.2 — ECOA Regulation B 12 CFR 1002.2
https://www.consumerfinance.gov/rules-policy/regulations/1002/2/ — CFPB ECOA definitions
https://gdpr-info.eu/art-13-gdpr/ — GDPR Article 13
https://gdpr-info.eu/art-30-gdpr/ — GDPR Article 30
https://gdpr-info.eu/art-35-gdpr/ — GDPR Article 35 (DPIA)
https://gdpr.eu/privacy-notice/ — GDPR.eu privacy notice template
https://gdpr.eu/data-protection-impact-assessment-template/
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/documentation/how-do-we-document-our-processing-activities/
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/when-do-we-need-to-do-a-dpia/
https://practical-gdpr.com/ico-ropa-template-records-of-processing-activities/
https://iapp.org/news/a/is-it-possible-to-choose-your-lead-supervisory-authority-under-the-gdpr
https://www.goodwinprivacyblog.com/2023/05/05/new-edpb-guidelines-on-designation-of-a-lead-supervisory-authority/
https://termly.io/pricing/
https://cybernews.com/privacy-compliance-tools/termly-vs-iubenda/
https://www.iubenda.com/en/pricing/
https://iapp.org/news/a/top-10-operational-impacts-of-the-cpra-part-10-enforcement-and-potential-penalties
https://captaincompliance.com/education/ccpa-fines/
https://www.cookieyes.com/blog/ccpa-fines/
https://termly.io/resources/articles/ccpa-private-right-of-action/
https://www.skadden.com/insights/publications/2025/04/district-court-rulings-could-signal-expansion
https://www.orrick.com/en/Insights/2022/08/What-Fintech-Companies-Need-to-Know-About-GLBA-and-FCRA-Exemptions-Under-State-Data-Protection-Laws
https://commission.europa.eu/publications/standard-contractual-clauses-controllers-and-processors_en
https://verasafe.com/public-resources/discuss-data-protection/
https://robinhood.com/us/en/support/articles/rh-financial-entities-privacy-statement/