Publishers, compliantly read in Europe.
Digital media sits across two EU regimes simultaneously: GDPR for subscriber and audience data, DSA for comments and moderated content. We file the Art. 27 representative, operate the Art. 16 notice endpoint, host the DSR inbox, and provide the public trust page your newsroom links to when readers ask what happens with their data. Your CMP of choice — Cookiebot, Usercentrics, OneTrust — sits alongside; we integrate rather than replace it.
What applies where.
Digital media sits at the intersection of three distinct regimes — each with its own supervisory authority, enforcement appetite, and typical complaint pattern. We operate all three from one desk.
Cookies & trackers
Every non-strictly-necessary tracker needs prior, informed, specific consent. You run this through a dedicated CMP; we sit alongside, not on top.
- Bring your own CMP · Cookiebot, Usercentrics, OneTrust
- Your consent records feed into our sub-processor list
- We draft the cookie policy & tracker disclosures
- Our consent layer is on the roadmap, not live yet
Readers & subscribers
Subscriber accounts, newsletter lists, payment data, behavioural profiles — all personal data with processing purposes and retention limits.
- Named Art. 27 Representative in the EU
- Hosted DSR inbox with 30-day SLA
- Privacy notice published + versioned
- Named DPO if large-scale monitoring
Comments & moderation
If your site hosts user comments, reader submissions, forum threads, or user-generated contributions — the DSA's hosting-services duties apply.
- Named Art. 13 representative in the EU
- Public Art. 16 notice-and-action endpoint
- Statement of Reasons for every moderation call
- Annual Art. 15 transparency report
Reader request to audit, in one flow.
Every reader interaction that touches privacy — a DSR, a comment dispute, a notice to your newsroom, a DPA inbound — runs through the same pipeline. Each stage is an artefact we operate.
Reader submits a DSR
Via the hosted privacy page: access, erasure, portability, objection, rectification. Auto-routed to the right internal team with our 30-day deadline timer attached.
Identity verified, scope set
We verify the requester, scope the data pull to the right subscriber record, and flag any special-category concerns (journalistic sources, minors, sensitive subjects).
Response drafted & sent
Data package, erasure confirmation, or reasoned denial — drafted in the reader's language, signed by the controller, delivered through the hosted portal.
Reader complains to a DPA
When it happens (and with a newsroom audience, it will), the DPA writes to our Art. 27 address. Our counsel answers in your name with the full evidence trail.
Auditor asks for proof
Single export: DSR timeline, response artefact, sub-processor register, incident log, transparency report. Answer time: minutes, not weeks.
Publisher DSR volume is real. Subscription-facing newsrooms see 10–100x the DSR volume of a typical SaaS — audiences are larger, regulatory awareness is higher, and a meaningful slice of readers are journalists who know the rules. The hosted inbox is built to scale through that.
Your editorial team stays out of it. We handle the intake, verification, and response drafting. Your editorial leadership gets involved only on the hard cases — a journalistic-source request, a reader trying to unpublish a correction they objected to, a high-profile right-to-be-forgotten claim.
The complaint wall. When a reader complains to a DPA, we get the first call. With the signed DSR log and the incident register, our counsel answers in your name. Most complaints close at first response; a few escalate; we carry them.
The four products every publisher runs.
Privacy Center and GDPR Rep are the two that apply to every EU-facing publisher. DSA Rep turns on the moment your site accepts comments. DPO becomes mandatory at subscriber scale.
Privacy Center
Hosted trust hub · DSR inbox · versioned policies · sub-processor registry · incident log.
GDPR Representative
Art. 27 rep · DPA correspondence · ROPA builder · UK GDPR add-on for cross-market publishers.
DSA Representative
Art. 13 rep · Art. 16 notice endpoint · Statement-of-Reasons filings · Art. 15 transparency.
Data Protection Officer
Required at large-scale systematic monitoring — which most EU-facing publishers cross on reader count alone.
AI Act Representative
If your feed, homepage, or push notifications use an AI recommender — Art. 22 obligations kick in.
NIS 2 Representative
Some large publishers host other media's content (syndication). NIS 2 can apply — we'll check on the call.
What publisher heads of product ask first.
Do you run the cookie consent banner for us?
Not yet. Consent is on our roadmap but isn't live today. Most publishers we work with run a dedicated CMP — Cookiebot, Usercentrics, OneTrust — and we sit alongside it. We draft the cookie policy and tracker disclosures; the CMP runs the banner and logs consent; our Privacy Center hosts the hub the banner links to. If the current banner has legal exposure (accept-all-only designs are now flagged by CNIL, Garante, and others), we'll say so on the discovery call and recommend a CMP that fixes it.
Does the DSA actually apply to a news site?
The editorial content doesn't trigger DSA hosting duties — a journalist's article isn't user-generated content. But almost every news site accepts reader comments, letters to the editor, or forum submissions. That is hosting content at the direction of third parties, and the Art. 13 / Art. 16 / Art. 17 duties apply to those sections of the site.
What's the deal with TCF 2.2?
IAB Europe's Transparency & Consent Framework v2.2 is the ad-tech industry's shared consent-string standard. It's not legally required — it's an industry convention — but practically, if you want your ad inventory to work across SSPs and DSPs, your CMP needs to emit a valid TCF string. We don't run the CMP ourselves today; the major providers (Cookiebot, Usercentrics, OneTrust, Didomi) all emit valid TCF 2.2, and we integrate with them.
Do we need a DPO if we just have a newsletter?
A newsletter alone rarely triggers the Art. 37 mandatory-DPO thresholds. A subscription publisher with tens of thousands of paying subscribers usually does — "large-scale systematic monitoring" includes behavioural profiling of audience engagement. If your buyers (or your legal exposure) ask, having one is usually cheaper than arguing about whether you need one.
What if we're a podcast, streaming, or non-comment publisher?
You're still in scope for ePrivacy and GDPR: every reader's or listener's data is personal data. DSA obligations mostly don't apply unless you host third-party submissions. Many streamers run with just Privacy Center + GDPR Rep; if you add commenting, playlists, or user uploads, DSA turns on.
What about AI-generated articles or personalised feeds?
AI-generated content adds transparency obligations (Art. 50 of the AI Act — "this content was generated or altered with AI"). A personalisation engine that materially steers what readers see can hit the AI Act as a "limited-risk" system, which means disclosing that AI is at work. Our AI Act rep product covers both.
Your newsroom, compliantly read.
30-minute discovery call. We'll audit your DSR volume, comment footprint, CMP setup, and AI usage — and scope the publisher stack in writing.