Live in Europe before your first EU visitor.
The moment a product lands on .com, EU users land with it. GDPR Article 27 kicks in at the first non-EU company serving EU residents — not at the first paying customer, not at the first marketing campaign. We appoint the representative, stand up your Privacy Center, and publish your privacy notice — typically in 48 hours. You launch compliant, not apologetic.
The moment EU users see your product, these apply.
Launching to Europe from outside the EU triggers multiple regimes at once — and none of them forgive "we're pre-revenue" or "we're just testing". Here's what's legally on from the first visitor.
Art. 27 Representative — required
Every non-EU company processing EU personal data (which is nearly every SaaS, every mobile app, every e-commerce product) must designate a representative in writing, in the EU, before processing begins.
Privacy notice + DSR intake
You need a published privacy notice in each relevant language and a working channel for data-subject requests (access, erasure, portability) with a 30-day SLA — from the first visitor, not the first customer.
Art. 13 Representative + notice endpoint
If EU users can post, list, buy, or sell on your product — marketplaces, forums, UGC, review sites — you need a named EU legal representative and a working notice-and-action endpoint.
Art. 22 Representative + Annex IV file
Providers of high-risk AI systems and GPAI models above the compute threshold must appoint an EU authorised representative and maintain an Annex IV technical file.
Signed Monday. Live Wednesday.
For a standard pre-launch SaaS, this is the default cadence. More complex products (AI Act, DSA VLOP scale, regulated verticals) add days — but the Art. 27 piece always lands first.
MSA + Art. 27 mandate signed
One-page mandate per product, plus the master service agreement.
GDPR Representative filed
Our EU entity is your Art. 27 contact. Address goes on your privacy policy.
Privacy Center hosted
privacy.yourdomain.com with DSR inbox, policies, sub-processors, consent.
Privacy notice & sub-processor list
Notice drafted in your reader languages, sub-processor register published, CMP integration brief for your ad-tech team.
Launch-ready sign-off
Compliance checklist cleared, named lead on Slack, handover documents filed.
Hours 0–12 are legal. You sign a one-page Art. 27 mandate, our EU counsel files us as your representative, and the address goes on your privacy policy.
Hours 12–36 are technical. We spin up privacy.yourdomain.com, wire the DSR inbox to our desk, publish your privacy notice + sub-processor register, and hand your ad-tech team an integration brief for whichever CMP you're using.
Hours 36–48 are handover. One Slack channel, one named lead, one monthly summary — and a clean compliance artifact you can show to any enterprise buyer who asks "are you GDPR-ready?"
Two products cover most launches.
For a plain-vanilla SaaS shipping to EU users, two products clear the Day-0 bar: GDPR Representative + Privacy Center. Add specialty representations only if the regulation applies to your shape of product.
GDPR Representative
Article 27 coverage · named EU entity · DPA correspondence in 24 languages · ROPA builder.
Privacy Center
Hosted trust hub at privacy.yourdomain.com · DSR inbox · versioned policies · sub-processor register.
DSA Representative
Article 13 rep · notice-and-action endpoint · statement-of-reasons filings · transparency reports.
AI Act Representative
Article 22 · Annex IV technical file · conformity assessment · post-market monitoring.
NIS 2 Representative
Article 26 rep · 24 / 72 h incident reporting · risk management framework · board training.
GPSR Representative
Article 16 responsible person · Safety Gate monitoring · marketplace compliance · recall playbooks.
What pre-launch founders ask us first.
Do we really need Art. 27 before our first paying EU customer?
Yes — GDPR applies to processing, not purchasing. The moment your site loads analytics for a visitor in France or your sign-up form collects an email from Germany, you're processing EU personal data. Article 27 applies to any non-EU controller or processor "regularly" targeting the EU. Waiting for paid conversion is a compliance posture that doesn't hold up under DPA scrutiny.
What if we're still pre-revenue?
Revenue is irrelevant to the obligation. DPAs have fined companies that weren't monetized — free analytics, a newsletter signup, or a login form is enough to trigger GDPR. The good news: our pre-launch pricing starts at the same $127 / mo as any other customer. There's no penalty for being early.
How fast is "in 48 hours" actually?
For a standard SaaS with no AI or UGC: signed Monday, live Wednesday. GDPR Representative filing is same-day. Privacy Center with DSR inbox and privacy notice goes live within 36 hours. The 48-hour number is the full compliance-live milestone — including DPA notification if one is required.
Do we need a separate rep in every member state?
No. One Art. 27 representative in one EU member state covers all 27. Our entity sits in Croatia and is on record in every DPA across the EU. You get one address, one contact, one response protocol — not twenty-seven.
What about the UK?
UK GDPR is separate from EU GDPR and requires its own representative if you serve UK residents. We cover both EU and UK as add-ons to the same engagement — same terms, same desk, one invoice.
Can we self-serve the Privacy Center without a call?
Privacy Center starts free and can be stood up same-day. The GDPR Representative piece needs a brief call — usually 20 minutes — because the mandate is a legal appointment that requires a conversation, not a checkout flow.
Your launch, compliant on Day 0.
30-minute discovery call. We'll look at your launch date, your product shape, and scope the Day-0 stack in writing — usually within the same day.