Privacy scan report — brightleaf.example
Vantage: EU — France (Paris) · egress region cdg1 · egressMatched: true
Assessed against Dxtra Privacy Scanner Methodology v1.8 · 48 finding types · 10 commendable practice types · NIST Privacy Framework v1.1 + ISO/IEC 27701:2025 anchoring.
EU vantage chosen because the storefront ships to the EU. Absence of a finding from this vantage is not evidence of compliance in another jurisdiction.
2 high, 5 medium, 1 low — high privacy risk, driven by tracking before consent.
We reviewed brightleaf.example across its public pages, a live browser session and the substance of its privacy notice using our Surface, Browser and Policy AI agents. The High band is driven by advertising and analytics pixels that fire before any consent interaction, alongside a privacy notice that is materially out of date and a contact form that collects personal data with no notice at the point of collection. The consent platform is installed but is not gating non-essential tags. Together these are the gaps a regulator would expect a storefront shipping internationally to have closed.
With Dxtra’s Tag & Consent Management, Notices, Processors and Processing Activity Log capabilities in place, every high-severity and most medium-severity findings above would close inside the first onboarding cycle. The 91-point projection assumes the in-product capabilities not externally visible from this scan (such as a DPIA or a breach-response plan) are configured alongside. The risk band, not the number, is the headline.
- Gate your tags behind consent — Meta, Google Ads and GA4 all fire before any consent choice; the Consentmo banner is installed but isn’t blocking them.
- Refresh the privacy notice — it’s 30 months old and no longer describes how data is actually used.
- Add a notice at the contact form — it collects name and email with no privacy notice at the point of collection.
✓ A maintained sub-processor list and a dedicated privacy subdomain are above-baseline practices worth keeping.
Scored against 2 regimes detected on your public surface.
A GDPR (EU) and UK GDPR nexus was detected from the storefront’s shipping destinations and notice references — so EU/UK expectations frame how consent, rights handling and transfers should be documented.
Cross-jurisdictional sites are scored against the most stringent applicable regime. Findings are anchored to the most stringent applicable control framework (commonly GDPR / EDPB) as the benchmark, even where the detected nexus differs.
Target-market caution (informational — not scored): the site’s content suggests it also serves clients connected to the US. Those regimes can apply to the individuals whose data you handle even if your establishment is elsewhere. Worth verifying with a privacy professional — this is a caution, not a finding, and does not affect the band.
Live-chat caution (informational — not scored): a chat / conversational widget (Intercom) was detected. These routinely collect personal data in-conversation — verify it shows a pre-engagement privacy notice before collecting data and names the provider as a processor.
10 findings — each with its regulator source and the Dxtra capability that closes it.
6 third-party tags the Browser Agent observed — and when each fired.
Each row is a non-essential third-party host the Browser Agent saw load. Pre-consent means it fired before any consent choice was made; Post-reject means it only fired after a simulated “Reject All”. This is the observed evidence behind the tracker findings above.
| Host | Category | Consent state | Identifier |
|---|---|---|---|
| analytics.google.com | Analytics (Google) | Pre-consent | G-BL4F2026 · gcs=G111 |
| connect.facebook.net | Advertising (Meta Pixel) | Pre-consent | — |
| googleads.g.doubleclick.net | Advertising (remarketing) | Pre-consent | gcs=G111 |
| googleadservices.com | Advertising (Google Ads) | Pre-consent | AW-31407742261 |
| static.klaviyo.com | Klaviyo · Email/SMS marketing | Pre-consent | Q8R2vT |
| googletagmanager.com | Tag manager | Pre-consent | GTM-BLF42 |
How the count breaks down — pre-consent tracker requests by category: Advertising ×18 · Analytics (Google) ×14 · Email/SMS marketing ×7 · Tag manager ×4. A more stable figure is the 6 distinct recognised tracker hosts listed here: the per-run request total (43) swings from run to run, while that host set barely changes.
Identifiers (e.g. G-…, AW-…) are extracted by the Browser Agent from each tag’s request URL; the Google Consent Mode gcs value is the consent state sent with the beacon (e.g. G111 = ad and analytics storage treated as granted before any choice). Hosts shown were observed on the homepage from the EU — France (Paris) vantage on this run; tags fire per-page and probabilistically, so the count varies by page, vantage and run.
3 other third-party hosts observed — not counted toward findings.
These loaded from a third party but Dxtra hasn’t promoted them into the scored tracker set. Recognised hosts are named from Dxtra’s catalogue; the rest are unclassified (and may be benign infrastructure). Either way they’re shown for transparency and do not affect your risk band or finding count. Any host here that receives personal or location data and isn’t named in your privacy notice is relevant to finding M3 (processors not named).
| Host | Category | Consent state |
|---|---|---|
| swymrelay.com | Unclassified | Pre-consent |
| cdn.judge.me | Unclassified | Pre-consent |
| instafeed.nfcube.com | Unclassified | Post-reject |
2 above-baseline signals worth recognising.
A prioritised, track-assigned plan to close the findings above.
Ordered by track, then severity. The Developer track is consent and tag work; the Legal / DPO track is notice and governance work. Each step lists the finding IDs it closes, so the checklist and the findings list stay in sync. Effort is indicative (S / M / L).
| Step | Track | Closes | Effort | Owner |
|---|---|---|---|---|
| Gate advertising tags until opt-in; set Consent Mode default to denied; connect the CMP to the tag manager. | Developer | F7, M2, L4 | M | Developer |
| Publish the referenced standalone cookie policy. | Developer | L1 | S | Developer |
| Regenerate the privacy notice from current processing; re-date it. | Legal | F2 | M | DPO / Legal |
| Name material processors (Swym, Judge.me, Klaviyo) and add cross-border transfer disclosures + a mechanism per destination. | Legal | M3, M9 | M | DPO / Legal |
| Add a point-of-collection notice to every personal-data form. | Legal | M30 | S | DPO / Legal |
| Disclose how GPC / universal opt-out signals are handled. | Legal | M13 | S | DPO / Legal |
| Stand up a Processing Activity Log (ROPA) covering controllers and processors. | Legal | M10 | L | DPO / Legal |
This checklist is generated from the findings above and is a starting point, not legal advice. Sequence and ownership may differ for your organisation.
How your public surface maps to the 13 Dxtra capability areas.
Each area shows one of three states. Gap — the scan surfaced a finding on your public surface. Evidenced — an above-baseline practice was visible. Not assessed — nothing was visible either way, which is not a pass: the scan cannot see internal records, contracts, or anything behind a login, so absence of a finding is not evidence of compliance.
| Capability | Status | What the scan saw |
|---|---|---|
| Notices, Policies & Agreements | Gap | Gap — F2, M30 |
| Tag Management | Gap | Gap — F7, M2, L1 |
| Consents | Gap | Gap — M13 |
| Rights Management | Evidenced | DSAR page and privacy@ contact found |
| Data Subject Support | Not assessed | Nothing visible on the public surface — not a pass |
| Processors | Gap | Gap — M9 (and M3, informational) |
| Processing Activity Log | Gap | Gap — M10 |
| Data Mapping & Profiling | Not assessed | Nothing visible on the public surface — not a pass |
| Assessments (DPIA/PIA) | Not assessed | Nothing visible on the public surface — not a pass |
| Breach & Incident Report | Not assessed | Nothing visible on the public surface — not a pass |
| Transparency Center | Evidenced | Privacy hub on a dedicated subdomain (C1) |
| Settings — Compliance Framework | Not assessed | Nothing visible on the public surface — not a pass |
| AI & Data-Use Governance | Not assessed | Nothing visible on the public surface — not a pass |
How the risk band is reached.
The headline is the risk band (Low / Medium / High), set by the count of confirmed high- and medium-severity findings under Methodology v1.8 Appendix B. The 27/100 figure is a secondary capability-maturity indicator showing distance to the 91/100 verified-badge threshold — it is not the headline and not a regulatory determination. A low score — including 0/100 — is a genuine reading, not an error: it means the scan found few or no privacy controls on the public surface to credit. Commendable practices are recognised but never move the band.
Your free scan showed 31/100; this full report shows 27/100. The number is lower because the deeper policy analysis surfaced additional findings the free surface pass could not confirm — the risk band is unchanged (High).
About this report
What this is. An automated privacy-compliance diagnostic of your public surface, scored against the Dxtra Privacy Scanner Methodology v1.8 (anchored to the NIST Privacy Framework v1.1, ISO/IEC 27701 and ENISA). It reads what a regulator would read — your public pages, live cookie and tracker behaviour, and your privacy notice (often labelled “Privacy Policy”) — and returns a Low / Medium / High risk band, never a single vanity score.
What it produced. Each finding above is mapped to a named regulator source and to the Dxtra capability that closes it, with a projected risk band once the gaps are remediated. Use it as a practical starting point for building or strengthening a privacy compliance programme that meets modern data-protection obligations — for example GDPR and UK GDPR, CCPA/CPRA, Singapore/Malaysia/Thailand PDPA, Brazil’s LGPD and other regimes as they apply to you.
Use of AI. Parts of this analysis are produced by AI — Dxtra’s agents read and interpret your public pages and privacy notice. AI output is grounded in named regulator sources and checked against the methodology, but automated analysis can still miss context or make mistakes. Treat every finding as an indicator to verify, not a verdict.
What it is not. This is not legal advice and not a determination that any law has been breached. The scanner sees only your public surface — it cannot see your contracts, internal records, processing purposes, or anything behind a login, so the absence of something here is a prompt to check, not proof of non-compliance.
Data we keep. The scan reads only public information. To produce your full report we briefly retain the text of your public privacy notice and the scan results server-side — the notice text for up to 7 days, your report for up to 30 days so your link keeps working — after which they expire automatically. The notice text is used only to generate your report and is never published.
Findings are observed from a specific vantage (EU — France (Paris)). A clean result from one vantage is reported as “not observed from this vantage”, never as “compliant” — the experience under another regime may differ. Where a site rate-limits or blocks automated access, the scan is returned as preliminary and access-limited. For material decisions, consult a qualified privacy professional. Tracker and consent evidence is attributed to Dxtra’s Browser Agent; deep policy analysis to Dxtra’s Policy AI.