Does GDPR apply to your SaaS?
Find your role, risk tier, and next obligations.
This is a structured applicability and risk triage tool built from RuleMesh's citation-backed GDPR requirement model. It is designed for SaaS, product, and engineering-led teams, not for generic legal blog traffic.
Applicability, likely role, risk tier, and the engineering obligations that follow.
Structured determination from RuleMesh's own requirement model, not a freeform LLM answer.
Not legal advice. This is a triage tool that helps technical teams scope the work correctly.
Step 1. Material scope and territorial scope.
GDPR applies when you process personal data and at least one territorial trigger places the activity inside scope.
Do you process personal data?
Collecting names, emails, IP addresses, cookies, or any data that can identify a person, including structured paper records.
Art. 2(1)
Are you established in the EU/EEA?
Having an office, branch, subsidiary, or any stable arrangement in an EU/EEA member state.
Art. 3(1)
Do you offer goods or services to people in the EU/EEA?
Website in EU languages, accepting EUR, referencing EU customers, shipping to EU addresses, or EU-targeted advertising.
Art. 3(2)(a)
Do you monitor the behaviour of people in the EU/EEA?
Tracking individuals online, cookies, fingerprinting, location tracking, or profiling them to predict preferences or behaviour.
Art. 3(2)(b)