Privacy Check
Checks your project for data-protection risks, open questions and expert-review needs — before it goes live.
SKILL.md in the open agentskills.io standard — works directly in Claude, ChatGPT/Codex, Cursor, Copilot & more.
Privacy Check is an AI skill for a structured data-protection pre-check of any project — it makes visible which data, purposes, jurisdictions, vendors, consents, retention periods and risks must be checked before you go live. Not just websites: apps, newsletters, giveaways, events, leads/CRM, communities, chatbots, AI agents, shops, courses, HR and automations too. It detects the project type and use cases, routes the relevant regimes (GDPR, ePrivacy, EU AI Act, UK, US state laws), flags high-risk hard, and delivers a risk traffic light, prioritized to-dos and an expert-review briefing. Not legal advice, not a final sign-off.
What this skill does
- Detects the project type and use cases and activates the matching modules (14 areas from website to AI agent)
- Eleven modes via a router: quick check · project intake · use-case check · jurisdiction router · consent & notice · data flow & vendors · risk & DPIA · AI & AI-Act · launch gate · docs & to-do generator · expert-review briefing
- Routes the relevant regimes (GDPR, ePrivacy/§25 TDDDG, EU AI Act, UK GDPR/DUAA, US state laws, Switzerland, …) as check points
- Builds a data inventory, data-flow map and purpose matrix, and forces data minimization
- Structures possible legal bases to check (without finally deciding)
- Checks consent/opt-out, transparency notices, cookie-banner rules and service-vs-marketing separation
- Captures vendors, DPAs, subprocessors and third-country transfers (adequacy/SCCs+TIA/DPF)
- Flags high-risk hard (children, health, biometrics, location, profiling, automated decisions) and checks DPIA need
- Screens AI features against the EU AI Act (Art. 5 bans, Art. 50 transparency, Annex III high-risk, FRIA) — date-aware
- Outputs a risk traffic light, readiness score, prioritized to-dos, draft text blocks and an expert-review briefing
Description
Privacy Check is a skill for a structured data-protection pre-check — it does not decide whether a project is finally lawful; it makes visible which data, purposes, people, countries, platforms, vendors, notices, consents, security measures, retention periods and risks must be checked. The framing is always the same: "before this goes live — what does a qualified human still need to look at?" Instead of only thinking about website cookies, it detects the real project type and activates the matching use-case module: website/tracking, app/mobile SDK, newsletter/direct marketing, leads/CRM/sales, giveaway/contest, event/expo/webinar, community/social, chatbot/AI agent/RAG, shop/payment, course/LMS, children/youth, HR/recruiting, vendor/transfer and security/incident. It thinks globally: operator country, user countries, target markets, cloud region and vendor countries decide which regimes to check — it routes them and recommends verifying the current official source. The flow is a real method: data inventory, data-flow map (source → collection → system → vendor → storage → recipients → deletion), purpose matrix with data minimization, roles (controller/processor), a legal-basis pre-screen (structure the options, don't finally decide), consent/opt-out architecture, transparency blocks, vendor and third-country transfer checks, retention/deletion, security measures (TOMs) and a high-risk screen. It flags high-risk hard: children, health, biometrics, precise location, profiling/scoring, automated decisions, extensive tracking, third-country transfers and AI agents with tool access — and checks whether a DPIA (GDPR Art. 35) is likely mandatory. For AI projects it screens GDPR and the EU AI Act in parallel: prohibited practices (Art. 5), chatbot transparency and synthetic-content marking (Art. 50), high-risk classification (Annex III) and an integrated DPIA + FRIA — date-aware and including the 2026 Digital Omnibus. Every check ends usable: a risk traffic light (🟢🟡🟠🔴), a readiness score (0–100, project maturity, not a legal score), prioritized immediate to-dos, draft notice/consent blocks to review, and a ready-made briefing for a data protection officer or lawyer. It never invents laws, deadlines, fines or sources, does not recommend consent as a blanket fix, and does not sugarcoat risky processing. It is the data-protection pre-check layer alongside Website-Doktor (measured technical audit), the AI Blueprint Assistant (planning) and AI Quality Check (checking AI output).
Examples
What it does not do
- Gives no legal advice and no final compliance sign-off — does not replace a DPO, lawyer or authority
- Doesn't claim a project is GDPR/CCPA/AI-Act compliant, and doesn't sugarcoat risky processing
- Produces no binding legal texts — draft blocks are clearly marked starting points to review
- Doesn't recommend consent as a blanket fix, or tracking/profiling without a real check
- Doesn't invent laws, deadlines, fines or sources — flags time-sensitive items as verify-current
- Won't help launder unlawful processing (dark-pattern consent, hidden tracking) past a review
Compatibility & tech
- Tested (internal)
- 4 scenarios
- Recommended runtime
- Stärkstes verfügbares Modell; für aktuelle Rechts-/Plattform-Quellen eines mit Web-/Such-Tool.
- Modes
- Quick check (triage) · Project intake (data inventory + data-flow map) · Use-case check · Jurisdiction router · Consent & notice check · Data flow, vendors & transfers · Risk & DPIA screen · AI & AI-Act check · Launch go/no-go gate · Docs & to-do generator · Expert-review briefing
- Inputs
- Project description (text) · Website / landing page · App / mobile SDK · Newsletter / giveaway / event · Lead / CRM / shop flow · Chatbot / AI agent / RAG · Vendor / data-flow list
- Output format
- Structured Markdown report (verdict, risk light + readiness score, detected areas, regimes, data & people, high-risk factors, vendors & data flows, use-case check points, open questions, prioritized to-dos, draft text blocks, DPIA/FRIA need, expert-review briefing); optionally a launch-gate table and a documentation set.
- Subcategory
- Data-protection pre-check & compliance prep
- License
- Proprietär
Security profile
Runs entirely on your machine with your own AI — no external runtime, no running costs.
Only instructions, templates and references — no executable scripts.
Accesses external sources / the network in normal use (e.g. live pages, search/data APIs).
What you get
- privacy-check-1.0.0/11 files
- .claude-plugin/marketplace.json
plugins/privacy-check/skills/privacy-check/11 files
- SKILL.md
- manifest.json
references/9 files
- consent-notice-modules.md
- eu-ai-act.md
- jurisdiction-router.md
- official-sources.md
- platform-privacy-rules.md
- privacy-check-checklist.md
- privacy-check-method.md
- risk-score-and-output.md
- use-case-modules.md
- .agents/skills/privacy-check/→ universal — same content (Codex, Cursor, Copilot, Gemini, Windsurf, Cline)
- LICENSE.txt
Installation
Also works as a chat prompt
No AI tool? Paste it into Claude, ChatGPT or Gemini and use the method right away.
This skill ships no scripts, so the prompt carries its full method.
Works best when your chat has web access.
Installing is the full version — it triggers automatically, runs its scripts and loads references as needed. As a chat prompt you drive the method by hand.
Unlock to copy the ready-to-paste prompt — then in “My Skills”.
Reviews
No reviews yet – be the first.
Note
A structured data-protection pre-check, not legal advice and not a final compliance sign-off. Strongest with details on project type, countries and data types; without them it works with flagged assumptions. Confirm time-sensitive legal/platform facts with a web tool, otherwise they are flagged verify-current. For a binding assessment, legal texts or international edge cases, get a qualified data-protection/legal review.
Changelog
- v1.0.001.07.2026[object Object]
Frequently asked questions
What does Privacy Check do?
Privacy Check is an AI skill for a structured data-protection pre-check of any project — it makes visible which data, purposes, jurisdictions, vendors, consents, retention periods and risks must be checked before you go live. Not just websites: apps, newsletters, giveaways, events, leads/CRM, communities, chatbots, AI agents, shops, courses, HR and automations too. It detects the project type and use cases, routes the relevant regimes (GDPR, ePrivacy, EU AI Act, UK, US state laws), flags high-risk hard, and delivers a risk traffic light, prioritized to-dos and an expert-review briefing. Not legal advice, not a final sign-off.
How do I check data protection before my project goes live?
Privacy Check is a structured data-protection pre-check: it detects the project type and use cases, routes the relevant regimes (GDPR, ePrivacy, EU AI Act, UK, US state laws), builds a data inventory and a data-flow map, flags high-risk factors, and outputs a risk traffic light, prioritized to-dos and an expert-review briefing — instead of leaving you to guess what is missing.
Is Privacy Check legal advice?
No. Privacy Check is explicitly not legal advice and not a final compliance sign-off — it does not replace a data protection officer, lawyer or supervisory authority. It makes visible what must be checked and prepares a professional review. Concrete results always end with a clear not-legal-advice note.
Does Privacy Check only cover websites and cookies?
No. Privacy Check covers websites, apps and mobile SDKs, newsletters, giveaways, events/webinars, leads/CRM, communities, chatbots, AI agents and RAG systems, shops/payment, courses, HR/recruiting and automations — each area has its own use-case module with the right questions and typical mistakes.
Does Privacy Check cover the EU AI Act?
Yes. For AI features Privacy Check screens the GDPR and the EU AI Act in parallel: prohibited practices (Art. 5), transparency duties for chatbots and synthetic content (Art. 50, from 2 Aug 2026), high-risk classification (Annex III, e.g. recruiting) and an integrated DPIA + FRIA — date-aware, including the 2026 Digital Omnibus that may defer the high-risk deadlines.
Does Privacy Check invent laws, deadlines or fines?
No. Privacy Check does not invent legal facts, deadlines, fines or sources. Because privacy law and platform rules change fast, it flags time-sensitive items as verify-current and uses a web tool, where available, to confirm the official source with a retrieval date.
Which AI tools does Privacy Check work with?
Claude (Projects & system prompt) · ChatGPT (Custom GPT & Custom Instructions) · Any LLM · Native UI (buttons/forms) where available, Markdown fallback otherwise · Optional: web tool to verify current legal/platform sources
How do I use Privacy Check?
Privacy Check is a SKILL.md in the open agentskills.io standard: install it with one command (npx) or download it and add it to your AI tool — Claude (Projects), ChatGPT (Custom GPT), Cursor, Copilot, Gemini CLI and more. No code needed.