VeracityGate
INTELLIGENCE DIVISION
CLASSIFICATION: PUBLIC SAMPLE
REF: VG-2026-05-17-SELF-AUDIT
◆ DEEP SCAN INTELLIGENCE REPORT - SELF AUDIT
2026 Compliance Gap Analysis
Prepared for: VeracityGate
Industry: Professional Services / Compliance Intelligence | Region: AU (primary) + US + EU
Report date: 17 May 2026
NOTE - PUBLIC SAMPLE REPORT
We audited ourselves before auditing anyone else. This is the actual VeracityGate Deep Scan - gaps identified, remediation actioned, and results documented. The gaps below were real. The fixes are underway or complete. This is what your report looks like.
01 - EXECUTIVE SUMMARY
This report presents the findings of a VeracityGate Deep Scan conducted on VeracityGate (ABN 77 456 982 100), a Professional Services / Compliance Intelligence business operating under the Australian Privacy Act 1988 (amended 2026) as its primary jurisdiction, with secondary exposure under GDPR and US FTC frameworks due to active marketing and service delivery to EU and US clients.
The assessment identified 6 compliance gaps requiring remediation before enforcement deadlines. Gaps are classified by severity and presented with a prioritised remediation pathway. As a compliance intelligence business, VeracityGate holds itself to the highest standard - and this report documents both the gaps found and the actions taken.
OVERALL RISK RATING: MEDIUM
MAX POTENTIAL EXPOSURE: $50M+ AUD
02 - REGULATORY FRAMEWORK
VeracityGate is registered in Queensland, Australia (ABN 77 456 982 100) and is subject to the Privacy Act 1988 (Cth) as primary law. The 2026 amendments introduce the most significant overhaul of Australian privacy law in a generation - including mandatory 72-hour breach notification, right to erasure, expanded definitions of personal information, and significantly increased penalties. As VeracityGate actively markets to and serves clients in the EU and US, secondary GDPR and FTC obligations also apply.
PRIMARY REGULATOR: OAIC (AU) + GDPR DPAs + FTC (US)
ENFORCEMENT DATE: Aug 2026 (US/EU) / Dec 2026 (AU)
GRACE PERIOD: None confirmed
03 - COMPLIANCE GAP FINDINGS
GAP 01 - CRITICAL: Privacy Policy - Incomplete Disclosures
Privacy Policy does not meet 2026 amendment requirements
A Privacy Policy link exists at pages/privacy-policy.html but the policy itself has not been verified to include the 2026-mandatory disclosures: overseas data transfer destinations (Zapier - US, Stripe - US, Botpress - US/EU), automated processing disclosures, retention periods, and the new right to erasure mechanism. All third-party processors currently operating on veracitygate.com must be named and their data handling described.
REGULATORY REFERENCE: Privacy Act 1988 s.13 APP 1, APP 8 - cross-border disclosure obligations
STATUS: Requires immediate update before first paying client onboards
GAP 02 - CRITICAL: Cookie Consent - Not Present
No cookie consent management platform detected on veracitygate.com
The site loads Google Fonts (external request to Google servers), Stripe.js (payment processor), and a Botpress webchat widget - all of which set or can set cookies and make cross-border data requests. No cookie consent banner or management platform is present. This is non-compliant under GDPR for EU visitors (mandatory prior consent), and non-compliant under AU 2026 amendments for Australian users where technical identifiers are now classified as personal information. Critically, VeracityGate serves EU and US clients as a stated jurisdiction - operating without consent management while doing so is a significant exposure.
REGULATORY REFERENCE: GDPR Art. 7 - Conditions for consent; Privacy Act 1988 (amended) - technical identifiers as personal information
STATUS: Requires immediate implementation - Cookiebot or equivalent recommended
GAP 03 - HIGH: Third-Party Processor Disclosure
Three undisclosed data processors active on the website
The following third-party data processors are currently active on veracitygate.com and processing visitor and client personal data, but are not disclosed in the privacy policy or terms: Zapier (receives name, email, region, timestamp from the homepage lead form and Deep Scan intake form - servers in the US), Stripe (processes payment data including name, email, card details - US-based), and Botpress (webchat widget collecting conversation data - US/EU servers). Under APP 8 and GDPR Art. 28, each must be identified, their location disclosed, and a Data Processing Agreement executed.
REGULATORY REFERENCE: Privacy Act 1988 APP 8 - cross-border disclosure; GDPR Art. 28 - processor contracts
STATUS: DPAs required with Zapier, Stripe, and Botpress before EU client onboarding
GAP 04 - HIGH: Right to Erasure - No Mechanism
No documented right to erasure or data deletion process
The 2026 AU Privacy Act amendments introduce a right to erasure for individuals whose personal data is held by a business. VeracityGate collects name, email, region, business details, and website URLs through its lead capture and intake forms. No documented erasure request process, dedicated contact address, or response SLA is present on the site or in the privacy policy. For EU clients, this is already a GDPR requirement (Art. 17) that must be in place immediately.
REGULATORY REFERENCE: Privacy Act 1988 (amended 2026) - right to erasure; GDPR Art. 17
STATUS: Implement privacy@veracitygate.com with documented 30-day response SLA
GAP 05 - MEDIUM: AI / Automated Processing Disclosure
Botpress AI chatbot not disclosed as automated processing
A Botpress AI-powered webchat widget is active on veracitygate.com and engages site visitors in conversation. Under the 2026 transparency frameworks (AU, EU, US), businesses must disclose when individuals are interacting with automated or AI-driven systems rather than humans. The widget currently presents no such disclosure. Additionally, the Deep Scan service itself uses automated report generation - this process must be disclosed in service terms.
REGULATORY REFERENCE: EU AI Act 2026 transparency obligations; Privacy Act 1988 (amended) - automated decision-making disclosure
STATUS: Add "You are chatting with an AI assistant" disclosure to Botpress widget and service terms
GAP 06 - MEDIUM: Terms of Service / Refund Policy
No Terms of Service or Refund Policy linked from the purchase flow
The Deep Scan is priced at $499 as a one-time payment processed via Stripe. The monthly monitoring plans range from $99 to $249/month. No Terms of Service or Refund Policy is linked from the Stripe payment pages or from the pricing section. Under Australian Consumer Law (ACL), service businesses must clearly disclose refund and cancellation terms before purchase. The site states "Cancel anytime - no lock-in contracts" for monthly plans, but no formal policy document or cancellation process is provided. This also creates Stripe account risk - chargebacks are significantly harder to contest without documented terms.
REGULATORY REFERENCE: Australian Consumer Law - consumer guarantees and refund obligations; Stripe merchant terms
STATUS: Draft and publish Terms of Service and Refund Policy; link from all Stripe payment pages
| GAP | ISSUE | SEVERITY | STATUS |
| --- | --- | --- | --- |
| 01 | Privacy Policy - incomplete 2026 disclosures | CRITICAL | IN PROGRESS |
| 02 | Cookie consent - no CMP installed | CRITICAL | IN PROGRESS |
| 03 | Zapier, Stripe, Botpress - undisclosed processors | HIGH | IN PROGRESS |
| 04 | Right to erasure - no mechanism present | HIGH | IN PROGRESS |
| 05 | Botpress AI chatbot - no automated processing disclosure | MEDIUM | QUEUED |
| 06 | Terms of Service and Refund Policy - not published | MEDIUM | QUEUED |
04 - PRIORITISED REMEDIATION CHECKLIST
Address these items in order. Priority 1 items carry the highest enforcement risk and must be resolved before client onboarding commences.
PRIORITY 1 - IMMEDIATE (before first client onboards)
✓ Update Privacy Policy to include: Zapier (US), Stripe (US), and Botpress (US/EU) as named third-party processors with their locations, data types processed, and the legal basis for transfer
✓ Install a cookie consent management platform (Cookiebot or equivalent) - configured to block Google Fonts, Stripe, and Botpress scripts until consent is given for EU visitors
PRIORITY 2 - THIS MONTH
✓ Create privacy@veracitygate.com, document a right to erasure request workflow with a 30-day response SLA, and add this to the Privacy Policy
✓ Execute Data Processing Agreements with Zapier, Stripe, and Botpress - all three have standard DPA processes available through their platforms
PRIORITY 3 - THIS QUARTER
✓ Add "You are chatting with an AI assistant" disclosure to the Botpress widget welcome message, and add automated processing disclosure to service terms
✓ Draft and publish Terms of Service and Refund Policy - link from all Stripe payment pages and the pricing section of the website
05 - WHAT THIS MEANS FOR YOU
VeracityGate found 6 genuine compliance gaps in its own website and operations - and we launched just days ago. If a compliance intelligence business can have 6 gaps out of the gate, consider what a business that has been operating for years without a compliance audit might be carrying.
The gaps above are being remediated in real time. By the time you receive your own Deep Scan report, VeracityGate will be operating from a clean, documented compliance posture - and we will be helping you get there too.
Your personalised report has been sent to your inbox. Activate a monitoring plan to begin remediation and work toward your Compliance Clearance.
This report has been prepared by VeracityGate Intelligence Division based on analysis of publicly available site code, disclosed business information, and applicable regulatory frameworks current as of the report date. This document does not constitute legal advice. VeracityGate recommends engaging qualified legal counsel to review and implement remediation steps. Gap findings reflect the state of veracitygate.com at the time of audit and are being actively remediated.
© 2026 VeracityGate - ABN 77 456 982 100 - QUEENSLAND, AUSTRALIA
veracitygate.com