ARTICLES

Plain-English explainers, with sources.

Long-form pieces on the legal questions every vibe coder eventually runs into. Lawsuit data, enforcement patterns, court rulings on AI code, copyleft mechanics. We try to write each one so you can hand it to a non-lawyer founder and they’ll get it.

Browse by topic:AccessibilityPrivacyCode ownershipCompliance overviews
Code ownership2026-05-18 · 8 min read

Open-source license cheat sheet for vibe coders

Open-source licenses range from "use freely, even commercially" to "if you ship this on the network, your entire app's source must be public." AI coding tools reproduce code from all of them with no license headers attached. The license obligations travel with the code anyway. This is the cheat sheet you can reference when something flags in a scan or shows up unexpectedly in a dependency tree.

Read article →
Code ownership2026-05-18 · 7 min read

Software Bill of Materials (SBOM) — do you need one for your AI-built app?

An SBOM is a machine-readable inventory of every software component in your application — direct dependencies, transitive dependencies, versions, licenses, suppliers. Procurement teams at large enterprises and the US federal government now require them; the EU's Cyber Resilience Act will require them for products sold in the EU starting late 2027. The good news: generating one for a JS or Python app takes minutes with the right tool.

Read article →
Article2026-05-18 · 9 min read

Is my AI legal assistant practising law without a license?

If you vibe-coded a tool that drafts contracts, files small-claims paperwork, or answers legal questions, the question isn't whether UPL law applies to you — it's whether you've crossed the line your state's bar uses to decide. Here's the actual test, the language that gets investigated, and the mitigations the legal-tech category has converged on.

Read article →
Article2026-05-18 · 8 min read

AI therapy apps: licensing rules, FTC enforcement, and the crisis-resources duty

Mental-health software has a regulatory stack that's deeper than founders usually realise. State psychology licensing boards police diagnosis and treatment claims. The FTC enforces against deceptive data-sharing. The FDA regulates anything that diagnoses or treats — even via chatbot. And both major app stores now require crisis-resources disclosure. Here's the enforcement record, the four-layer compliance stack, and what to ship before traffic scales.

Read article →
Article2026-05-18 · 9 min read

AI financial advice: when your app becomes an unregistered investment adviser

The line between a 'financial information tool' and an 'unregistered investment adviser' is narrow and the SEC has been actively enforcing it against AI-flavoured retail products. The Investment Advisers Act's three-part test (advice, securities, compensation) catches a lot of products founders didn't think were in scope. Here's the test, the Marketing Rule, the enforcement record, and the registration-vs.-disclaimer decision every operator has to make.

Read article →
Accessibility2026-05-17 · 9 min read

European Accessibility Act (EAA) — what changed in June 2025

The European Accessibility Act is the EU's parallel to ADA Title III — but more prescriptive, more proactive, and now actively enforced. Most US founders building consumer apps have never heard of it. EU regulators have started sending advisory letters to non-compliant operators, and a handful of countries have already issued fines. Here's what changed in June 2025 and what to do.

Read article →
Privacy2026-05-17 · 8 min read

Is your telehealth app leaking PHI through tracking pixels?

The HHS Office for Civil Rights and the FTC have made tracking pixels on health apps a top enforcement priority since 2023. The math is brutal because the violations are per-affected-user — a single Meta Pixel firing on a checkout page that mentions a medication can produce a six- or seven-figure settlement. Here's the pattern, the recent cases, and what to actually check.

Read article →
Accessibility2026-05-17 · 7 min read

WCAG 2.1 vs 2.2 — what changed and what to fix on your app

If you're remediating an app for ADA or EAA compliance in 2026, the question is which WCAG version to target. WCAG 2.1 is what most current law references explicitly. WCAG 2.2 is what the next round of regulations and standards will reference. Doing the work twice is wasteful; doing 2.2 first costs almost nothing extra. Here's the differential.

Read article →
Privacy2026-05-17 · 9 min read

GDPR vs CCPA — when each applies to your app

If you're operating a SaaS or consumer app from anywhere in the world, you probably need to comply with both GDPR and CCPA — they reach you based on customer location, not company location. The good news: the requirements overlap significantly, and a single compliance architecture can satisfy both. Here's what triggers each, what they actually require, and where they diverge.

Read article →
All-in-one2026-05-17 · 10 min read

EU AI Act for SaaS founders — what 2026 looks like

The EU AI Act is the most comprehensive AI regulation in any major market. It's law as of August 2024 with obligations phasing in through 2027 — and the penalty regime is more severe than GDPR's. Most founders building AI-touched SaaS apps will land in the "limited-risk" or "transparency" tier, which means a manageable disclosure-and-labeling regime. A minority will hit high-risk obligations that materially change what they can ship. Here's the operative framework.

Read article →
All-in-one2026-05-17 · 9 min read

The vibe-coded app launch checklist: what to check before going live

You shipped fast. Now ship safely. This is the complete pre-launch checklist for an AI-built web app — what to set, what to check, what to watch for the day you go live. Each item is one or two sentences of plain English. Skip nothing on the P0 list.

Read article →
All-in-one2026-05-17 · 7 min read

SEO basics for vibe-coded apps: the 12 things to set before launch

Search engines need help understanding what your app is and who it's for. This is the 12-step setup any indie founder can run through in under 90 minutes — no SEO expertise required, no agency, no shady backlink buying.

Read article →
All-in-one2026-05-17 · 8 min read

AEO and GEO for AI-built apps: getting cited by ChatGPT and Perplexity

When someone asks ChatGPT 'what's the best compliance scanner for Lovable apps?' you want your answer to be the one it cites. This is how AEO and GEO actually work — practical tactics evidence-based on what gets cited, not marketing fluff.

Read article →
Accessibility2026-05-17 · 7 min read

I got an ADA demand letter for my website. What do I do?

Receiving an ADA accessibility demand letter is alarming the first time. It is also routine — roughly 30,000–60,000 are sent in the US each year and the response playbook is well established. This is what to do, in order, before you do anything you can't take back.

Read article →
Privacy2026-05-17 · 8 min read

Cookie consent for vibe-coded apps: GDPR-compliant setup in 2026

The cookie banner is the most-implemented and most-wrong piece of vibe-coded compliance. Either you don't have one and you're loading Meta Pixel on page-1 (GDPR violation), or you have one but it doesn't actually block tracking until consent (also GDPR violation). Here's the actual rule, the actual setup, and the cookieless option that skips the whole problem.

Read article →
All-in-one2026-05-17 · 6 min read

Exposed secrets in your client bundle: how to find and fix them

About 1 in 4 vibe-coded apps we scan has at least one credential leaked in the client bundle — usually a Stripe key, an OpenAI token, or a Supabase service-role key. The AI didn't mean to leak it; it just didn't know which keys are safe to expose. Here's how to find yours and fix it before someone else does.

Read article →
Privacy2026-05-17 · 9 min read

US state privacy laws beyond CCPA: TDPSA, VCDPA, and what indie SaaS founders need to know

There is no federal US privacy law. Instead, there are 19 state laws as of 2026, each with its own thresholds, definitions, and consumer rights. Most indie SaaS founders ignore everything outside California and Texas — and most are missing real obligations. Here's the actual map of who you need to comply with, in plain English.

Read article →
Code ownership2026-05-17 · 7 min read

AI code provenance: how to prove you own your app's code

If you build with AI and never document the human authorship, you can't prove copyright when it matters — at acquisition diligence, in a competitor-cloning dispute, or when you want to enforce your code against a copier. The fix is cheap if you do it from day one and very expensive to retrofit. Here's the documentation trail to build proactively.

Read article →
All-in-one2026-05-17 · 8 min read

How acquirers audit AI-built apps: the 2026 diligence playbook

The acquirer's diligence team has a checklist. Most of it didn't exist three years ago because AI-built apps weren't being acquired. Now they are, and the questions are specific: which AI tools did you use, what percentage of the codebase, whose IP is it, what compliance posture do you ship in. This is the actual checklist from the buyer's side — and how to prepare yours before the acquisition email arrives.

Read article →
Code ownership2026-05-16 · 9 min read

Does GitHub Copilot own my code? (And do you?)

Two different questions get conflated all the time: "does GitHub own this?" (a contract question — answered no in their TOS) and "does anyone own this?" (a copyright question — increasingly answered "maybe not" by the US Copyright Office). The first one is settled. The second is what acquirers and litigators are starting to ask.

Read article →
Privacy2026-05-16 · 7 min read

Is GDPR consent required for analytics?

Analytics is the single most common place EU privacy law trips up SaaS founders. The rule is simpler than it looks: if your analytics involves reading or writing to the user's device (cookies, localStorage, fingerprinting) or processing personal data, you need consent before it fires. Here's the actual law, the narrow exceptions, and what regulators have done about it.

Read article →
Code ownership2026-05-16 · 8 min read

What happens if your AI-built app uses AGPL code?

AGPL is the strongest copyleft license in mainstream use. It's specifically designed to cover network services, which means deploying an app — not just shipping a binary — can trigger the source-disclosure requirement. AI coding tools occasionally reproduce AGPL-licensed code from their training data. Here's what happens when those two facts collide.

Read article →
All-in-one2026-05-16 · 7 min read

Vibe-coded acquisition diligence checklist (2026)

If you built your app with Lovable / Cursor / Bolt / Replit and you're heading into a fundraise or acquisition, the diligence questions are different than they were two years ago. The Wix-Base44 deal in 2025 introduced "AI code provenance" as a standard line item. JP Morgan's founder guide makes it explicit. Here's what's on the checklist and how to be ready.

Read article →
All-in-one2026-05-16 · 7 min read

Is your Lovable app legally compliant? A 7-point checklist

Lovable's default output is fast but not legal-by-default. The model has clear preferences — placeholder-only inputs, GA4 on first load, Stripe keys in NEXT_PUBLIC_*, permissive Supabase RLS — that show up in almost every production scan we run. Here's what to check, in what order, with what each one costs if it fires.

Read article →
All-in-one2026-05-16 · 7 min read

Cursor app compliance checklist — what AI-IDE projects ship by default

Unlike Lovable or Bolt, Cursor doesn't generate apps from a single prompt — it edits a real codebase, file by file, on your filesystem. That means more dev control, more variation in output, and a different failure profile. Most Cursor projects look professional. Most also ship with two or three of these issues hiding in plain sight.

Read article →
All-in-one2026-05-16 · 6 min read

Bolt.new app compliance checklist — what gets skipped in the rush

Bolt.new's WebContainer model is impressive engineering — you watch the app build, test, and deploy from a browser tab. The compliance issues are similar to Lovable's, plus two Bolt-specific patterns: staging URLs leaking before consent flows exist, and "Continue" iterations silently regressing earlier fixes.

Read article →
All-in-one2026-05-16 · 7 min read

Replit app compliance checklist — what Replit Agent ships by default

Replit's Agent is the most full-stack of the vibe-coding tools. In one flow it provisions a database, sets up auth, configures secrets, and deploys to Replit's hosting. That breadth is the value — and it also means more compliance surface than apps built on tools that just hand you a frontend.

Read article →
Accessibility2026-05-15 · 6 min read

How many ADA website lawsuits happen each year? (2025 data)

If you operate a commercial website in the US, the odds of getting a demand letter went up again in 2025. Here's the actual data — federal filings, demand-letter estimates, state breakdown, the WCAG rules lawyers cite most, and what it costs to settle.

Read article →
All-in-one2026-05-15 · 8 min read

5 legal risks of vibe coding nobody talks about

AI-built apps ship fast. The legal review that traditional dev teams used to do at handoff — accessibility, privacy, IP — usually doesn't happen. Here are the five risks that show up the most when we scan vibe-coded apps in production.

Read article →