Ott Ristikivi

Apr 09, 2026 • 2 min read

SaaS founders: when a “quick GDPR check” should be a runtime audit (and how to buy one without a subscription)

Policy text and a cookie banner don’t prove behaviour. Here’s what we check, what a one-off report gives you, and when it’s worth €395 before your next launch or fundraise.

The boring problem every SaaS has

You move fast: landing site, product app, docs, marketing stack. Someone adds Google Analytics, Meta Pixel, chat widgets, A/B tools — often before consent flows are airtight.

From the outside it looks fine: you have a privacy policy and a banner. Maybe even a CMP installed.

From the browser’s point of view, the story can be different: requests and storage before meaningful consent, third parties you didn’t intend, “unknown” cookies that never made it into your cookie table.

That gap is what regulators and sharp buyers care about — behaviour, not declarations.

Why static scans hit a ceiling

Checklists and static crawlers can list what they see on a page load. They struggle with:

- What fires before accept/reject
- Dynamically loaded trackers
- Real network timing and third-party data flows

So you can get a green-ish inventory and still carry real compliance exposure.

What “runtime auditing” means (in one paragraph)

SecureSpells drives a real browser (Playwright / Chromium), watches network + cookies + script behaviour, and scores findings against a large check registry — so you get evidence-backed output, not “probably fine.”
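An added example (not SecureSpells' code) of the pre-consent capture described above, also covering the static-scan gaps listed earlier: drive headless Chromium with Playwright, never touch the banner, record every request and cookie, then classify them against the site's own domain. The allowed-host set, the declared-cookie list and the example.com hostnames are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical inputs for your own site: hosts you deliberately allow before
# consent (e.g. your own CDN) and the cookie names listed in your cookie table.
ALLOWED_PRE_CONSENT_HOSTS = {"cdn.example.com"}
DECLARED_COOKIES = {"sid", "_ga"}

def registrable_domain(host: str) -> str:
    """Rough eTLD+1 (last two labels); use a public-suffix list in production."""
    parts = host.lower().lstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def classify(site_url: str, request_urls: list, cookies: list) -> dict:
    """Flag third-party requests and foreign/undeclared cookies seen before consent."""
    site_domain = registrable_domain(urlsplit(site_url).hostname or "")
    third_party = []
    for url in request_urls:
        host = urlsplit(url).hostname or ""
        if registrable_domain(host) != site_domain and host not in ALLOWED_PRE_CONSENT_HOSTS:
            third_party.append(url)
    foreign = [c["name"] for c in cookies if registrable_domain(c["domain"]) != site_domain]
    undeclared = [c["name"] for c in cookies if c["name"] not in DECLARED_COOKIES]
    return {
        "third_party_requests": third_party,
        "foreign_cookies": foreign,
        "undeclared_cookies": undeclared,
        "clean": not (third_party or foreign or undeclared),
    }

def capture_pre_consent(site_url: str, settle_ms: int = 3000) -> dict:
    """Load the page in headless Chromium, never click the banner, record traffic."""
    from playwright.sync_api import sync_playwright  # pip install playwright && playwright install chromium
    seen = []
    with sync_playwright() as p:
        browser = p.chromium.launch()
        page = browser.new_page()
        page.on("request", lambda req: seen.append(req.url))  # includes dynamically injected tags
        page.goto(site_url, wait_until="networkidle")
        page.wait_for_timeout(settle_ms)  # give late-loading trackers time to fire
        cookies = page.context.cookies()
        browser.close()
    return classify(site_url, seen, cookies)

if __name__ == "__main__":
    import json, sys
    print(json.dumps(capture_pre_consent(sys.argv[1]), indent=2))
```

Anything in `third_party_requests` or `undeclared_cookies` is what a regulator or diligence reviewer would see before consent was ever given, regardless of what the policy says.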

We’re not a law firm and not a CMP — we help you see what the site does so you can fix it or brief counsel.

When a one-off full report is the right move

A One-Off Compliance Audit Report is for moments like:

- Pre-launch / big marketing push (“are we clean this week?”)
- Investor or enterprise diligence (“show me something defensible”)
- Post-incident or post-rewrite (“did we actually fix tracking?”)
- You’re not ready for continuous monitoring but need one deep, structured pass

€395 one-time — full runtime-style audit output and report artifacts without a subscription (see current details on the pricing page).

Free path: run a no-signup scan on https://securespells.com first if you want a taste of how findings look.

What you should not expect

- A legal sign-off (“you are compliant”) — that’s for your lawyer/DPO.
- Automatic fixing in production — we surface evidence and remediation guidance; your team implements.

CTA

1. Free runtime check: https://securespells.com
2. One-off deep report (pricing & checkout): https://securespells.com/#pricing

If you’re a founder and your question is “are we kidding ourselves on cookies and trackers?” — this is the shortest honest path to an answer with receipts.

Educational, not legal advice. For compliance decisions, involve qualified legal/privacy counsel.