ComplianceRadar
A fast, affordable compliance radar for AI-driven businesses: identify EU AI Act, GDPR, and ePrivacy risk before it becomes a legal or revenue problem.
ComplianceRadar landing and results flow.
The Problem
European teams are shipping AI features under growing regulatory pressure, but most do not have a simple way to understand whether they are compliant with the EU AI Act, GDPR, and ePrivacy. Traditional options are either expensive legal reviews or enterprise GRC platforms with long onboarding cycles. For startups and SMBs, that creates a dangerous gap: uncertainty now, penalties and business risk later.
The Solution
ComplianceRadar delivers an automated, self-serve compliance workflow. A free scan gives risk level, AI Act classification, GDPR score, benchmark percentile, and top findings. Paid tiers turn that diagnosis into action: Single Report (29 EUR one-time) unlocks full findings with references, remediation checklist, timeline, and PDF export; Pro Monitoring (49 EUR/month) adds recurring rescans and change alerts; Agency Plan (199 EUR/month) supports higher scan volume and service use cases. Optional sign-in, dashboard history, and built-in legal pages make it ready for real customer operations.
Results
This portfolio version intentionally avoids invented metrics. The product is built to optimize clear business outcomes: faster compliance decisions, lower advisory spend, and reduced risk exposure as enforcement deadlines approach. Quantitative KPIs can be added as live customer data matures.
ComplianceRadar is positioned as a practical middle ground between expensive legal consulting and heavy enterprise compliance platforms. Teams can assess risk quickly, prioritize fixes, and communicate progress to stakeholders without slowing product delivery.
Architecture
- Submit URL (optional email) → Scan API: scrape with Cheerio, falling back to Playwright; if a session exists, resolve it to a userId; analyse with Gemini, with ePrivacy context in the prompt.
- Scan API → Prisma create (userId and userEmail optional) → redirect to results, which show the free teaser or, once paid, the full report.
- Sign-in → Dashboard lists the signed-in user's scans.
- Checkout → Stripe → webhook sets isPaid → refresh unlocks the full report and PDF download.
Tech choices
- Next.js 16, App Router — single stack, API routes, server/client components, middleware.
- Cheerio + fetch + Playwright fallback — scraping; Playwright for JS-heavy sites and ePrivacy (cookie/script detection before consent).
- Google Gemini (@google/genai) — structured JSON output, system prompt for compliance analyst; no user data for model training.
- PostgreSQL + Prisma 7 — Scan, User, Account, Session (NextAuth); @prisma/adapter-pg.
- Stripe Checkout — hosted one-time (€29 Full Report) and subscription (€49/mo Pro); webhook for isPaid.
- NextAuth (Google + Credentials) — sign-in, Dashboard (scan history); scans are linked to the user when signed in.
- react-to-print — PDF export, available once the scan is paid.
Implementation highlights
- Prisma 7 and pg adapter — client built with PrismaPg adapter; singleton in lib/prisma.ts only when DATABASE_URL is set.
- Stripe and build-time env — Checkout and webhook call getStripe() inside the request handler rather than at module load, so the app builds without Stripe keys in CI.
- Scan API — URL validation (HTTP(S) only; localhost and private-range IPs rejected), multi-page scrape of compliance paths, Playwright fallback when Cheerio yields little text and for ePrivacy checks (cookies and third-party scripts loaded before consent).
- NextAuth and scan ownership — getServerSession in Scan API; scan created with userId when signed in; Dashboard queries scans by user.
- Results and PDF — paid view wraps report in #pdf-report-content; react-to-print triggers browser print/PDF; light-theme print styles; filename from scan URL host.
- Cookie banner (lib/cookieConsent) — Accept all / Reject non-essential / Customize; choice stored; ConsentAwareAnalytics.
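The URL validation step in the Scan API bullet is where a scanner becomes an SSRF proxy: the scraper fetches whatever host the user names, so loopback, RFC 1918, link-local (cloud metadata) and their IPv6 equivalents have to be refused. The following is an added example in TypeScript for a Node runtime; it is not ComplianceRadar's code, and the function names (validateScanUrl, firstNonPublicAddress) are this example's own. It goes beyond the bullet in two ways: it covers IPv6 and IPv4-mapped literals, and it separates the literal check from a check over resolved addresses, because a hostname that passes the literal check can still resolve to an internal address.

```typescript
// Added example, not ComplianceRadar's own code: an SSRF guard for a URL scanner.
// It relies on Node's WHATWG URL parser to canonicalise hosts, so "http://2130706433/",
// "http://0x7f.1/" and "http://127.1/" all reach the checks below as "127.0.0.1" and
// IPv6 literals arrive in brackets. All function names are this example's own.

export function isPrivateIPv4(ip: string): boolean {
  const [a, b] = ip.split(".").map(Number);
  return (
    a === 0 ||                            // 0.0.0.0/8 "this network"
    a === 10 ||                           // 10.0.0.0/8
    a === 127 ||                          // 127.0.0.0/8 loopback
    (a === 169 && b === 254) ||           // 169.254.0.0/16 link-local, incl. cloud metadata 169.254.169.254
    (a === 172 && b >= 16 && b <= 31) ||  // 172.16.0.0/12
    (a === 192 && b === 168) ||           // 192.168.0.0/16
    (a === 100 && b >= 64 && b <= 127) || // 100.64.0.0/10 carrier-grade NAT
    a >= 224                              // 224.0.0.0/4 multicast and 240.0.0.0/4 reserved
  );
}

// Expand an IPv6 literal into its eight 16-bit groups; null if malformed.
function ipv6Groups(ip: string): number[] | null {
  let s = ip;
  const v4 = /(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(s);
  if (v4) { // a dotted IPv4 tail (::ffff:127.0.0.1) folds into two hex groups
    const o = v4.slice(1).map(Number);
    s = s.slice(0, v4.index) + ((o[0] << 8) | o[1]).toString(16) + ":" + ((o[2] << 8) | o[3]).toString(16);
  }
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const fill = 8 - head.length - tail.length;
  if (fill < 0 || (halves.length === 1 && fill !== 0)) return null;
  const groups = [...head, ...Array(fill).fill("0"), ...tail].map((g: string) => parseInt(g, 16));
  return groups.some((g) => Number.isNaN(g) || g > 0xffff) ? null : groups;
}

export function isPrivateIPv6(ip: string): boolean {
  const g = ipv6Groups(ip);
  if (!g) return true; // unparseable: fail closed
  const zeroPrefix = g.slice(0, 5).every((x) => x === 0);
  if (zeroPrefix && g[5] === 0xffff) {
    // IPv4-mapped address: judge the embedded IPv4 so ::ffff:10.0.0.1 is not a bypass
    return isPrivateIPv4(`${g[6] >> 8}.${g[6] & 0xff}.${g[7] >> 8}.${g[7] & 0xff}`);
  }
  if (zeroPrefix && g[5] === 0 && g[6] === 0 && g[7] <= 1) return true; // :: and ::1
  if ((g[0] & 0xfe00) === 0xfc00) return true; // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return true; // fe80::/10 link-local
  if ((g[0] & 0xff00) === 0xff00) return true; // ff00::/8 multicast
  return false;
}

// First address in the list that is not publicly routable, or null. Run it on the
// result of dns.lookup(host, { all: true }) before connecting, and again on every
// redirect target: a public-looking hostname can resolve to an internal address.
export function firstNonPublicAddress(addresses: string[]): string | null {
  for (const a of addresses) {
    const bare = a.startsWith("[") && a.endsWith("]") ? a.slice(1, -1) : a;
    if (/^\d+(\.\d+){3}$/.test(bare)) {
      if (isPrivateIPv4(bare)) return a;
    } else if (bare.includes(":")) {
      if (isPrivateIPv6(bare)) return a;
    } // anything else is a DNS name and must be resolved before it can be judged
  }
  return null;
}

export type Verdict = { ok: true; url: URL } | { ok: false; reason: string };

// Syntactic gate for a user-submitted scan target: scheme, no credentials, no
// localhost, no loopback or private literal in any spelling the URL parser accepts.
export function validateScanUrl(raw: string): Verdict {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: "not an absolute URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: `scheme ${url.protocol} is not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials in the URL are not allowed" };
  const host = url.hostname.replace(/\.$/, ""); // "localhost." is still localhost
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost is not allowed" };
  const bad = firstNonPublicAddress([host]);
  if (bad) return { ok: false, reason: `${bad} is not a public address` };
  return { ok: true, url };
}
```

In a route handler the sequence is: validateScanUrl on the submitted string, then dns.lookup(host, { all: true }), then firstNonPublicAddress over the returned addresses, and the same resolve-and-check on every redirect target before it is followed (fetch follows redirects by default, so either disable that or re-validate each hop). The Playwright fallback needs the same gate, since the browser resolves names on its own.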
Security and robustness
- Secrets (GEMINI_API_KEY, STRIPE_*, DATABASE_URL, NEXTAUTH_SECRET, OAuth client secrets) are server-only; Stripe Price IDs and NEXTAUTH_URL are exposed to the client only where needed.
- Price ID allowlist — checkout validates the submitted priceId against the env-configured Full Report and Pro Monitoring Price IDs, so a client cannot substitute a cheaper or foreign price.
- Webhook idempotency — Stripe may deliver checkout.session.completed more than once; the handler only ever sets isPaid to true, so a repeat delivery is a no-op.
- Scan access — anyone holding a scanId link can view the teaser and complete checkout, so scanId must be an unguessable identifier; Dashboard and API return only the authenticated user's scans when userId is set.
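The Price ID allowlist and the idempotent webhook update from the list above, as an added example in TypeScript that is not ComplianceRadar's code and runs without Stripe or a database. The env variable names, scan ids and event payloads are constructed for the example; the session fields are the subset of Stripe's Checkout Session object the handler reads, and tying a session to a scan through client_reference_id is this example's assumption (the page does not say how the link is made). It adds one check the bullet does not mention: checkout.session.completed also fires for delayed payment methods with payment_status "unpaid", so the handler keys on payment_status rather than on the event type alone.

```typescript
// Added example, not ComplianceRadar's own code: the Price ID allowlist and the
// idempotent webhook update as pure functions that run without Stripe or a
// database. Env names, scan ids and event payloads are constructed here; the
// session fields are the subset of Stripe's Checkout Session that is read, and
// linking a session to a scan via client_reference_id is this example's assumption.

export type Tier = "full_report" | "pro_monitoring";
export interface PriceEnv { FULL_REPORT_PRICE_ID: string; PRO_MONITORING_PRICE_ID: string }

// Allowlist: the client may only name a tier by matching a server-configured
// Price ID; anything else (another product, a wrong type, an array) is refused.
export function tierForPriceId(priceId: unknown, env: PriceEnv): Tier | null {
  if (typeof priceId !== "string") return null;
  if (priceId === env.FULL_REPORT_PRICE_ID) return "full_report";
  if (priceId === env.PRO_MONITORING_PRICE_ID) return "pro_monitoring";
  return null;
}

// Subset of a Stripe event as delivered to the webhook, after signature
// verification (stripe.webhooks.constructEvent over the raw request body).
export interface CheckoutEvent {
  id: string;
  type: string;
  data: { object: { id: string; payment_status: string; client_reference_id: string | null } };
}

export interface ScanStore {
  isPaid(scanId: string): boolean;
  markPaid(scanId: string): boolean; // false if no such scan exists
}

export class MemoryScanStore implements ScanStore {
  private paid = new Map<string, boolean>();
  constructor(scanIds: string[]) {
    for (const id of scanIds) this.paid.set(id, false);
  }
  isPaid(scanId: string): boolean {
    return this.paid.get(scanId) === true;
  }
  markPaid(scanId: string): boolean {
    if (!this.paid.has(scanId)) return false;
    this.paid.set(scanId, true); // setting true is idempotent by construction
    return true;
  }
}

export type Outcome = "paid" | "duplicate" | "not_paid_yet" | "unknown_scan" | "ignored";

// Stripe delivers at least once; every outcome here should be answered with 2xx,
// because a non-2xx makes Stripe retry the same event. Re-applying an event that
// was already applied changes nothing in the store and reports "duplicate".
export function applyCheckoutEvent(event: CheckoutEvent, store: ScanStore): Outcome {
  if (event.type !== "checkout.session.completed" && event.type !== "checkout.session.async_payment_succeeded") {
    return "ignored";
  }
  const session = event.data.object;
  // Delayed payment methods complete the session with payment_status "unpaid";
  // the money arrives later with checkout.session.async_payment_succeeded.
  // ("no_payment_required", e.g. a free trial, is a product decision, not handled here.)
  if (session.payment_status !== "paid") return "not_paid_yet";
  const scanId = session.client_reference_id;
  if (!scanId) return "unknown_scan";
  const alreadyPaid = store.isPaid(scanId);
  if (!store.markPaid(scanId)) return "unknown_scan";
  return alreadyPaid ? "duplicate" : "paid";
}

// Constructed sample payloads (not real Stripe data).
export const paidEvent: CheckoutEvent = {
  id: "evt_example_1",
  type: "checkout.session.completed",
  data: { object: { id: "cs_example_1", payment_status: "paid", client_reference_id: "scan_a" } },
};
export const unpaidEvent: CheckoutEvent = {
  id: "evt_example_2",
  type: "checkout.session.completed",
  data: { object: { id: "cs_example_2", payment_status: "unpaid", client_reference_id: "scan_b" } },
};

// Walks the at-least-once scenario: the same paid event delivered twice.
export function demo(): { first: Outcome; second: Outcome; paid: boolean } {
  const store = new MemoryScanStore(["scan_a", "scan_b"]);
  const first = applyCheckoutEvent(paidEvent, store);
  const second = applyCheckoutEvent(paidEvent, store);
  return { first, second, paid: store.isPaid("scan_a") };
}
```

In the route the signature check comes first: read the raw body with request.text(), pass it with the stripe-signature header to stripe.webhooks.constructEvent, and hand only the event it returns to applyCheckoutEvent; answer every outcome with 200 so Stripe stops redelivering, and log "unknown_scan" since it indicates a session created without a valid scan reference.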
File layout
- app/page.tsx — Landing: urgency banner, hero, URL form, email modal, pricing, FAQ; on success → /results/[scanId].
- app/results/[scanId]/page.tsx — Server component; loads scan, passes to ResultsView.
- app/results/[scanId]/ResultsView.tsx — Client: teaser vs full report, blur, Stripe CTAs (€29 / €49/mo), PDF via react-to-print (paid).
- app/dashboard/page.tsx — Protected; lists user's scans (date, URL, risk, View report).
- app/api/scan/route.ts — URL validation, scrape (Cheerio ± Playwright), Gemini, Prisma create (userId, userEmail optional).
- app/api/checkout/route.ts — Validate scan and price, create Stripe session, return URL.
- app/api/webhooks/stripe/route.ts — Verify signature, set isPaid on checkout.session.completed.
- app/api/auth/[...nextauth]/route.ts — NextAuth handler.
- app/terms, app/privacy, app/security — legal pages (prose).
- lib/cookieConsent.ts, lib/playwright-scraper.ts — consent storage and Playwright scraping helpers.
Outcome
ComplianceRadar turns regulatory uncertainty into an actionable product decision flow: diagnose risk fast, prioritize fixes, and upgrade to continuous monitoring when needed. The commercial model (free entry, low-friction paid tiers) supports conversion without enterprise-style sales cycles, while the technical stack keeps the platform extensible and operationally reliable.