AI-powered UK GDPR compliance

You know you should sort out GDPR. You just haven't had time.

So we made it specific. Enter your business name and your website. The AI reads your site, finds the tools quietly collecting data, and drafts your records, your policy and your vendor checks. You confirm what it found. The scan takes seconds. Reviewing what it found is designed to take under an hour.

14 days of everything, then free forever. No credit card.

Example scan of yourstore.com (live):
  • Google Analytics (Google LLC): needs DPA
  • Meta Pixel (Meta Platforms, Inc.): joint controller
  • Stripe (Stripe, Inc.): DPA verified
  • Mailchimp (Intuit Inc.): needs DPA
  • Hotjar (Hotjar Ltd): DPA verified
Third parties found on your site: 5 in 1.2s

Most businesses are running tools they never assessed.

When you added Mailchimp, did anyone check whether its data processing agreement actually covers GDPR? Did you know that using Meta Pixel makes you a joint controller with Meta for the data it collects, which changes what you are responsible for and which lawful basis you can rely on?

Rowpa knows the company behind each tool. Not just “Mailchimp”, but Mailchimp by Intuit Inc., with its DPA status, transfer mechanism and a plain-English risk note. The fog becomes a list. The list becomes a record.
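The scan and vendor-mapping step described above, as an added example (this is not Rowpa's code): a small Python script that pulls external script, iframe and pixel URLs out of a page, also catches tools loaded by inline loader snippets, and maps each third-party host to the company behind it through a vendor library. The sample page, the hostnames in the library and the DPA statuses are all constructed for the example; the statuses are placeholders, not verified facts about those vendors.

```python
"""Third-party tool discovery over a page's HTML (added example, not Rowpa's
code). The vendor library and sample page are constructed; the DPA statuses
are placeholders, not facts about the named companies."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed vendor library: host suffix -> (tool, legal entity, DPA status).
VENDOR_LIBRARY = {
    "googletagmanager.com": ("Google Analytics", "Google LLC", "needs DPA"),
    "google-analytics.com": ("Google Analytics", "Google LLC", "needs DPA"),
    "connect.facebook.net": ("Meta Pixel", "Meta Platforms, Inc.", "joint controller"),
    "facebook.com": ("Meta Pixel", "Meta Platforms, Inc.", "joint controller"),
    "js.stripe.com": ("Stripe", "Stripe, Inc.", "DPA verified"),
    "chimpstatic.com": ("Mailchimp", "Intuit Inc.", "needs DPA"),
    "hotjar.com": ("Hotjar", "Hotjar Ltd", "DPA verified"),
}
# Loader snippets that identify a tool even if its URL is assembled at runtime.
INLINE_SIGNATURES = {
    re.compile(r"\bfbq\s*\(\s*['\"]init['\"]"): "connect.facebook.net",
    re.compile(r"\bgtag\s*\(\s*['\"]config['\"]"): "googletagmanager.com",
}
URL_LITERAL = re.compile(r"https?://[^\s'\"()]+")


class ResourceCollector(HTMLParser):
    """Collects src URLs of scripts, iframes and images, and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.urls, self.inline, self._in_inline = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_inline = a.get("src") is None
        if tag in ("script", "iframe", "img") and a.get("src"):
            self.urls.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

    def handle_data(self, data):
        if self._in_inline:
            self.inline.append(data)


def _host(url):
    """Hostname of an absolute or protocol-relative URL; '' for same-origin paths."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlsplit(url).hostname or "").lower()


def _lookup(host):
    """Suffix match, so cdn.vendor.com resolves to the vendor.com entry."""
    for suffix, entry in VENDOR_LIBRARY.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None


def scan(html, site_host):
    """Return (findings, unknown_hosts): one dict per recognised third-party tool,
    plus third-party hosts missing from the library that need manual assessment."""
    c = ResourceCollector()
    c.feed(html)
    candidates = list(c.urls)
    for body in c.inline:
        candidates.extend(URL_LITERAL.findall(body))  # URLs inside loader snippets
    hits, unknown = {}, set()
    for url in candidates:
        host = _host(url)
        if not host or host == site_host or host.endswith("." + site_host):
            continue  # first-party resource
        entry = _lookup(host)
        if entry:
            hits.setdefault(entry[0], (entry[1], entry[2], host))  # first evidence wins
        else:
            unknown.add(host)
    for body in c.inline:
        for pattern, key in INLINE_SIGNATURES.items():
            if pattern.search(body):
                tool, entity, status = VENDOR_LIBRARY[key]
                hits.setdefault(tool, (entity, status, "inline:" + pattern.pattern))
    findings = [{"tool": t, "entity": e, "status": s, "evidence": ev}
                for t, (e, s, ev) in hits.items()]
    return findings, sorted(unknown)


# Constructed sample page for yourstore.com; all IDs are placeholders.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>function gtag(){dataLayer.push(arguments);}gtag('config','G-XXXXXXX');</script>
<script>!function(f,b){/* Meta loader */}(window,'https://connect.facebook.net/en_US/fbevents.js');
fbq('init','PIXEL_ID');fbq('track','PageView');</script>
<script src="https://js.stripe.com/v3/"></script>
<script id="mcjs">!function(c){/* Mailchimp loader */}("https://chimpstatic.com/mcjs-connected/js/users/USER/SITE.js");</script>
<script>(function(h,t){h._hjSettings={hjid:1,hjsv:6};})(window,'https://static.hotjar.com/c/hotjar-');</script>
<script src="/assets/app.js"></script>
<script src="https://cdn.unknown-widget.example/chat.js"></script>
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=PIXEL_ID&ev=PageView&noscript=1"/></noscript>
</body></html>"""

if __name__ == "__main__":
    found, unknown_hosts = scan(SAMPLE_HTML, "yourstore.com")
    for f in found:
        print(f"{f['tool']:<18} {f['entity']:<22} {f['status']:<16} via {f['evidence']}")
    print("unknown third parties (assess manually):", unknown_hosts)
```

Two design points matter in practice. First-party resources are skipped by hostname, so a vendor script you self-host (a copied analytics bundle under /assets/) will not be found this way; that is a real blind spot of any static scan and one reason the review step exists. Second, anything third-party that is not in the library is reported as unknown rather than silently ignored, which is the behaviour you want from a discovery tool: an unrecognised host is a finding, not an absence of one.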

300+ tools in the vendor library, enriched daily from the source, not from training data. When a vendor changes its DPA, your records change with it.

Why Rowpa exists

I spent years building compliance tools for large enterprises. I watched companies with privacy teams and six-figure budgets handle GDPR with consultants, auditors and platforms that cost more than most small businesses make in a month.

Then friends running real businesses - a Shopify store, an eight-person SaaS - would ask me the same quiet question: do I actually need to worry about this? The answer was always yes, and I had nothing practical to point them to.

The same law applies to a five-person company as to a multinational. The tooling never should have. Rowpa does what a privacy consultant does: builds your records, checks your vendors, flags your risks, drafts your policies. You review all of it. It costs less than a single hour of legal advice.

Tomasz Smieja, founder

Three steps. Designed to be done in under an hour.

01
It discovers your business
Enter your name and website. The AI scans for the tools, trackers and scripts it recognises, classifies your business, and drafts a compliance profile. You confirm what it found and add anything it missed.
02
It builds your ROPA
Your full Article 30 record, mapped from your profile. Every activity gets a legal basis, a retention period, a vendor. Where the AI is unsure, it says so plainly and flags it for you. Never a silent guess.
03
It keeps you compliant
A publish-ready privacy policy generated from your ROPA, a vendor DPA checklist, and daily monitoring of ICO guidance and vendor changes. It tells you when something needs your attention.

Built for businesses like yours

If you handle personal data but don't have a DPO or legal team, Rowpa is built for you.

Also: accountants  ·  solicitors

// compliance is no place for a black box

An auditor will ask how you got here. You should have an answer.

Every record, policy, assessment and response is a draft until you approve it. Nothing is published on its own. Every AI action is logged with a timestamp, the model used, what it looked at and what it concluded. When the ICO asks how you arrived at an assessment, that is your answer, with full provenance.

You approve everything

The AI drafts. Where it is less certain, it tells you. Nothing is actioned without your review.

Every decision is logged

Timestamp, model, inputs, conclusion. Regenerate an assessment and the old version is still there.

Vendor data from the source

DPA links and sub-processors come from the vendor's actual site, re-verified, with before and after tracked.
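The decision log described above (timestamp, model, inputs, conclusion, with old versions retained when an assessment is regenerated), as an added example rather than Rowpa's own implementation. It keeps every version of an assessment and links each entry to the previous one by SHA-256; that hash chain is this example's own addition, not something the page describes, and it is what lets you show an auditor that an old entry was not quietly edited after the fact. The subject names, model name and inputs in the demo are constructed.

```python
"""Append-only, versioned provenance log for AI-drafted compliance records.

Added example, not Rowpa's code. The hash chain is this example's design
choice; the page only says each AI action is logged with timestamp, model,
inputs and conclusion and that regenerated versions are kept."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(obj):
    """SHA-256 over canonical JSON so equal content always hashes the same."""
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


class ProvenanceLog:
    """Every record() appends; nothing is ever updated or deleted in place."""

    def __init__(self):
        self.entries = []

    def record(self, subject, model, inputs, conclusion):
        """Log one AI decision about `subject` (a vendor, a ROPA activity, ...).
        `inputs` is what the model looked at; `conclusion` is what it decided.
        `version` counts earlier entries for the same subject, so regenerating
        an assessment yields version 2 beside version 1 instead of replacing it."""
        body = {
            "subject": subject,
            "version": len(self.history(subject)) + 1,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "model": model,
            # copied, so later edits to the caller's dicts cannot alter the log
            "inputs": json.loads(json.dumps(inputs)),
            "conclusion": json.loads(json.dumps(conclusion)),
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def history(self, subject):
        """All versions ever recorded for a subject, oldest first."""
        return [e for e in self.entries if e["subject"] == subject]

    def current(self, subject):
        """The latest version, or None if the subject was never assessed."""
        versions = self.history(subject)
        return versions[-1] if versions else None

    def verify(self):
        """Recompute every hash and link. Returns -1 when the chain is intact,
        otherwise the index of the first entry that was altered or re-ordered."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1


if __name__ == "__main__":
    log = ProvenanceLog()
    seen = {"site": "yourstore.com", "script": "https://connect.facebook.net/en_US/fbevents.js"}
    log.record("vendor:Meta Pixel", "example-model-v1", seen, {"status": "joint controller"})
    log.record("vendor:Meta Pixel", "example-model-v1", seen,
               {"status": "joint controller", "note": "re-checked against vendor terms"})
    print("versions kept:", len(log.history("vendor:Meta Pixel")), "chain ok:", log.verify() == -1)
    log.entries[0]["conclusion"]["status"] = "processor"  # an after-the-fact edit
    print("first bad entry after tampering:", log.verify())
```

In a real deployment the entries would live in a database table that the application role can only INSERT into, with the chain verified on export so that the provenance you hand to the ICO is checked rather than merely asserted.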

You don't have to be Meta to get fined.

The numbers are real, and they are not the reason to start. They are why a client, a partner, or the ICO will eventually ask.

  • €6.8bn in GDPR fines issued since 2018, rising every year (source: EDPB)
  • £3.07m: the ICO's first fine against a UK data processor, March 2025 (source: ICO)
  • In force: the DUAA complaints-procedure requirement, in force since 19 June 2026, with no SME exemption (source: DUAA 2025)

Your Trust Center: one URL that closes deals.

When a prospect asks “how do you handle our data?” you paste one link. Your Trust Center shows your ROPA summary, sub-processors with DPA links, security overview, privacy policy, DSR submission form, and breach disclosures. All generated from your actual compliance records.

Think of it as a lightweight version of what Vanta charges enterprise teams thousands for.

What changed on 19 June 2026
The Data (Use and Access) Act makes four things mandatory for every UK organisation: provide a complaint form that can be completed electronically, acknowledge each complaint within 30 days, keep records of how complaints were handled, and update your privacy notice. There is no SME exemption. Rowpa generates all of this from your business profile.
Example Trust Center at trust.yourbusiness.com:
  • Record of Processing Activities: current
  • Sub-processors, with DPA links: 12 listed
  • Security overview: auto
  • Data subject request form: live
  • DUAA complaints intake: live

What a privacy consultant would build for you.

ROPA generation
Full GDPR Article 30 record built automatically from your business profile. AI flags anything that needs your input so you know exactly where to focus.
Living privacy policy
Generated from your ROPA, not from a template. Rowpa flags when your policy needs updating after a ROPA change - regenerate with one click.
Vendor DPA library
300+ tools (and growing daily) with verified DPA status, legal entities, transfer mechanisms, and plain-English risk notes. Linked to your ROPA automatically.
Risk radar
New tracker detected on your site? Vendor changed their DPA? ICO issued new guidance? AI flags it with severity ratings and tells you exactly what to do.
AI-drafted DSR responses
Subject Access Request comes in? Our AI drafts a response letter with legal reasoning from your ROPA, and tracks the 30-day deadline.
DUAA complaints procedure
AI generates a DUAA-ready complaints procedure from your business profile. Public intake form, complaint log, 30-day acknowledgement tracking. Required for every UK organisation since 19 June 2026.

Simple, honest pricing.

All paid plans include a 14-day money-back guarantee. No long-term contracts.

Billed monthly or annually (annual billing saves 20%).
Free
£0
/month
See what Rowpa can do
  • 1 user
  • 5 ROPA activities
  • 40 vendors in library
  • Draft privacy policy
Start free
Growth
£149
/month
+ VAT for UK customers
Stay compliant, prove it
  • 5 users
  • Everything in Free, plus:
  • Automated site scanner
  • DPIA tool
  • Breach response planner
  • Compliance score tracking
  • Priority risk alerts
Get Growth
Agency
£299
/month
+ VAT for UK customers
Manage clients at scale
  • Unlimited users
  • Everything in Growth, plus:
  • Unlimited client businesses
  • Client workspaces
  • White-label exports
  • Agency dashboard
  • API access
Contact us
What Rowpa is
  • An AI-powered compliance platform that does the heavy lifting for you
  • AI-generated ROPA, policies, and DSR responses you review, edit, and export
  • A verified, AI-enriched vendor library with legal entities, DPA links, and risk notes
  • Daily monitoring of regulatory changes, vendor updates, and new ICO guidance
What it isn't
  • Legal advice - every output is a draft for your review
  • A substitute for a DPO if you are legally required to appoint one
  • Suitable for special category data without professional oversight
  • A replacement for qualified counsel if you are facing ICO enforcement

Common questions

Does GDPR apply to my business?
If you collect or use personal data from people in the UK or EU, yes. That includes customer emails, employee records, website analytics, contact forms, and payment details. It applies to businesses of any size, not just large companies.
What do I actually need to do?
The core requirements are: keep a record of what personal data you process and why (your ROPA), have written agreements with any tools or services that handle that data (DPAs), publish a privacy policy, and respond to data subject requests within one month. Rowpa builds all of this for you automatically.
What happens if I do not comply?
The ICO can investigate businesses of any size. Fines under UK GDPR go up to £17.5 million or 4% of annual worldwide turnover, whichever is higher. Under EU GDPR, it is €20 million or 4%. Even small organisations have been fined. Beyond fines, customers and partners increasingly expect proof of compliance.
I already have a cookie banner. Am I covered?
A cookie banner handles one small part of GDPR. You also need a Record of Processing Activities, valid legal bases for every way you use data, agreements with your vendors, and a process for handling data requests. Rowpa covers all of this.
Do I need technical knowledge to use Rowpa?
No. Enter your business name and website, and our AI does the rest. You review what we find and confirm. No legal or technical knowledge required.
How accurate is the ROPA it generates?
Our AI uses a curated taxonomy of processing activities for each business type and a verified vendor library. Where the AI is less certain, it tells you plainly and flags the item for your review.
Is this legal advice?
No. Outputs are AI-generated drafts for your review. We are not a law firm and no solicitor-client relationship is created. See our Terms of Service.
What if I use a tool that is not in your library?
You can add any tool manually. We will include it in your ROPA with a note that the DPA status needs manual verification.
Does Rowpa cover EU GDPR as well as UK GDPR?
Yes. The product covers both UK GDPR and EU GDPR. The core obligations are virtually identical. Our vendor library includes transfer mechanisms for both UK and EU adequacy decisions, and we flag where the two regimes differ.
Where is my data stored?
Your data is stored in the EU (Frankfurt, Germany) on Supabase infrastructure, encrypted at rest and in transit. Apart from that hosting provider, we do not share your data with third parties. Your compliance documentation is yours.
Is my data secure?
Yes. Each business's records are isolated with row-level security in the database, so a query from one account cannot return another account's rows. All connections are encrypted with TLS. Authentication uses magic links sent to your email address, so we store no password that could leak; it also means access to your Rowpa account is only as strong as access to that mailbox, so protect it with multi-factor authentication.
Can I export my data if I cancel?
Yes. You can export your ROPA as PDF, CSV, or JSON at any time, including after cancellation (for 30 days). Your data is yours and we make it easy to take with you.
How does the 14-day Growth trial work?
When you sign up, you get full access to every Growth-tier feature for 14 days. No credit card required. On day 15, your account moves to the free plan automatically. You keep your ROPA, your privacy policy, and your vendor records. Nothing is deleted. You can upgrade to a paid plan at any time to unlock the full feature set again.
What is a Trust Center URL?
It is a single public page that shows your compliance posture: ROPA summary, sub-processor list with DPA links, security overview, privacy policy, DSR submission form, and optionally any breach disclosures. You share one URL with customers instead of answering vendor questionnaires individually.
Does Rowpa generate a DUAA complaints procedure?
Yes. The Data (Use and Access) Act 2025 requires every UK organisation to have an accessible complaints procedure (in force since 19 June 2026). Rowpa generates one from your business profile, gives you a public intake form with automatic reference numbers, and tracks the 30-day acknowledgement deadline for each complaint.
How long does setup take?
Setup is designed to be completed in under an hour. The AI drafts everything from your website scan; you review each processing activity, confirm vendors, and add any tools we missed.
From the blog
UK GDPR guides, vendor updates, and compliance advice for small businesses.
Plain-English articles on data protection, ROPA, vendor due diligence, and what the latest ICO guidance means for you.

The hard part was never the work. It was not knowing where you stood.

Start your free scan. Done in under an hour. No card.