LeWinter Advisory

Website & Digital Privacy Review

Your privacy policy says one thing. Your website does another.

Most privacy help stops at the document. I read the actual site (the cookies, the trackers, the forms, the data flows), line it up against the law, and fix what doesn't match.

Fixed scope. Clear deliverables. One person accountable.

The problem

Here's what usually happens. A lawyer writes you a privacy policy. It's a fine document. It says you handle data responsibly, honor opt-outs, and limit your tracking.

Then nobody checks whether the website actually does any of that.

So the policy promises one thing while the site quietly does another: cookies firing before anyone consents, an ad-network pixel shipping visitor data to a third party you've never vetted, a contact form collecting more than you disclose, an email platform holding lists under terms nobody has read. Every one of those gaps is the kind of thing a regulator, a class-action lawyer, or a security-conscious customer looks for first, because the policy is the promise, and the site is the evidence you broke it.

The gap exists because privacy sits between two people who don't cross over. The lawyer writes the words but can't read the code. The web developer wrote the code but doesn't know the law. You're left holding a document and a website that don't match, and no one whose job is to make them.

[Figure: What the policy promises (consent honored, limited tracking, collection disclosed) set against what the site does (cookies fire before consent, pixel ships data to a third party, forms collect more than disclosed), with the gap between them. Policy rewritten, site reconfigured: both match. The policy is the promise. The site is the evidence.]

What we do differently

We do both halves. I came up through engineering and ran technology as a CTO, so I can open the browser's network tab and see exactly what your site is doing: every tag that fires, every request that leaves, every cookie that gets set, and where the data goes. And I know what the law requires, so I can tell you which of those things is a problem and which is fine.

Then we close the gap. We don't hand you a list of findings and a roster of vendors to go chase. We rewrite the policy so it's accurate, reconfigure the consent and tracking setup so the site matches it, and tell your developer exactly what to change, or change it with them. One person, accountable for the whole thing lining up.

That's the difference between privacy advice and privacy work. Most of the market sells you one or the other. We do the part in between, where the document meets the machine.

What the review covers

  • Cookies and consent. What's set, when it fires, whether consent actually gates it, and whether your banner does what it claims.
  • Tracking pixels and analytics tags. Every third-party tag on the site (ad networks, analytics, social pixels), what data each one collects, and where it's sent.
  • Data-collection forms. What you ask for, what you actually need, what you disclose, and whether the two match.
  • Privacy-policy accuracy. A line-by-line check of what the policy promises against what the site does, and a rewrite where they diverge.
  • Email and marketing data. How lists are collected, stored, and handled, and whether your platform's terms hold up.
  • Applicable-law fit. Everything above checked against the obligations that actually apply to you: CCPA/CPRA, GDPR where you have EU visitors, and HIPAA's Privacy Rule if you're in healthcare.

What you get

A clear report you can act on: what's exposed, ranked by how much it matters, with a plain-language explanation of each gap and exactly what to do about it. An accurate, rewritten privacy policy. A corrected consent and tracking configuration, done with you or handed to your developer as precise instructions. And a short call to walk you through it, so you understand your own site better than you did before.

Not a document that sits in a drawer. A site that matches its promises.

Who this is for

You collect customer information through your website; most businesses do. You've got a privacy policy you're not certain is accurate, or a cookie banner someone installed once and never checked, or a nagging sense that you don't actually know what your marketing tags are sending where. You're in healthcare, e-commerce, financial services, or any field where a privacy complaint would be expensive. Or a customer, partner, or new privacy law just put the question in front of you and you need a real answer, not a template.

Proof

I handled website and email privacy for a healthcare diagnostics company, exactly this work, in a field where the Privacy Rule and real customer data raise the stakes.

Scope

The Website & Digital Privacy Review is a fixed-scope engagement: the site, the policy, the tracking and consent setup, the forms, and the email/marketing data handling, checked against the laws that apply to you, then corrected. No hourly meter, no scope that drifts.

Larger needs, a full privacy-program build, company-wide data mapping, formal consumer-rights (DSAR) processes, or vendor data-processing terms, are scoped separately. This review is the front door, and it's usually where the real picture starts.

  • Structure. Fixed scope, set in writing before we start.
  • You get. An accurate rewritten policy, a corrected consent and tracking setup, and a clear report you can act on.
  • Afterward. Standing on its own, with opt-in continuation if useful.