← All articles
§ TOPIC

Compliance overviews

Hub articles that cut across accessibility, privacy, and IP. Start here if you're trying to understand the full compliance posture of an AI-built app, or you're heading into a fundraise or acquisition.

AccessibilityPrivacyCode ownershipCompliance overviewsIndustry licensing
2026-05-17 · 10 min read

EU AI Act for SaaS founders — what 2026 looks like

The EU AI Act is the most comprehensive AI regulation in any major market. It's law as of August 2024 with obligations phasing in through 2027 — and the penalty regime is more severe than GDPR's. Most founders building AI-touched SaaS apps will land in the "limited-risk" or "transparency" tier, which means a manageable disclosure-and-labeling regime. A minority will hit high-risk obligations that materially change what they can ship. Here's the operative framework.

Read article →
2026-05-17 · 9 min read

The vibe-coded app launch checklist: what to check before going live

You shipped fast. Now ship safely. This is the complete pre-launch checklist for an AI-built web app — what to set, what to check, what to watch for the day you go live. Each item is one or two sentences of plain English. Skip nothing on the P0 list.

Read article →
2026-05-17 · 7 min read

SEO basics for vibe-coded apps: the 12 things to set before launch

Search engines need help understanding what your app is and who it's for. This is the 12-step setup any indie founder can run through in under 90 minutes — no SEO expertise required, no agency, no shady backlink buying.

Read article →
2026-05-17 · 8 min read

AEO and GEO for AI-built apps: getting cited by ChatGPT and Perplexity

When someone asks ChatGPT 'what's the best compliance scanner for Lovable apps?' you want your answer to be the one it cites. This is how AEO and GEO actually work — practical tactics evidence-based on what gets cited, not marketing fluff.

Read article →
2026-05-17 · 6 min read

Exposed secrets in your client bundle: how to find and fix them

About 1 in 4 vibe-coded apps we scan has at least one credential leaked in the client bundle — usually a Stripe key, an OpenAI token, or a Supabase service-role key. The AI didn't mean to leak it; it just didn't know which keys are safe to expose. Here's how to find yours and fix it before someone else does.

Read article →
2026-05-17 · 8 min read

How acquirers audit AI-built apps: the 2026 diligence playbook

The acquirer's diligence team has a checklist. Most of it didn't exist three years ago because AI-built apps weren't being acquired. Now they are, and the questions are specific: which AI tools did you use, what percentage of the codebase, whose IP is it, what compliance posture do you ship in. This is the actual checklist from the buyer's side — and how to prepare yours before the acquisition email arrives.

Read article →
2026-05-16 · 7 min read

Vibe-coded acquisition diligence checklist (2026)

If you built your app with Lovable / Cursor / Bolt / Replit and you're heading into a fundraise or acquisition, the diligence questions are different than they were two years ago. The Wix-Base44 deal in 2025 introduced "AI code provenance" as a standard line item. JP Morgan's founder guide makes it explicit. Here's what's on the checklist and how to be ready.

Read article →
2026-05-16 · 7 min read

Is your Lovable app legally compliant? A 7-point checklist

Lovable's default output is fast but not legal-by-default. The model has clear preferences — placeholder-only inputs, GA4 on first load, Stripe keys in NEXT_PUBLIC_*, permissive Supabase RLS — that show up in almost every production scan we run. Here's what to check, in what order, with what each one costs if it fires.

Read article →
2026-05-16 · 7 min read

Cursor app compliance checklist — what AI-IDE projects ship by default

Unlike Lovable or Bolt, Cursor doesn't generate apps from a single prompt — it edits a real codebase, file by file, on your filesystem. That means more dev control, more variation in output, and a different failure profile. Most Cursor projects look professional. Most also ship with two or three of these issues hiding in plain sight.

Read article →
2026-05-16 · 6 min read

Bolt.new app compliance checklist — what gets skipped in the rush

Bolt.new's WebContainer model is impressive engineering — you watch the app build, test, and deploy from a browser tab. The compliance issues are similar to Lovable's, plus two Bolt-specific patterns: staging URLs leaking before consent flows exist, and "Continue" iterations silently regressing earlier fixes.

Read article →
2026-05-16 · 7 min read

Replit app compliance checklist — what Replit Agent ships by default

Replit's Agent is the most full-stack of the vibe-coding tools. In one flow it provisions a database, sets up auth, configures secrets, and deploys to Replit's hosting. That breadth is the value — and it also means more compliance surface than apps built on tools that just hand you a frontend.

Read article →
2026-05-15 · 8 min read

5 legal risks of vibe coding nobody talks about

AI-built apps ship fast. The legal review that traditional dev teams used to do at handoff — accessibility, privacy, IP — usually doesn't happen. Here are the five risks that show up the most when we scan vibe-coded apps in production.

Read article →