We build tools for regulated domains — healthcare, compliance, financial operations. Two of those tools, RuleBrief and PrivacyPeep, look like they serve completely different audiences. One monitors regulatory changes for businesses. The other scores privacy policies for consumers, journalists, and compliance teams. But they solve the same underlying problem, and the design decisions behind both reveal how we think about building evidence-first AI tools.
The gap nobody sees
The U.S. regulatory environment is not static. Federal agencies — the FTC, DOL, OSHA, SEC, and dozens of others — publish rule changes, enforcement actions, and guidance updates on a near-daily cadence. State attorneys general across all fifty states issue their own. The EU layers on GDPR enforcement, the AI Act, and sector-specific directives. For a business operating across multiple states with even modest regulatory exposure, the volume is unmanageable without a dedicated legal team or a monitoring system.
Privacy policies, meanwhile, are static. Most were written once — often from a template — and updated only when a lawyer flags a problem or a breach forces a rewrite. The result is a structural lag: regulations move forward, but the public-facing document that describes a company's data practices stays frozen in time.
This creates two problems simultaneously. The business doesn't know what changed until a fine arrives. And the user reading the policy doesn't know that the promises on the page may no longer reflect what the law actually requires. The gap between those two states — what regulators demand and what companies publicly promise — is where risk accumulates for everyone involved.
Upstream: Watching what regulators change
RuleBrief is the upstream half. It monitors over eighty regulatory sources daily — twenty-seven federal agencies, fifty-plus state attorney general offices, and EU regulatory bodies — and translates what it finds into plain-English summaries that a business owner can review without wading through legal jargon. The briefs are informational — not legal advice and not a substitute for consulting a licensed attorney — but they give operators a structured starting point for understanding what changed and why it might matter to their business.
The pipeline works in stages. An automated feed ingestion layer pulls new regulatory publications from structured data sources across federal and state agencies. An AI summarization layer processes each item, extracting who it may apply to, what action may be relevant, how time-sensitive it appears, and when stated deadlines fall. Each item gets a traffic-light classification: RED for items that may warrant prompt attention, YELLOW for items to plan around, GREEN for general awareness. A personalization engine then filters the output to each subscriber's specific profile — their industry, their states of operation, their employee count, whether they have EU customer exposure.
The output is a weekly brief delivered every Monday morning, organized by urgency. When something hits RED, a push alert goes out within twenty-four hours. The brief also includes an enforcement watch — recent fines and cases from relevant agencies — and a forward-looking calendar of deadlines within the next ninety days.
The key design decision was relevance filtering, not volume. Regulatory firehoses already exist. The Federal Register is public. State attorney general feeds are public. Agency press releases are public. The problem was never access — it was signal-to-noise. A restaurant owner in Texas does not need to know about a California data broker registration law. A SaaS company with no physical employees doesn't need OSHA construction safety updates. RuleBrief's value is not in the monitoring. It is in the match.
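As an added illustration of that match step (example code written for this article, not RuleBrief's own implementation or schema), the snippet below filters constructed regulatory items against constructed subscriber profiles using the four profile attributes the pipeline description names: industry, states of operation, employee count, and EU exposure. Field names, the sample items, deadlines and the matching rules are all assumptions. Each match carries the reasons it was kept, so the subscriber can see why an item landed in their brief rather than just that it did.

```javascript
// Added example: relevance filtering of regulatory items by subscriber profile.
// Profile fields, item fields and all sample data are assumptions for this
// illustration, not RuleBrief's real schema or feed content.

const URGENCY_RANK = { RED: 0, YELLOW: 1, GREEN: 2 };

// Constructed subscriber profiles (the two cases the article uses).
const PROFILES = [
  { id: "tx-restaurant", industry: "food-service", states: ["TX"],       employees: 12, euExposure: false },
  { id: "remote-saas",   industry: "software",     states: ["CA", "NY"], employees: 0,  euExposure: true  },
];

// Constructed regulatory items as a summarization layer might emit them.
// scope: "federal" | "state" | "eu". Empty states/industries arrays mean "all".
// minEmployees: 0 = applies regardless of headcount; 1 = employer-only rule.
const ITEMS = [
  { id: 1, title: "State data broker registration deadline", scope: "state", states: ["CA"],
    industries: ["data-broker"], minEmployees: 0, urgency: "RED", deadline: "2025-01-31" },
  { id: 2, title: "Construction site safety standard update", scope: "federal", states: [],
    industries: ["construction"], minEmployees: 1, urgency: "YELLOW", deadline: null },
  { id: 3, title: "Guidance on consumer data security practices", scope: "federal", states: [],
    industries: [], minEmployees: 0, urgency: "YELLOW", deadline: null },
  { id: 4, title: "Employer workplace posting requirement change", scope: "state", states: ["TX"],
    industries: [], minEmployees: 1, urgency: "RED", deadline: "2025-03-01" },
  { id: 5, title: "EU data protection enforcement action summary", scope: "eu", states: [],
    industries: [], minEmployees: 0, urgency: "GREEN", deadline: null },
  { id: 6, title: "Reporting rule for employers with 50 or more employees", scope: "federal",
    states: [], industries: [], minEmployees: 50, urgency: "RED", deadline: "2025-02-15" },
];

// Decide whether one item is relevant to one profile. Returns the list of
// reasons it matched, or null as soon as any rule excludes it.
function matchItem(item, profile) {
  const reasons = [];

  if (item.scope === "eu") {
    if (!profile.euExposure) return null;
    reasons.push("profile has EU customer exposure");
  } else if (item.scope === "state") {
    const overlap = item.states.filter((s) => profile.states.includes(s));
    if (overlap.length === 0) return null;
    reasons.push(`operates in ${overlap.join(", ")}`);
  } else {
    reasons.push("federal item applies in every state");
  }

  if (item.industries.length > 0) {
    if (!item.industries.includes(profile.industry)) return null;
    reasons.push(`industry ${profile.industry} is in scope`);
  }

  // Headcount thresholds: a rule for employers (or for 50+ employees) is noise
  // for a company with no employees or one below the threshold.
  if (profile.employees < item.minEmployees) return null;
  if (item.minEmployees > 0) {
    reasons.push(`${profile.employees} employees meets the ${item.minEmployees}-employee threshold`);
  }
  return reasons;
}

// Build one subscriber's brief: relevant items only, RED first, then by deadline.
function buildBrief(profile, items) {
  const matched = [];
  for (const item of items) {
    const reasons = matchItem(item, profile);
    if (reasons) matched.push({ item, reasons });
  }
  matched.sort((a, b) => {
    const byUrgency = URGENCY_RANK[a.item.urgency] - URGENCY_RANK[b.item.urgency];
    if (byUrgency !== 0) return byUrgency;
    // Items without a deadline sort after dated ones.
    const da = a.item.deadline || "9999-12-31";
    const db = b.item.deadline || "9999-12-31";
    return da < db ? -1 : da > db ? 1 : 0;
  });
  return matched;
}

for (const profile of PROFILES) {
  console.log(`Brief for ${profile.id}:`);
  for (const { item, reasons } of buildBrief(profile, ITEMS)) {
    console.log(`  [${item.urgency}] ${item.title} (${reasons.join("; ")})`);
  }
}
```

Run as is, the Texas restaurant receives only the Texas employer item and the all-industry federal guidance; the employee-less SaaS company receives the federal guidance and the EU item. The California data broker deadline, the construction safety update and the 50-employee reporting rule are dropped for both, each for a different reason, which is the point: the exclusion rules, not the feed, decide what a subscriber sees.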
Downstream: Evaluating what companies promise
PrivacyPeep is the downstream half. While RuleBrief watches what regulators require, PrivacyPeep evaluates what companies actually say in their privacy policies — the public-facing document that most users accept without reading.
The tool uses approximately one hundred detection patterns derived from publicly available privacy law frameworks — including GDPR, CCPA, HIPAA, and BIPA — and consumer-rights best practices. It produces a score across six dimensions: Data Collection, Data Sharing, Data Retention, User Rights, Transparency, and Security. Each dimension is weighted by its potential impact on the user. Data Sharing carries the highest weight at twenty-five percent, because how a company distributes your information to third parties is typically the most consequential practice a policy can describe. All scores, grades, and findings are expressions of automated opinion based on pattern matching — not legal conclusions, compliance determinations, or findings of violations by any company.
Pattern matches are classified by severity. A critical-severity match — such as language indicating biometric data collection without opt-in, indefinite data retention, or data selling without an opt-out mechanism — deducts twenty points from its category. Warnings deduct ten. The result is a letter grade from A to F and a detailed list of pattern matches, each quoted directly from the policy text with the specific sentence that triggered it. The tool analyzes what policies say, not what companies do in practice — a score reflects the text of a document, not the conduct of an organization.
The architecture decision that shaped everything else was client-side processing. Policy text entered into PrivacyPeep never leaves the user's browser. There is no server-side analysis, no upload, no storage. The entire pattern library, scoring engine, and NLP layer run in JavaScript on the user's device. This is a property a user can check rather than take on faith: with the browser's developer tools open, no request carrying the pasted text should appear while an analysis runs. This was not a performance optimization. It was a trust decision. A tool that asks people to paste sensitive legal documents into a text box, and then sends those documents to a server, undermines the premise it claims to stand on. If you're going to build a privacy tool, the tool itself should respect privacy by default.
PrivacyPeep also uses pattern-based detection rather than a language model for analysis. Every match traces to a specific, documented regex pattern and a specific sentence in the policy. This makes the scoring auditable in a way that probabilistic outputs are not. When a user or a company disputes a result, the answer is not "the model said so." The answer is: here is the pattern, here is the sentence it matched, here is the category weight and deduction value. Agree or disagree, but the reasoning is on the table. The trade-off is coverage: a phrasing the library does not anticipate produces no match, so a high score means that no documented pattern fired, not that the policy is free of the practice. Results are provided for informational and educational purposes only; they are a starting point for awareness, not a substitute for professional legal counsel.
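To make the scoring and auditability described in the two paragraphs above concrete, here is a miniature pattern-based scorer written for this article. It is not PrivacyPeep's code or pattern library. The page supplies the six categories, the 25 percent weight on Data Sharing, the 20 and 10 point deductions, and the A to F grade; everything else here is an assumption: the other five weights, the 100-point starting score per category, the rule that a pattern deducts only once per policy, the grade thresholds, the six illustrative regexes, and the sample policy text, which is constructed and describes no real company. Each finding carries the pattern, the regex source, the triggering sentence, the category weight and the deduction, which is exactly the evidence the auditability argument asks for.

```javascript
// Added example: a miniature pattern-based privacy policy scorer. Pattern
// library, all weights except Data Sharing, once-per-pattern deduction, grade
// thresholds and the sample policy are assumptions, not PrivacyPeep's own.

// Category weights sum to 1.0. Only the 0.25 for Data Sharing is from the article.
const CATEGORY_WEIGHTS = {
  "Data Collection": 0.20,
  "Data Sharing":    0.25,
  "Data Retention":  0.15,
  "User Rights":     0.15,
  "Transparency":    0.15,
  "Security":        0.10,
};

// Deduction per severity, as the article states.
const DEDUCTION = { critical: 20, warning: 10 };

// Each pattern is a documented regex tied to one category and one severity.
// `unless` is an exception clause: a match in the same sentence suppresses the
// finding (e.g. biometric collection that is explicitly opt-in). These are
// presence checks only; detecting a missing clause is out of scope here.
const PATTERNS = [
  { id: "biometric-without-optin", category: "Data Collection", severity: "critical",
    regex: /\b(biometric|fingerprint|faceprint|facial recognition|voiceprint)\b/i,
    unless: /\b(opt[- ]?in|explicit consent|with your consent)\b/i },
  { id: "indefinite-retention", category: "Data Retention", severity: "critical",
    regex: /\b(indefinitely|for as long as we (deem|consider) (necessary|appropriate))\b/i },
  { id: "sale-without-optout", category: "Data Sharing", severity: "critical",
    regex: /\b(sell|sale of|selling)\b.{0,80}\b(personal|your) (data|information)\b/i,
    unless: /\b(opt[- ]?out|do not sell)\b/i },
  { id: "third-party-sharing", category: "Data Sharing", severity: "warning",
    regex: /\b(share|disclose|provide)\b.{0,60}\b(third[- ]part(y|ies)|partners|affiliates)\b/i },
  { id: "cross-context-advertising", category: "Data Sharing", severity: "warning",
    regex: /\b(targeted|behavioral|interest[- ]based|personalized) (advertising|ads)\b/i },
  { id: "vague-security-language", category: "Security", severity: "warning",
    regex: /\b(reasonable|appropriate|industry[- ]standard) (security|safeguards|measures)\b/i },
];

// Naive sentence splitter; adequate for policy prose once whitespace is normalized.
function splitSentences(text) {
  return text.replace(/\s+/g, " ").trim().split(/(?<=[.!?])\s+/).filter(Boolean);
}

// Grade thresholds are assumed.
function letterGrade(score) {
  return score >= 90 ? "A" : score >= 80 ? "B" : score >= 70 ? "C" : score >= 60 ? "D" : "F";
}

// Each category starts at 100. A pattern deducts once per policy (first
// triggering sentence) so a repeated boilerplate phrase cannot zero a category
// on its own. Every finding carries the evidence needed to audit it.
function analyzePolicy(text) {
  const scores = Object.fromEntries(Object.keys(CATEGORY_WEIGHTS).map((c) => [c, 100]));
  const findings = [];
  const fired = new Set();
  for (const sentence of splitSentences(text)) {
    for (const p of PATTERNS) {
      if (fired.has(p.id) || !p.regex.test(sentence)) continue;
      if (p.unless && p.unless.test(sentence)) continue;
      fired.add(p.id);
      const deduction = DEDUCTION[p.severity];
      scores[p.category] = Math.max(0, scores[p.category] - deduction);
      findings.push({ pattern: p.id, regex: p.regex.source, category: p.category,
                      weight: CATEGORY_WEIGHTS[p.category], severity: p.severity, deduction, sentence });
    }
  }
  const weighted = Object.entries(scores).reduce((sum, [c, s]) => sum + s * CATEGORY_WEIGHTS[c], 0);
  const total = Math.round(weighted);
  return { scores, total, grade: letterGrade(total), findings };
}

// Constructed sample policy text (not taken from any real company).
const SAMPLE_POLICY = `
  We collect your name, email address, and device identifiers.
  We may share your information with trusted partners and affiliates for marketing purposes.
  We work with advertising partners to show you personalized ads.
  We sell personal information to data brokers.
  We retain your data indefinitely.
  We use reasonable security measures to protect your information.
  We collect facial recognition data only with your explicit consent.
`;

const report = analyzePolicy(SAMPLE_POLICY);
console.log(`Grade ${report.grade} (${report.total}/100)`);
for (const f of report.findings) {
  console.log(`[${f.severity}] ${f.category} -${f.deduction}: "${f.sentence}" (pattern ${f.pattern})`);
}
```

Two details are worth noticing. The last sentence of the sample mentions facial recognition but is suppressed by its opt-in clause, so the exception logic, not a human, decides it is not a finding. And the first sentence, which lists collected data, produces nothing at all, because no pattern covers plain collection statements: that silence is the coverage limit of regex detection, and it is why a clean score only says that no documented pattern fired.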
Three design decisions that connect them
RuleBrief and PrivacyPeep were built at different times for different audiences. But three design principles turned out to be the same in both.
Explainability
Every output traces to a source. A RuleBrief summary links to the original Federal Register notice or state attorney general press release. A PrivacyPeep result quotes the specific sentence in the policy that triggered the pattern match. Neither tool asks you to trust a score without showing you where it came from. This is not a feature we added later. It is a structural constraint we designed around from the start, because in regulated domains, an answer without provenance is not useful — it is a liability.
Local-first where it matters
PrivacyPeep runs entirely in the browser. RuleBrief delivers to your inbox and dashboard — no portal login required to receive the brief. In both cases, the design minimizes the amount of sensitive information the user has to entrust to us. PrivacyPeep never sees your policy text. RuleBrief never asks for your company's internal compliance posture. We monitor public regulatory sources and deliver personalized output; we do not collect or store the private information that makes your compliance situation unique.
Published methodology
PrivacyPeep's scoring rubric — the category weights, deduction values, and grade thresholds — is documented and available for scrutiny. RuleBrief's regulatory sources are listed. When an output disagrees with your expectation, you can examine the inputs and judge for yourself. We do not claim authority. We show the work and let the output stand on its own.
Why both, and why now
The regulatory environment after GDPR, CCPA, and the EU AI Act moves faster than most small and mid-size businesses can track. The FTC has restructured its enforcement posture around data practices multiple times in recent years. State privacy laws are proliferating — not just California, but Colorado, Connecticut, Virginia, and others, each with different requirements and timelines.
At the same time, consumers have been told for twenty years to "just read the privacy policy." Most people know this is impractical. The average privacy policy runs several thousand words at a graduate reading level. The suggestion was always a polite deflection: if you're harmed by a company's data practices, the company can point to the policy you accepted.
These two products are not separate ideas. They are the same problem — the distance between what regulations require and what users are told — addressed from two sides. RuleBrief helps the business stay informed about regulatory changes that may be relevant to their operations. PrivacyPeep helps everyone else evaluate what a company's privacy policy actually says. Together, they surface both sides of the compliance conversation: what changed, and what the public-facing document currently promises.
What this reveals about how we build
The pattern behind both products is the same one behind everything we ship: the output must be traceable, the methodology must be visible, and the user should not have to take our word for it.
We build for domains where getting it wrong has consequences — fines, enforcement actions, broken trust. In those domains, a tool that produces an answer without showing its reasoning is not useful. It creates a new kind of dependency without the accountability framework that comes with professional licensure. Neither RuleBrief nor PrivacyPeep replaces licensed professionals — they are information tools that surface what changed and what a document says, so the people responsible for compliance decisions have better inputs when they consult their own advisors.
The shared standard is that the system can explain itself. It means the inputs are cited, the scoring is documented, and the output includes enough context for someone to disagree with it intelligently. That principle applies whether the system is summarizing a regulatory notice, scoring a privacy policy, or ranking a financial signal. The domain changes. The standard does not.
Both tools are live. RuleBrief delivers personalized regulatory briefs for businesses operating in regulated environments. PrivacyPeep is free, runs in your browser, and requires no account. If you're building compliance workflows and want to discuss how evidence-first design applies to your domain, reach out →
Important notice
This article is for informational and educational purposes only and does not constitute legal, regulatory, or professional advice. RuleBrief is an information service, not a law firm. It does not provide legal counsel or create an attorney-client relationship. Summaries and classifications are general in nature, may not be complete or current, and are not a substitute for advice from a licensed attorney with knowledge of your specific situation. You assume full responsibility for all compliance decisions you make. PrivacyPeep produces automated, opinion-based scores generated by pattern-matching algorithms. All scores, grades, and findings are expressions of opinion — not statements of fact, legal conclusions, determinations of compliance or non-compliance, or findings of violations by any company. PrivacyPeep analyzes what policies say, not what companies do in practice. Results are not a substitute for professional legal counsel. Neither tool provides advice related to HIPAA, GDPR, CCPA, or any other specific regulation. Consult a licensed attorney for guidance specific to your situation. See each product's full terms: RuleBrief Terms · PrivacyPeep Terms · PrivacyPeep Disclaimer.