Paste your URL. In about 60 seconds we flag patterns that could lead to lawsuits, fines, or code you may not own — and give you a one-line fix to paste into Cursor or Claude.
Can it get you sued? In 2025 alone, 3,117 ADA website-accessibility lawsuits were filed in US federal courts. The most-cited problems: missing form labels, low color contrast, and images without alt text. We find every instance in your app.
Could it get you fined? If you have EU users and any tracking pixel — Meta, Google, TikTok — loads before they click “Accept,” that may be a GDPR violation. We watch every network call your app makes on first load.
Do you own the code? Per the US Copyright Office (January 2025), code only an AI wrote may not be copyrightable. Worse: AI sometimes copies open-source code in ways that could force you to release your own code. We scan your bundle for both signals.
Are you allowed to operate? If you built an AI legal tool, therapist, or financial advisor, your vertical has its own enforcement record — UPL prosecutions against AI legal products, FTC settlements against mental-health apps ($7.8M BetterHelp, $5.1M Cerebral), SEC Marketing Rule actions against “AI advisors.” We detect the language and missing disclaimers that triggered them.
Is your data leaking? Public storage buckets, API endpoints returning bulk user data, missing security headers — these are the patterns that trigger breach-notification laws when something goes wrong. We check your app the way an acquirer’s diligence team would.
# What we saw when your page loaded:
GET connect.facebook.net/fbevents.js [200]
POST facebook.com/tr/?ev=PageView [200]
↳ a hashed user id was sent to Meta
─── your cookie banner appeared 2.4s later ───

# Don't load Facebook's tracker until users agree

The tracker is loading in app/layout.tsx no matter what. Wait for consent first:

1. Replace `<Script>` with a component that checks `useConsent().marketing` first.
2. Default marketing consent to false.
3. Re-scan; the warning should disappear.
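What the three steps above amount to in code, as an added example that is not part of the page or its scanner: a framework-agnostic consent gate that defaults marketing consent to false and keeps third-party loaders queued until the user accepts, plus the "before" (pixel installed unconditionally at layout mount) and "after" (pixel registered through the gate) first-load paths side by side. The same gate is the piece that makes a cookie banner actually block tracking and analytics until consent, rather than just display. The `useConsent()` hook the fix mentions is assumed to be a thin wrapper that reads `gate.state()`; it is not shown. The network is simulated so the example runs offline, and the two request URLs are the ones the scan output above attributes to Meta's pixel.

```javascript
// Added example (not the page's or any project's code): a consent gate that
// keeps third-party tracker loaders queued until their category is granted.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

function createConsentGate(initial = {}) {
  // Only strictly necessary scripts run before the user has chosen. `initial`
  // lets a persisted choice from an earlier visit be restored on reload.
  const state = { necessary: true, analytics: false, marketing: false, ...initial };
  let queue = [];   // loaders waiting on a category that is not yet granted
  const log = [];   // every loader that actually ran, in order

  function run(entry) {
    entry.load();
    log.push({ name: entry.name, category: entry.category });
  }

  return {
    // Register a tracker. It runs now only if its category is already granted;
    // otherwise it waits for grant() or is discarded by deny().
    register(category, name, load) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown consent category: ${category}`);
      const entry = { category, name, load };
      if (state[category]) run(entry); else queue.push(entry);
    },
    // Banner "Accept" handler: mark categories granted, flush their queue in order.
    grant(categories) {
      for (const c of categories) state[c] = true;
      const ready = queue.filter((e) => state[e.category]);
      queue = queue.filter((e) => !state[e.category]);
      ready.forEach(run);
    },
    // Banner "Reject" handler: drop queued loaders for those categories unrun.
    deny(categories) {
      for (const c of categories) state[c] = false;
      queue = queue.filter((e) => !categories.includes(e.category));
    },
    state: () => ({ ...state }),
    pending: () => queue.map((e) => e.name),
    ran: () => log.map((e) => e.name),
  };
}

// Simulated network so the example runs offline; real code injects <script> tags.
function makeNetwork() {
  const calls = [];
  return { calls, request(method, url) { calls.push(`${method} ${url}`); } };
}

// The two requests the scan output above attributes to Meta's pixel.
function installMetaPixel(net) {
  net.request('GET', 'connect.facebook.net/fbevents.js');
  net.request('POST', 'facebook.com/tr/?ev=PageView');
}

// "Before": the pixel is installed unconditionally when the layout mounts,
// so both requests are on the wire before any banner exists.
function firstLoadUngated() {
  const net = makeNetwork();
  installMetaPixel(net);
  return net.calls;
}

// "After": the same pixel registered through the gate. `choice` is what the
// user does with the banner: 'accept', 'reject', or undefined (ignores it).
function firstLoadGated(choice) {
  const net = makeNetwork();
  const gate = createConsentGate();
  gate.register('marketing', 'meta-pixel', () => installMetaPixel(net));
  const beforeBanner = net.calls.length;   // what fired before the user chose
  if (choice === 'accept') gate.grant(['marketing']);
  if (choice === 'reject') gate.deny(['marketing']);
  return { beforeBanner, afterChoice: net.calls.length, pending: gate.pending(), ran: gate.ran() };
}
```

The check a re-scan performs is the `beforeBanner` count: it must be zero for every marketing or analytics loader, and a user who closes the tab without choosing must leave the loader pending rather than fired.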
Plain-English explainers with primary sources. Built to hand to a non-lawyer founder.
Open-source licenses range from "use freely, even commercially" to "if you ship this on the network, your entire app's source must be public." AI coding tools reproduce code from all of them with no license headers attached. The license obligations travel with the code anyway. This is the cheat sheet you can reference when something flags in a scan or shows up unexpectedly in a dependency tree.
An SBOM is a machine-readable inventory of every software component in your application — direct dependencies, transitive dependencies, versions, licenses, suppliers. Procurement teams at large enterprises and the US federal government now require them; the EU's Cyber Resilience Act will require them for products sold in the EU starting late 2027. The good news: generating one for a JS or Python app takes minutes with the right tool.
If you vibe-coded a tool that drafts contracts, files small-claims paperwork, or answers legal questions, the question isn't whether UPL law applies to you — it's whether you've crossed the line your state's bar uses to decide. Here's the actual test, the language that gets investigated, and the mitigations the legal-tech category has converged on.
Mental-health software has a regulatory stack that's deeper than founders usually realise. State psychology licensing boards police diagnosis and treatment claims. The FTC enforces against deceptive data-sharing. The FDA regulates anything that diagnoses or treats — even via chatbot. And both major app stores now require crisis-resources disclosure. Here's the enforcement record, the four-layer compliance stack, and what to ship before traffic scales.
The line between a 'financial information tool' and an 'unregistered investment adviser' is narrow and the SEC has been actively enforcing it against AI-flavoured retail products. The Investment Advisers Act's three-part test (advice, securities, compensation) catches a lot of products founders didn't think were in scope. Here's the test, the Marketing Rule, the enforcement record, and the registration-vs.-disclaimer decision every operator has to make.
The European Accessibility Act is the EU's parallel to ADA Title III — but more prescriptive, more proactive, and now actively enforced. Most US founders building consumer apps have never heard of it. EU regulators have started sending advisory letters to non-compliant operators, and a handful of countries have already issued fines. Here's what changed in June 2025 and what to do.
The HHS Office for Civil Rights and the FTC have made tracking pixels on health apps a top enforcement priority since 2023. The math is brutal because the violations are per-affected-user — a single Meta Pixel firing on a checkout page that mentions a medication can produce a six- or seven-figure settlement. Here's the pattern, the recent cases, and what to actually check.
If you're remediating an app for ADA or EAA compliance in 2026, the question is which WCAG version to target. WCAG 2.1 is what most current law references explicitly. WCAG 2.2 is what the next round of regulations and standards will reference. Doing the work twice is wasteful; doing 2.2 first costs almost nothing extra. Here's the differential.
If you're operating a SaaS or consumer app from anywhere in the world, you probably need to comply with both GDPR and CCPA — they reach you based on customer location, not company location. The good news: the requirements overlap significantly, and a single compliance architecture can satisfy both. Here's what triggers each, what they actually require, and where they diverge.
The EU AI Act is the most comprehensive AI regulation in any major market. It's law as of August 2024 with obligations phasing in through 2027 — and the penalty regime is more severe than GDPR's. Most founders building AI-touched SaaS apps will land in the "limited-risk" or "transparency" tier, which means a manageable disclosure-and-labeling regime. A minority will hit high-risk obligations that materially change what they can ship. Here's the operative framework.
You shipped fast. Now ship safely. This is the complete pre-launch checklist for an AI-built web app — what to set, what to check, what to watch for the day you go live. Each item is one or two sentences of plain English. Skip nothing on the P0 list.
Search engines need help understanding what your app is and who it's for. This is the 12-step setup any indie founder can run through in under 90 minutes — no SEO expertise required, no agency, no shady backlink buying.
When someone asks ChatGPT 'what's the best compliance scanner for Lovable apps?' you want your answer to be the one it cites. This is how AEO and GEO actually work — practical tactics based on evidence of what actually gets cited, not marketing fluff.
Receiving an ADA accessibility demand letter is alarming the first time. It is also routine — roughly 30,000–60,000 are sent in the US each year and the response playbook is well established. This is what to do, in order, before you do anything you can't take back.
The cookie banner is the most-implemented and most-wrong piece of vibe-coded compliance. Either you don't have one and you're loading Meta Pixel on page-1 (GDPR violation), or you have one but it doesn't actually block tracking until consent (also GDPR violation). Here's the actual rule, the actual setup, and the cookieless option that skips the whole problem.
About 1 in 4 vibe-coded apps we scan has at least one credential leaked in the client bundle — usually a Stripe key, an OpenAI token, or a Supabase service-role key. The AI didn't mean to leak it; it just didn't know which keys are safe to expose. Here's how to find yours and fix it before someone else does.
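The distinction the AI missed, keys that are designed for the browser versus keys that must stay on the server, is what a bundle scan has to encode. As an added example that is not the page's scanner, the block below scans bundle text for the three credential types named above, telling a Stripe publishable key or a Supabase anon key (safe to ship) apart from a Stripe secret key, an OpenAI key, or a Supabase service-role key (never safe), and audits NEXT_PUBLIC_* variables the same way, since those are inlined into the bundle at build time. The regexes use each service's public key prefixes; the Supabase check decodes the JWT payload and looks at the role claim. Every key in the sample bundle is constructed and fake.

```javascript
// Added example (not the page's scanner): classify credentials found in a
// client bundle by whether they are safe to expose. Key formats are the
// public prefixes of those services; the sample data below is constructed.
const PATTERNS = [
  { kind: 'stripe_secret',      severity: 'critical', re: /\b[sr]k_(?:live|test)_[0-9A-Za-z]{16,}/g },
  { kind: 'stripe_publishable', severity: 'info',     re: /\bpk_(?:live|test)_[0-9A-Za-z]{16,}/g },
  // OpenAI keys use a hyphen after "sk"; Stripe keys use an underscore.
  { kind: 'openai_key',         severity: 'critical', re: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}/g },
  // Any JWT; Supabase keys are JWTs whose payload names the role.
  { kind: 'jwt',                severity: null,       re: /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g },
];

const fromB64url = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');

// Decode the JWT payload without verifying it; only the role claim matters here.
function classifyJwt(token) {
  try {
    const payload = JSON.parse(fromB64url(token.split('.')[1]));
    if (payload.role === 'service_role') return { kind: 'supabase_service_role', severity: 'critical' };
    if (payload.role === 'anon')         return { kind: 'supabase_anon',         severity: 'info' };
    return { kind: 'unknown_jwt', severity: 'warning' };
  } catch (e) {
    return { kind: 'malformed_jwt', severity: 'warning' };
  }
}

// Never write the full secret back into a report.
const redact = (s) => `${s.slice(0, 8)}...(${s.length} chars)`;

function scanText(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const p of PATTERNS) {
      for (const m of line.matchAll(p.re)) {
        const c = p.kind === 'jwt' ? classifyJwt(m[0]) : { kind: p.kind, severity: p.severity };
        findings.push({ ...c, line: i + 1, value: redact(m[0]) });
      }
    }
  });
  return findings;
}

const hasCriticalLeak = (findings) => findings.some((f) => f.severity === 'critical');

// Variables under a public prefix are inlined into the bundle at build time,
// so a secret-shaped value under that prefix is a leak before deploy happens.
function auditPublicEnv(env, prefix = 'NEXT_PUBLIC_') {
  return Object.keys(env)
    .filter((k) => k.startsWith(prefix) && hasCriticalLeak(scanText(String(env[k]))))
    .sort();
}

// Constructed sample data: a fake unsigned JWT in Supabase's shape.
function fakeJwt(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(payload)}.FAKESIGNATURE_not_a_real_signature`;
}

const SAMPLE_BUNDLE = [
  'const stripe = Stripe("pk_live_FAKE00000000000000000000");',                        // safe
  'const STRIPE_SECRET = "sk_live_FAKE00000000000000000000";',                         // leak
  `const supabase = createClient(URL, "${fakeJwt({ role: 'anon', iss: 'supabase' })}");`,         // safe
  `const admin = createClient(URL, "${fakeJwt({ role: 'service_role', iss: 'supabase' })}");`,    // leak
  'headers: { Authorization: "Bearer sk-proj-FAKE0000000000000000000000" }',          // leak
].join('\n');

const SAMPLE_FINDINGS = scanText(SAMPLE_BUNDLE);
```

Run against the sample, `scanText` reports five credentials, three of them critical (the Stripe secret key, the service-role JWT, and the OpenAI key); the publishable key and the anon JWT are reported as informational so a reviewer can confirm they were intended. The anon key is only safe because Supabase row-level security is supposed to constrain it, which is why a permissive RLS policy turns an otherwise harmless finding into a real one.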
There is no federal US privacy law. Instead, there are 19 state laws as of 2026, each with its own thresholds, definitions, and consumer rights. Most indie SaaS founders ignore everything outside California and Texas — and most are missing real obligations. Here's the actual map of who you need to comply with, in plain English.
If you build with AI and never document the human authorship, you can't prove copyright when it matters — at acquisition diligence, in a competitor-cloning dispute, or when you want to enforce your code against a copier. The fix is cheap if you do it from day one and very expensive to retrofit. Here's the documentation trail to build proactively.
The acquirer's diligence team has a checklist. Most of it didn't exist three years ago because AI-built apps weren't being acquired. Now they are, and the questions are specific: which AI tools did you use, what percentage of the codebase, whose IP is it, what compliance posture do you ship in. This is the actual checklist from the buyer's side — and how to prepare yours before the acquisition email arrives.
Two different questions get conflated all the time: "does GitHub own this?" (a contract question — answered no in their TOS) and "does anyone own this?" (a copyright question — increasingly answered "maybe not" by the US Copyright Office). The first one is settled. The second is what acquirers and litigators are starting to ask.
Analytics is the single most common place EU privacy law trips up SaaS founders. The rule is simpler than it looks: if your analytics involves reading or writing to the user's device (cookies, localStorage, fingerprinting) or processing personal data, you need consent before it fires. Here's the actual law, the narrow exceptions, and what regulators have done about it.
AGPL is the strongest copyleft license in mainstream use. It's specifically designed to cover network services, which means deploying an app — not just shipping a binary — can trigger the source-disclosure requirement. AI coding tools occasionally reproduce AGPL-licensed code from their training data. Here's what happens when those two facts collide.
If you built your app with Lovable / Cursor / Bolt / Replit and you're heading into a fundraise or acquisition, the diligence questions are different than they were two years ago. The Wix-Base44 deal in 2025 introduced "AI code provenance" as a standard line item. JP Morgan's founder guide makes it explicit. Here's what's on the checklist and how to be ready.
Lovable's default output is fast but not legal-by-default. The model has clear preferences — placeholder-only inputs, GA4 on first load, Stripe keys in NEXT_PUBLIC_*, permissive Supabase RLS — that show up in almost every production scan we run. Here's what to check, in what order, with what each one costs if it fires.
Unlike Lovable or Bolt, Cursor doesn't generate apps from a single prompt — it edits a real codebase, file by file, on your filesystem. That means more dev control, more variation in output, and a different failure profile. Most Cursor projects look professional. Most also ship with two or three of these issues hiding in plain sight.
Bolt.new's WebContainer model is impressive engineering — you watch the app build, test, and deploy from a browser tab. The compliance issues are similar to Lovable's, plus two Bolt-specific patterns: staging URLs leaking before consent flows exist, and "Continue" iterations silently regressing earlier fixes.
Replit's Agent is the most full-stack of the vibe-coding tools. In one flow it provisions a database, sets up auth, configures secrets, and deploys to Replit's hosting. That breadth is the value — and it also means more compliance surface than apps built on tools that just hand you a frontend.
If you operate a commercial website in the US, the odds of getting a demand letter went up again in 2025. Here's the actual data — federal filings, demand-letter estimates, state breakdown, the WCAG rules lawyers cite most, and what it costs to settle.
AI-built apps ship fast. The legal review that traditional dev teams used to do at handoff — accessibility, privacy, IP — usually doesn't happen. Here are the five risks that show up the most when we scan vibe-coded apps in production.
| Plan | What you get | Price | Action |
|---|---|---|---|
| Run a scan. No card needed | Scan any URL, as many times as you want. See every problem, ranked by how serious it is. | $0, free, always | Start → |
| Unlock everything. All fixes for one scan | Get fix instructions for every problem we found, plus a shareable PDF report. Re-scan as many times as you want. | $19 per scan | Unlock → |
| Monthly plan. For builders shipping weekly · coming soon | Unlimited scans and fix instructions. Auto-scan after every deploy. Plug in to Cursor / Claude via MCP. | $29 / month | Get notified → |
| Agency plan. For studios shipping client work · concierge | Unlimited apps and team members. White-label PDFs. Priority support on Slack. | $290 / month | Contact → |
Paste your app's URL. In about 60 seconds we tell you if your site could get sued under the ADA (US accessibility law), fined under GDPR (European privacy law), or has code that you might not legally own. Each problem comes with a one-line fix you paste into Cursor, Claude, or Windsurf to apply the change.
CheckVibe finds security problems — leaked API keys, weak passwords, hackable endpoints. We find legal problems — accessibility lawsuits, privacy fines, code-ownership disputes. Different threats, same audience. Most teams shipping client work run both.
Potentially, in three different ways. (1) Accessibility: in 2025, US federal courts saw 3,117 ADA website lawsuits and an estimated 30,000–60,000 demand letters. Settlements averaged around $12,500. (2) Privacy: if you have EU users and you load Meta Pixel / Google Ads / TikTok before they consent, that pattern is what European regulators target. (3) Ownership: AI-generated code may not be fully yours, and AI sometimes reproduces licensed code in ways that could trigger open-source obligations. We check all three. None of this is legal advice — for your specific situation, talk to a lawyer.
Maybe not. The US Copyright Office issued guidance in January 2025 saying that pure AI-generated work without sufficient human authorship may not be copyrightable. If a competitor copies your app, you may not have the legal grounds you'd expect. Separately: if the AI reproduced a chunk of GPL-licensed code, you could be subject to that license's obligations. Our scanner flags both signals — for definitive legal answers, consult an attorney.
If a lawyer sends you a demand letter, settling out of court typically costs $5,000–$25,000. If they actually file in court, it commonly runs $15,000–$75,000 including legal fees. New York, Florida, and California account for about three-quarters of these cases — if your site mentions those states or serves customers there, the risk goes up.
No. We only need the public URL of your app. We open it like a regular user would, look at what loads, and check for problems. We never see your private code unless you connect a GitHub repo — and that's only for the deeper code-ownership audit, which is optional.