Everything we’re asked about ADA, GDPR, AI code copyright, and what Comply Code actually does. 25 answers, organised by topic.
If your app is a commercial site served to US users (which most vibe-coded apps with checkout, signup, or lead-capture flows are), then ADA Title III applies. The leading case is Robles v. Domino's (9th Circuit 2019, cert denied), which held that websites can constitute places of public accommodation. Comply Code classifies your site's accommodation status as 'yes', 'no', or 'arguable' before weighting findings.
3,117 ADA web-accessibility lawsuits were filed in US federal court in 2025, per EcomBack's annual report. New York alone accounted for ~32% of filings; Florida and California together accounted for another ~43%. Pre-suit demand letters are estimated 10–20× more common than filings, putting the total at 30,000–60,000 per year.
Pre-suit settlement in 2025 typically ranges $5,000–$25,000 plus a remediation commitment. If matters are filed in federal court, total costs commonly run $15,000–$75,000 including attorney fees. Settlements trend higher in NY, FL, and CA.
The most-cited rules in 2025 demand letters are: missing form labels (WCAG 1.3.1 / 3.3.2), insufficient color contrast (1.4.3), missing alt text on informative images (1.1.1), missing link/button accessible names (2.4.4 / 4.1.2), and keyboard traps in modals (2.1.2). Comply Code's overlay weights these rules higher because they're the ones plaintiff firms actually use.
Title III applies to commercial entities that serve the public. Most US circuits (notably the 9th) now extend this to websites; the 11th remains more restrictive. Internal employee tools, personal blogs, and pure informational forums are typically out of scope. Commercial e-commerce, SaaS, telehealth, edtech, and lead-capture sites are typically in scope.
GDPR applies if you offer services to people in the EU/UK or monitor their behaviour (which includes most ad pixels). If your site has EU-facing copy, accepts orders from the EU, or fires ad pixels that may capture EU visitors, GDPR Art. 6(1)(a) and the ePrivacy Directive Art. 5(3) require unambiguous opt-in consent before any non-essential tracking.
Pre-consent firing means a tracking pixel (Meta Pixel, TikTok Pixel, Google Ads, GA4, etc.) makes a network request on initial page load — before the user has clicked anything in a consent banner. Under GDPR Art. 4(11), consent must be unambiguous and opt-in by default; pre-consent firing fails that test. Comply Code captures network requests at first render and flags every ad/analytics vendor that fired without verified consent.
Under EDPB Guideline 03/2022, the rejection path must be at least as visible and as easy as the acceptance path. A banner with 'Accept all' and 'Manage preferences' (but no 'Reject all') is not a free choice and is likely non-compliant. Comply Code's cookie-banner symmetry check flags this pattern.
CCPA applies to for-profit businesses serving California consumers above certain revenue or data thresholds, and requires a 'Do Not Sell My Personal Information' affordance. Sharing data with ad pixels can constitute a 'sale' under CCPA. Comply Code flags CCPA risk when (a) the site references California in copy, and (b) PII-handling flows fire ad pixels.
Meta Pixel (Facebook), TikTok Pixel, Google Ads, Google Analytics 4, Google Tag Manager, LinkedIn Insight, Snap Pixel, X/Twitter Ads, Hotjar, FullStory, Mixpanel, Segment, Intercom, HubSpot, PostHog, Amplitude, and Heap. The list is curated based on what vibe-coded apps actually deploy.
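The two answers above (pre-consent firing, and the vendor list) describe a detection that is easy to reproduce from a network capture. The following is an added illustration, not Comply Code's own code: it takes a constructed list of requests captured at first render (timestamps in milliseconds since navigation start) and the time at which the user accepted the banner, and reports every known vendor that fired before that moment. The hostname-to-vendor table is an assumed, deliberately small signature list covering a few of the vendors named above; the `example` hostnames and the `PLACEHOLDER` ids in the sample capture are constructed.

```python
"""Flag ad/analytics vendors that made a request before consent was given."""
from urllib.parse import urlparse

# Assumed hostname -> vendor signatures (a small illustrative subset,
# not Comply Code's curated list). Subdomains of a listed host also match.
VENDOR_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
    "analytics.tiktok.com": "TikTok Pixel",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics 4",
    "googleads.g.doubleclick.net": "Google Ads",
    "snap.licdn.com": "LinkedIn Insight",
    "static.hotjar.com": "Hotjar",
}

# Constructed first-render capture for a hypothetical shop.example site.
CAPTURE = [
    {"url": "https://shop.example/", "ts_ms": 0},
    {"url": "https://shop.example/static/app.js", "ts_ms": 120},
    {"url": "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER", "ts_ms": 310},
    {"url": "https://connect.facebook.net/en_US/fbevents.js", "ts_ms": 340},
    {"url": "https://www.facebook.com/tr/?id=PLACEHOLDER&ev=PageView", "ts_ms": 420},
    {"url": "https://analytics.tiktok.com/i18n/pixel/events.js", "ts_ms": 450},
    {"url": "https://shop.example/api/cart", "ts_ms": 600},
    {"url": "https://static.hotjar.com/c/hotjar-PLACEHOLDER.js", "ts_ms": 5200},
]


def vendor_for(url: str):
    """Return the vendor name for a request URL, or None for first-party / unknown hosts."""
    host = urlparse(url).hostname or ""
    for sig_host, vendor in VENDOR_HOSTS.items():
        if host == sig_host or host.endswith("." + sig_host):
            return vendor
    return None


def pre_consent_findings(requests, consent_ts_ms):
    """Group vendor requests that fired before consent_ts_ms.

    consent_ts_ms is None when the capture ended without the user accepting
    anything; in that case every vendor request counts as pre-consent.
    """
    findings = {}
    for req in sorted(requests, key=lambda r: r["ts_ms"]):
        vendor = vendor_for(req["url"])
        if vendor is None:
            continue  # first-party or unrecognised host: not a tracking finding
        if consent_ts_ms is not None and req["ts_ms"] >= consent_ts_ms:
            continue  # fired after the user accepted: compliant
        entry = findings.setdefault(vendor, {
            "vendor": vendor,
            "first_url": req["url"],
            "first_ts_ms": req["ts_ms"],
            "requests": 0,
        })
        entry["requests"] += 1
    # Earliest-firing vendor first, so the report reads in load order.
    return sorted(findings.values(), key=lambda f: f["first_ts_ms"])


if __name__ == "__main__":
    # Consent was clicked at 5000 ms; Hotjar loaded afterwards, so it is not flagged.
    for f in pre_consent_findings(CAPTURE, consent_ts_ms=5000):
        print(f"{f['vendor']}: {f['requests']} request(s), first at {f['first_ts_ms']} ms -> {f['first_url']}")
```

Each finding carries the first URL and timestamp so a reviewer can confirm the request against the raw capture, and the `requests` count shows whether a vendor loaded once (the loader script) or kept sending events (loader plus the `PageView` beacon, as Meta Pixel does in the sample).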
Per the US Copyright Office's Part 2 AI Report (January 2025), works without sufficient human authorship are not copyrightable, and prompt-based generation alone does not meet the originality threshold. If your codebase is materially AI-generated, parts of it may have no copyright protection — meaning competitors could legally copy it.
Copyleft licenses (GPL, AGPL, LGPL, MPL) require derivative works to be released under the same license. If your AI assistant generated or imported code that's a near-verbatim copy of a copyleft project's source, you may inherit that obligation — meaning you'd have to open-source your entire app, or remove the contaminating code. Doe v. GitHub (Copilot litigation, Ninth Circuit interlocutory appeal accepted Dec 2024) is the leading case.
We use winnowing fingerprinting (Schleimer/Aiken/Manber, 2003) against a curated corpus of popular copyleft NPM packages. At scan time we fetch your deployed JS bundles, fingerprint them with the same algorithm, and compute containment — how much of a corpus package's code appears in your bundle. Matches above a per-license threshold emit findings with the package name, license, and the obligation triggered.
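The winnowing-and-containment pipeline described above, as an added illustration that is not Comply Code's own implementation. It implements the Schleimer/Aiken/Manber algorithm (hash every k-gram of tokens, keep the minimum hash of each sliding window) and then computes containment as the share of a corpus package's fingerprints that also appear in the bundle. The corpus package, the two bundles, and the per-license thresholds are all constructed for the example; the real thresholds and corpus are not on the page. The contaminated bundle embeds the package source verbatim, which is why its containment comes out at exactly 1.0.

```python
"""Winnowing fingerprints and containment scoring against a small copyleft corpus."""
import hashlib
import re

K = 5  # k-gram length, in tokens
W = 4  # winnowing window, in k-grams

# Assumed per-license containment thresholds (illustrative values only).
LICENSE_THRESHOLDS = {"AGPL-3.0": 0.30, "GPL-3.0": 0.50, "MPL-2.0": 0.60}
OBLIGATIONS = {
    "AGPL-3.0": "offer corresponding source to network users (AGPL §13)",
    "GPL-3.0": "release the derivative work under GPL-3.0",
    "MPL-2.0": "keep modified MPL files under MPL-2.0",
}

# Constructed "copyleft package" source standing in for a corpus entry.
LEFTPAD_SRC = """
function leftPad(str, len, ch) {
  str = String(str);
  ch = ch || ' ';
  while (str.length < len) {
    str = ch + str;
  }
  return str;
}
"""
CORPUS = [{"name": "left-pad-ish", "license": "AGPL-3.0", "source": LEFTPAD_SRC}]

# Constructed bundles: one unrelated, one with the package pasted in verbatim.
CLEAN_BUNDLE = """
const cart = [];
export function addItem(item) {
  cart.push(item);
  return cart.length;
}
"""
CONTAMINATED_BUNDLE = CLEAN_BUNDLE + "\n" + LEFTPAD_SRC + "\nexport { leftPad };\n"


def tokenize(src: str) -> list:
    """Split source into word and single-punctuation tokens, dropping whitespace."""
    return re.findall(r"\w+|[^\s\w]", src)


def kgram_hashes(tokens: list) -> list:
    """Position i holds a 64-bit hash of tokens[i:i+K]."""
    out = []
    for i in range(len(tokens) - K + 1):
        gram = " ".join(tokens[i:i + K]).encode()
        out.append(int.from_bytes(hashlib.sha1(gram).digest()[:8], "big"))
    return out


def winnow(hashes: list) -> set:
    """Select the minimum hash of every W-length window, rightmost on ties."""
    if len(hashes) < W:
        return set(hashes)
    fingerprints = set()
    for start in range(len(hashes) - W + 1):
        window = hashes[start:start + W]
        best = window[0]
        for h in window[1:]:
            if h <= best:  # '<=' keeps the rightmost minimum, as in the paper
                best = h
        fingerprints.add(best)
    return fingerprints


def fingerprint(src: str) -> set:
    return winnow(kgram_hashes(tokenize(src)))


def containment(bundle_fp: set, package_fp: set) -> float:
    """Fraction of the package's fingerprints that also occur in the bundle."""
    if not package_fp:
        return 0.0
    return len(bundle_fp & package_fp) / len(package_fp)


def scan_bundle(bundle_src: str, corpus: list) -> list:
    """Emit a finding for every corpus package whose containment clears its license threshold."""
    bundle_fp = fingerprint(bundle_src)
    findings = []
    for pkg in corpus:
        score = containment(bundle_fp, fingerprint(pkg["source"]))
        if score >= LICENSE_THRESHOLDS.get(pkg["license"], 0.5):
            findings.append({
                "package": pkg["name"],
                "license": pkg["license"],
                "containment": round(score, 3),
                "obligation": OBLIGATIONS[pkg["license"]],
            })
    return findings


if __name__ == "__main__":
    print("clean:", scan_bundle(CLEAN_BUNDLE, CORPUS))
    print("contaminated:", scan_bundle(CONTAMINATED_BUNDLE, CORPUS))
```

Containment is asymmetric on purpose: dividing by the package's fingerprint count asks "how much of this package is in the bundle", which stays meaningful even when the package is a tiny fraction of a large minified bundle. Tokenising rather than hashing raw characters also makes the match survive reformatting and whitespace changes, though not identifier renaming.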
If you deploy AGPL-licensed code as a network service (which most web apps are), AGPL §13 requires you to make the corresponding source available to users — typically via a link in your app. Failing this is a license violation and can be litigated. Comply Code flags AGPL-containing bundles as Critical.
Increasingly, yes. JP Morgan's 2026 founder guide explicitly lists 'AI code provenance' as a diligence item. Wix's $80M acquisition of Base44 in 2025 was a high-profile example of due diligence for a vibe-coded company. Our $1,999 Acquisition Pack produces a data-room-ready IP provenance attestation specifically for this moment.
No, not for the standard scan. We work from your live URL. We crawl the rendered DOM, run axe-core, capture network requests, and fingerprint deployed JS bundles. Repo connection unlocks the deeper IP Provenance Pack but is never required for the core scan.
Typically 30–90 seconds depending on how many routes need to be crawled and how heavy the page bundles are. The court-reporter log on the scan page shows progress in real time.
No. Comply Code is a risk-triage tool, not legal advice. We surface common patterns and provide citations to the underlying statutes and case law. For specific legal decisions, consult a qualified attorney licensed in your jurisdiction.
axe-core gives you ~90 technical WCAG violations with no context about which ones matter legally. Comply Code adds: site classification (commercial vs informational vs internal), critical-flow detection (which findings sit on checkout / signup / lead-capture vs auxiliary content), jurisdictional weighting, severity recalibration against 2025 demand-letter citation patterns, and framework-specific fix prompts.
CheckVibe is a security scanner — SQL injection, exposed API keys, header misconfigurations. Comply Code is a legal-and-IP scanner — ADA / WCAG demand-letter risk, GDPR pre-consent tracking, copyleft contamination. They're complementary; many teams run both.
Yes — Comply Code exposes five MCP tools (scan, list_findings, get_fix, re_scan, diff_audit). Drop one block into your claude_desktop_config.json or Cursor MCP settings and your agent can run audits, fetch findings, apply fixes, and verify the result in one session.
Free unlimited scans, with all findings and citations. $29/mo Counsel for unlimited fix prompts, MCP server access, and the 'Reviewed by Comply Code' badge. $290/mo Firm for agencies with multiple client projects, white-label PDF, and priority support. $1,999 one-time Acquisition Pack for full pre-fundraise / pre-acquisition diligence including IP provenance attestation.
No. All findings and citations are free to read on the public report page. You only pay if you want to unlock the agent-native fix prompts that translate each finding into a copy-paste instruction for Cursor or Claude Code.
Yes. Counsel and Firm subscriptions are month-to-month with no contract. Cancel from your dashboard.
We store the rendered DOM, screenshot, and network capture for 30 days so the report remains reproducible. We do not store your source code or uploaded files unless you opt into GitHub-connect for the IP Provenance Pack.