The moment a product lands on .com, EU users land with it. GDPR Article 27 kicks in as soon as a non-EU company serves EU residents, not at the first paying customer and not at the first marketing campaign. We appoint the representative, stand up your Privacy Center, and publish your privacy notice — typically in 48 hours. You launch compliant, not apologetic.
Launching to Europe from outside the EU triggers multiple regimes at once — and none of them forgive "we're pre-revenue" or "we're just testing". Here's what legally applies from the first visitor.
Every non-EU company processing EU personal data (which is nearly every SaaS, every mobile app, every e-commerce product) must designate a representative in writing, in the EU, before processing begins.
You need a published privacy notice in each relevant language and a working channel for data-subject requests (access, erasure, portability) with a 30-day SLA — from the first visitor, not the first customer.
If EU users can post, list, buy, or sell on your product — marketplaces, forums, UGC, review sites — you need a named EU legal representative and a working notice-and-action endpoint.
Providers of high-risk AI systems and GPAI models above the compute threshold must appoint an EU authorised representative and maintain an Annex IV technical file.
For a standard pre-launch SaaS, this is the default cadence. More complex products (AI Act, DSA VLOP scale, regulated verticals) add days — but the Art. 27 piece always lands first.
One-page mandate per product, plus the master service agreement.
Our EU entity is your Art. 27 contact. Address goes on your privacy policy.
privacy.yourdomain.com with DSR inbox, policies, sub-processors, consent.
Notice drafted in your reader languages, sub-processor register published, CMP integration brief for your ad-tech team.
Compliance checklist cleared, named lead on Slack, handover documents filed.
Hours 0–12 are legal. You sign a one-page Art. 27 mandate, our EU counsel files us as your representative, and the address goes on your privacy policy.
Hours 12–36 are technical. We spin up privacy.yourdomain.com, wire the DSR inbox to our desk, publish your privacy notice + sub-processor register, and hand your ad-tech team an integration brief for whichever CMP you're using.
Hours 36–48 are handover. One Slack channel, one named lead, one monthly summary — and a clean compliance artifact you can show to any enterprise buyer who asks "are you GDPR-ready?"
For a plain-vanilla SaaS shipping to EU users, two products clear the Day-0 bar: GDPR Representative + Privacy Center. Add specialty representations only if the regulation applies to your shape of product.
Article 27 coverage · named EU entity · DPA correspondence in 24 languages · ROPA builder.
Hosted trust hub at privacy.yourdomain.com · DSR inbox · versioned policies · sub-processor register.
Article 13 rep · notice-and-action endpoint · statement-of-reasons filings · transparency reports.
Article 22 · Annex IV technical file · conformity assessment · post-market monitoring.
Article 26 rep · 24 / 72 h incident reporting · risk management framework · board training.
Article 16 responsible person · Safety Gate monitoring · marketplace compliance · recall playbooks.
Yes — GDPR applies to processing, not purchasing. The moment your site loads analytics for a visitor in France or your sign-up form collects an email from Germany, you're processing EU personal data. Article 27 applies to any non-EU controller or processor "regularly" targeting the EU. Waiting for paid conversion is a compliance posture that doesn't hold up under DPA scrutiny.
Revenue is irrelevant to the obligation. DPAs have fined companies that weren't monetized — free analytics, a newsletter signup, or a login form is enough to trigger GDPR. The good news: our pre-launch pricing starts at the same $127 / mo as any other customer. There's no penalty for being early.
For a standard SaaS with no AI or UGC: signed Monday, live Wednesday. GDPR Representative filing is same-day. Privacy Center with DSR inbox and privacy notice goes live within 36 hours. The 48-hour number is the full compliance-live milestone — including DPA notification if one is required.
No. One Art. 27 representative in one EU member state covers all 27. Our entity sits in Croatia and is on record in every DPA across the EU. You get one address, one contact, one response protocol — not twenty-seven.
UK GDPR is separate from EU GDPR and requires its own representative if you serve UK residents. We cover both EU and UK as add-ons to the same engagement — same terms, same desk, one invoice.
Privacy Center starts free and can be stood up same-day. The GDPR Representative piece needs a brief call — usually 20 minutes — because the mandate is a legal appointment that requires a conversation, not a checkout flow.
30-minute discovery call. We'll look at your launch date, your product shape, and scope the Day-0 stack in writing — usually within the same day.