SCAN · CC-2026-0512-7A3F

Scan results for checkout.flowstate.app

Run 2026-05-12 22:32:27 · 3 things to look at
Unlock the fixes

See the exact, paste-into-Cursor instructions for all 3 findings on this scan, plus a branded PDF and unlimited re-scans for 30 days.

WHAT WE FOUND

High legal exposure. Multiple critical-flow violations match patterns actively cited by plaintiff law firms. Address before further launch.

Lawsuit risk (US)
High
ADA applies to your app
Fine risk (Europe)
High
GDPR applies to your app
Privacy risk (US)
Moderate
California law applies
Code ownership
High
Checked your shipped JavaScript
Rough estimate: based on publicly reported 2025 settlement data for similar findings, a typical demand letter in this category settles for roughly $22,000–$105,000 out of court. Filed cases trend higher. Your actual exposure depends on facts we can’t see from a scan; talk to a lawyer if a letter actually arrives.
Why we think that
  • Site is a commercial transactional flow — ADA Title III applies. 2 critical user flows detected.
  • 3 WCAG violations on critical user flows — patterns frequently cited in 2025 demand letters.
  • Site mentions NY/FL/CA — those states accounted for ~75% of 2025 ADA web filings.
  • EU surface detected — GDPR Art. 6(1)(a) and ePrivacy Directive in scope.
  • Financial data flow detected — PCI-DSS + state privacy laws apply.

Compliance scores

Open-Source Licensing & IP38/100 · 4 findings
Copyleft exposure
Accessibility (WCAG 2.2)52/100 · 11 findings
Forms & contrast
Privacy & Tracking41/100 · 4 findings
Pixels pre-consent
01

Code ownership

1 thing

Things that could make your code not legally yours, or that could expose secrets. The stuff acquirers and investors check.

Critical

GPL-3.0 package detected in production bundle

GPL-3.0 §5 — combined work obligation
"dependencies": { "framer-motion-utils": "^1.4.2", // LICENSE: GPL-3.0 ← copyleft, viral "next": "14.2.0", "react": "18.3.1" }
How seriousCritical
What we checkedbundle_fingerprint
How sure we are70%
02

Accessibility (could get you sued in the US)

1 thing

Problems that disabled users would hit on your site. These are the things lawyers cite in demand letters — sorted by how often they get cited.

Critical

Checkout form has no labeled fields

WCAG 2.2 · §1.3.1 Info and Relationships · §3.3.2 Labels or Instructions · ADA Title III
<input type="email" placeholder="Email"> ← no <label>, no aria-label <input type="text" placeholder="Card number"> ← no <label>, no aria-label <input type="text" placeholder="CVC"> ← no <label>, no aria-label Screen-reader output: "edit text, edit text, edit text"
How seriousCritical
What we checkedoverlay
How sure we are95%
03

Privacy (could get you fined in the EU)

1 thing

Trackers and analytics that fire on your site before users have a chance to say no. If you have European users, this is the part regulators care about.

Critical

Meta Pixel fires before consent prompt

GDPR Art. 6(1)(a) · ePrivacy Directive Art. 5(3) · CCPA §1798.135
# Network requests on first page load: GET https://connect.facebook.net/en_US/fbevents.js [200] ← BEFORE consent dialog rendered POST https://www.facebook.com/tr/?ev=PageView [200] ← user ID hashed, sent ─── consent dialog rendered at t=2400ms ───
How seriousCritical
What we checkedpixel_pre_consent
How sure we are90%
Not legal adviceComply Code is an automated pattern-matching tool, not a substitute for review by a qualified attorney. Findings and risk estimates are based on publicly reported 2025 enforcement patterns; your specific situation may differ. For decisions about real legal matters, consult a lawyer licensed in your jurisdiction. Scan id cc-2026-0512-7A3F, run 2026-05-12T22:32:27Z.