Legal Practices

Last updated: April 2026 · The regulations Dekimu builds against

Why this page exists

Most freelance-tier site builders, document generators, and outreach tools quietly leave compliance to the user. We don’t. Every Dekimu app is built against a named regulation, and every published artefact (a tenant site, a generated policy, a sent reminder) inherits that posture by default.

This page is the map. Each entry below cites the regulation, says what we actually do, and points to the Dekimu feature that implements it. If a feature is on the roadmap but not yet shipped, we mark it.

GDPR Articles 12–22 · Data subject rights

What the law requires. Anyone whose personal data you process has the right to access it, correct it, delete it, port it, restrict its use, object to it, and not be subject to purely automated decisions. Article 12 obliges you to make these rights easy to exercise — typically a discoverable channel on your site.

What Dekimu does. Designer auto-injects a Data Request link in the footer of every published site. The link resolves to the tenant’s miniterms DSAR inbox if available, falling back to a Hub-hosted intake. Requests are logged, acknowledged within 72 hours, and tracked against the 30-day response clock per Article 12(3).

Implemented by: Designer · Auto-DSAR Footer Link · miniterms DSAR inbox.

GDPR Article 13 · Information to be provided

What the law requires. When you collect personal data, you must tell the data subject who you are, why you’re collecting, the legal basis, retention period, recipients, and their rights. The information must stay accurate as your processing changes.

What Dekimu does. miniterms generates the Privacy Policy from a structured business profile — every Article 13 item is enforced as a required field at intake. When the policy is published to a Designer site, Designer pins the document version and marks the section edit-locked. Drift between what miniterms signed off on and what visitors see becomes structurally impossible.

Implemented by: miniterms generator · Designer Edit-Locked Legal Sections.

GDPR Article 7 + ePrivacy Directive Article 5(3) · Consent

What the law requires. Non-essential cookies and similar storage need prior, specific, informed consent. Pre-ticked boxes are not consent. The user must be able to withdraw as easily as they granted. Spain’s AEPD fined 13 sites in 2025 for pre-ticked banners alone.

What Dekimu does. dekimu-site emits a granular consent banner with category-level toggles (necessary, analytics, marketing), no pre-ticked boxes, Google Consent Mode v2 signals, and a Hub-side audit log keyed by visitor hash. Withdrawal lives at a stable URL on every published site.

Status: on the Designer roadmap (Phase 4.5). Until shipped, sites published with dekimu-site do not set non-essential cookies of their own.

EU AI Act Article 50 · AI transparency

What the law requires. Deployers of AI systems must disclose AI use in a clear and distinguishable way, by the deadline set per Article 50. Synthetic content must be marked as such; emotion recognition and biometric categorisation need explicit notification.

What Dekimu does. Hub’s BusinessProfile collects an AI use declaration (model class, purpose, human-review policy, training-data scope). Designer auto-emits a footer block and dedicated /ai-disclosure page on the published site, bilingual EN + ES. Tenants who declare no AI use get nothing rendered — silence is a valid disclosure when accurate.

Implemented by: Hub BusinessProfile.aiUse field · Designer AI Act Transparency Block (Phase 4.5).

European Accessibility Act · WCAG 2.2 AA

What the law requires. The European Accessibility Act applies to most B2C digital products from 28 June 2025. The benchmark is WCAG 2.2 level AA — alt text, contrast ratios, focus states, heading order, lang attributes, form labels.

What Dekimu does. Designer runs a publish-time scanner that blocks publishing on critical WCAG fails and auto-fixes trivial issues (default alt from caption, lang from snapshot locale). The full report surfaces in the publish dashboard with per-section drilldown, so tenants can fix issues at source.

Status: on the Designer roadmap (Phase 7). Until shipped, a Lighthouse + axe pre-publish lint runs as a soft check.

What this page is not

This is not legal advice. It is a description of engineering posture. Compliance ultimately depends on how each tenant operates — what data they collect, what they tell users, what they actually do with it. Dekimu makes the right defaults easy and the wrong defaults hard, but it does not replace counsel.

This is not a SOC 2 / ISO 27001 attestation. Dekimu is not yet certified against either framework. The internal compliance posture is tracked at dekimu.com/about.

This is not a Verifactu commitment. InvoiceUp is a follow-up tool, not a Sistema Informático de Facturación under Spain’s RD 1007/2023. Users issue invoices in their real accounting system; InvoiceUp tracks payment.

How to reach us

Questions, corrections, or concerns about a specific regulation: hello@dekimu.com.

EU residents have the right to lodge a complaint with their national supervisory authority (in Spain, the AEPD). Lodging a complaint with Dekimu first is not required.