
Privacy Policy Scanner

Privacy policies contain a wealth of information about a company’s AI and automated decision-making practices. TruthVouch’s Privacy Policy Scanner analyzes these documents using AI to automatically discover disclosed AI systems, identify regulatory gaps, and generate actionable compliance insights.

How It Works

The scanner uses a two-pass LLM analysis:

  1. Extraction Pass — Reads the privacy policy text and identifies all mentions of AI, automated decision-making, profiling, algorithmic processing, and similar technologies. For each discovered system, it extracts the system name, description, data types processed, legal basis, and a verbatim policy excerpt.

  2. Gap Analysis Pass — Compares the extracted disclosures against your active compliance frameworks (GDPR, EU AI Act, CCPA, and others) to identify missing or partial regulatory requirements. Each gap references the specific regulatory article.

What You Get

Discovered AI Systems

For each AI/automated processing system found in the policy:

| Field | Description |
| --- | --- |
| System Name | Inferred name (e.g., “Dynamic Pricing Engine”) |
| Description | What the system does, from policy text |
| System Type | Classification, recommendation, prediction, or generation |
| Data Types | Personal data categories processed |
| Legal Basis | Cited legal basis (consent, legitimate interest, etc.) |
| Decision Type | Fully automated, automated with human review, or human-assisted |
| Third Party | Whether the system is provided by a third party |
| Confidence | 0.0 – 1.0 extraction confidence score |

Each discovered system can be one-click registered in your AI System Registry, pre-populated with all extracted metadata.

Regulatory Gap Analysis

For each active compliance framework, the scanner checks disclosure requirements:

| Framework | Key Requirements Checked |
| --- | --- |
| GDPR | Art. 13(2)(f) disclosure of automated decision-making and the logic involved, Art. 22 right to human intervention and to contest the decision, Art. 35 DPIA for high-risk processing |
| EU AI Act | Art. 13 transparency and provision of information to deployers for high-risk systems, Art. 50 transparency obligations for certain AI systems (e.g., chatbots, synthetic content), Art. 53 obligations for providers of general-purpose AI models |
| CCPA | § 1798.185(a)(16) automated decision-making and profiling regulations, § 1798.100 right to know, § 1798.120 opt-out of sale or sharing |

Each gap is classified by severity:

  • Critical — Missing a required disclosure (e.g., a solely automated decision under GDPR Art. 22 that the policy does not disclose as required by Art. 13(2)(f))
  • Warning — Partial disclosure that may not meet regulatory standards
  • Info — Best-practice recommendations

Completeness Score

An overall score from 0.0 to 1.0 indicating how complete the privacy policy’s AI disclosures are relative to the checked frameworks.
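To make the gap-analysis pass, the severity classes and the completeness score concrete, here is an added example in Python. It is not TruthVouch's code: the requirement checklist, the `disclosures` field (a set of disclosure elements the extraction pass is assumed to tag in each excerpt), the confidence threshold and the scoring rule (share of applicable requirements satisfied) are all assumptions made for illustration. It takes structured records shaped like the Discovered AI Systems table, filters the checklist to the active frameworks, and flags low-confidence extractions for manual review instead of scoring them, so that a wrong extraction does not silently produce wrong gaps.

```python
"""Illustrative gap-analysis pass over extracted AI-system records (added example, not product code)."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class DiscoveredSystem:
    """One row of the Discovered AI Systems table, as an extraction pass might emit it."""
    name: str
    system_type: str            # classification | recommendation | prediction | generation
    data_types: list
    legal_basis: Optional[str]
    decision_type: str          # fully_automated | automated_with_human_review | human_assisted
    third_party: bool
    confidence: float           # 0.0 - 1.0 extraction confidence
    # Assumed extra field: disclosure elements the extraction pass found in the excerpt.
    disclosures: set = field(default_factory=set)


@dataclass(frozen=True)
class Requirement:
    framework: str
    article: str
    severity: str               # critical | warning | info
    applies: Callable[[DiscoveredSystem], bool]
    satisfied: Callable[[DiscoveredSystem], bool]
    message: str


@dataclass(frozen=True)
class Gap:
    system: str
    framework: str
    article: str
    severity: str
    message: str


SPECIAL_CATEGORIES = {"health", "biometric", "genetic"}


def _solely_automated(s: DiscoveredSystem) -> bool:
    return s.decision_type == "fully_automated"


# Hypothetical checklist: when a requirement applies to a system, and which disclosure satisfies it.
REQUIREMENTS = [
    Requirement("GDPR", "Art. 13(2)(f)", "critical", _solely_automated,
                lambda s: "logic" in s.disclosures,
                "solely automated decision disclosed without meaningful information about the logic involved"),
    Requirement("GDPR", "Art. 22(3)", "critical", _solely_automated,
                lambda s: "contest" in s.disclosures,
                "no right to human intervention or to contest the decision"),
    Requirement("GDPR", "Art. 13(1)(c)", "warning", lambda s: True,
                lambda s: s.legal_basis is not None,
                "no legal basis stated for the processing"),
    Requirement("GDPR", "Art. 35", "warning",
                lambda s: _solely_automated(s) and bool(SPECIAL_CATEGORIES & set(s.data_types)),
                lambda s: "dpia" in s.disclosures,
                "automated processing of special-category data with no DPIA reference"),
    Requirement("EU AI Act", "Art. 50", "critical",
                lambda s: s.system_type == "generation",
                lambda s: "ai_interaction" in s.disclosures,
                "users are not told they are interacting with an AI system"),
    Requirement("GDPR", "Art. 13(1)(e)", "info", lambda s: s.third_party,
                lambda s: "provider" in s.disclosures,
                "third-party provider not named; categories of recipients suffice, naming it is best practice"),
]


def analyze(systems, active_frameworks, min_confidence=0.5):
    """Second pass: return (gaps, completeness) for the active frameworks only.

    Completeness is the share of applicable requirements that are satisfied.
    Systems below min_confidence get an Info gap and are not scored.
    """
    reqs = [r for r in REQUIREMENTS if r.framework in active_frameworks]
    gaps, applicable, satisfied = [], 0, 0
    for s in systems:
        if s.confidence < min_confidence:
            gaps.append(Gap(s.name, "n/a", "n/a", "info",
                            f"extraction confidence {s.confidence:.2f} below {min_confidence}; verify before acting"))
            continue
        for r in reqs:
            if not r.applies(s):
                continue
            applicable += 1
            if r.satisfied(s):
                satisfied += 1
            else:
                gaps.append(Gap(s.name, r.framework, r.article, r.severity, r.message))
    completeness = round(satisfied / applicable, 2) if applicable else 1.0
    return gaps, completeness


def severity_counts(gaps):
    counts = {"critical": 0, "warning": 0, "info": 0}
    for g in gaps:
        counts[g.severity] += 1
    return counts


# Constructed sample output of an extraction pass (not taken from any real policy).
SAMPLE_SYSTEMS = [
    DiscoveredSystem("Dynamic Pricing Engine", "prediction", ["browsing history", "purchase history"],
                     "legitimate interest", "fully_automated", False, 0.82, {"logic"}),
    DiscoveredSystem("Support Chatbot", "generation", ["support messages"], None,
                     "human_assisted", True, 0.91, {"ai_interaction"}),
    DiscoveredSystem("Health Risk Scorer", "classification", ["health", "age"], "consent",
                     "fully_automated", False, 0.35, set()),
]

if __name__ == "__main__":
    found, score = analyze(SAMPLE_SYSTEMS, {"GDPR", "EU AI Act"})
    for g in found:
        print(f"[{g.severity}] {g.system} / {g.framework} {g.article}: {g.message}")
    print("completeness:", score, severity_counts(found))
```

With both frameworks active the sample yields one Critical (the pricing engine discloses its logic but not the right to contest), one Warning (the chatbot cites no legal basis), two Info items and a completeness of 0.5; with GDPR alone the satisfied Art. 50 check drops out and the score falls to 0.4, which is why a score is only meaningful relative to the frameworks that were checked.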

Compliance Profile Hints

The scanner detects jurisdictions and data types mentioned in the policy and cross-references them against your compliance profile. For example:

  • “Policy mentions EU data subjects but EU AI Act is not enabled in your compliance profile”
  • “Policy references automated credit decisions — consider enabling PSD2 framework”

Entry Points

Standalone Page

Navigate to Compliance > Privacy Policy Scans to scan any URL on demand. Enter the privacy policy URL, select which frameworks to check against, and view results.

AI Systems Hub

From the AI Systems management hub, click Discover from Privacy Policy to scan a policy and register discovered systems.

During Onboarding

When onboarding a new client, the Source Review step identifies privacy-related URLs. Click Scan Privacy Policy next to any privacy policy source to run the analysis.

API

```bash
# Submit a privacy policy URL for scanning; $TOKEN holds your API bearer token.
curl -X POST https://api.truthvouch.ai/api/v1/compliance/privacy-policy-scans \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://example.com/privacy-policy"}'
```

Re-Scanning

Privacy policies change over time. Use the re-scan feature to periodically check for updated disclosures and new gaps. Each scan is stored as a separate record, allowing you to track changes over time.
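Because each scan is stored as a separate record, two records can be diffed to see what actually changed between re-scans. The Python below is an added example, not TruthVouch code; the record layout (`frameworks`, `completeness`, and a `gaps` list keyed by framework and article) and the two sample records are constructed for illustration. It keys gaps by (framework, article) so reworded messages do not register as churn, reports severity escalations and downgrades separately from new and resolved gaps, and restricts the comparison to frameworks checked in both scans, since a gap that appears only because a new framework was enabled is not a change in the policy.

```python
"""Diff two stored privacy-policy scan records (added example, not product code)."""
from dataclasses import dataclass

SEVERITY_RANK = {"info": 0, "warning": 1, "critical": 2}


@dataclass(frozen=True)
class ScanDiff:
    new: list               # (framework, article) gaps present only in the current scan
    resolved: list          # gaps present only in the previous scan
    escalated: list         # same gap, higher severity now
    downgraded: list        # same gap, lower severity now
    score_delta: float      # current minus previous completeness
    frameworks_changed: bool  # if True, score_delta is not like-for-like


def _gap_index(record, frameworks):
    """Map (framework, article) -> severity, restricted to the given frameworks."""
    return {(g["framework"], g["article"]): g["severity"]
            for g in record["gaps"] if g["framework"] in frameworks}


def diff_scans(previous, current):
    common = set(previous["frameworks"]) & set(current["frameworks"])
    prev, curr = _gap_index(previous, common), _gap_index(current, common)
    both = prev.keys() & curr.keys()
    return ScanDiff(
        new=sorted(k for k in curr if k not in prev),
        resolved=sorted(k for k in prev if k not in curr),
        escalated=sorted(k for k in both if SEVERITY_RANK[curr[k]] > SEVERITY_RANK[prev[k]]),
        downgraded=sorted(k for k in both if SEVERITY_RANK[curr[k]] < SEVERITY_RANK[prev[k]]),
        score_delta=round(current["completeness"] - previous["completeness"], 2),
        frameworks_changed=set(previous["frameworks"]) != set(current["frameworks"]),
    )


# Constructed sample records; shape and contents are assumptions for this example.
PREVIOUS_SCAN = {
    "scan_id": "scan-0001", "scanned_at": "2024-03-01",
    "frameworks": ["GDPR", "EU AI Act"], "completeness": 0.5,
    "gaps": [
        {"framework": "GDPR", "article": "Art. 22(3)", "severity": "critical"},
        {"framework": "GDPR", "article": "Art. 13(1)(c)", "severity": "warning"},
        {"framework": "EU AI Act", "article": "Art. 50", "severity": "critical"},
    ],
}
CURRENT_SCAN = {
    "scan_id": "scan-0002", "scanned_at": "2024-09-01",
    "frameworks": ["GDPR", "EU AI Act", "CCPA"], "completeness": 0.6,
    "gaps": [
        {"framework": "GDPR", "article": "Art. 22(3)", "severity": "warning"},   # partial disclosure added
        {"framework": "GDPR", "article": "Art. 35", "severity": "warning"},      # newly detected
        {"framework": "EU AI Act", "article": "Art. 50", "severity": "critical"},
        {"framework": "CCPA", "article": "\u00a7 1798.120", "severity": "warning"},  # new framework, ignored in diff
    ],
}

if __name__ == "__main__":
    d = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    print("new:", d.new, "resolved:", d.resolved)
    print("escalated:", d.escalated, "downgraded:", d.downgraded)
    print("score delta:", d.score_delta, "(frameworks changed)" if d.frameworks_changed else "")
```

On the sample records the Art. 13(1)(c) gap is resolved, Art. 35 is new, Art. 22(3) was downgraded from Critical to Warning, and the CCPA gap is left out of the comparison because CCPA was not checked in the earlier scan; `frameworks_changed` tells the reader that the 0.1 score improvement is not a like-for-like figure.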

Limitations

  • The scanner analyzes the text content of the page at the given URL. It does not follow links to sub-pages or supplementary documents.
  • Results are AI-generated and should be reviewed by a compliance professional before taking action.
  • Very long privacy policies are automatically truncated to fit within LLM context limits. Key content at the beginning of the document is prioritized.