by Vladan Mijatović
Tags: compliance, philosophy, skill-os

Compliance without consultants. GDPR + EU AI Act at Pro tier.

Most compliance work for a solo founder is paperwork plus a checklist. Skill OS ships both, and Fino runs them with you.

Educational reflection. Fino is not a licensed advisor, doctor, lawyer, or therapist.

When you read the GDPR for the first time, the obvious move is to find a consultant. The consultant will charge you $2,200 to $8,800, ask you for everything you have, write a report, and hand you a list of things to do. You then do those things at typing speed, alone, in the same Notion you live in.

We thought: what if the report was a skill, the list was a checklist, the typing was a draft Fino wrote, and the consultant was the editor of last resort?

That is the bet behind shipping compliance work at Pro tier.

What Pro tier actually covers

Three regulatory regimes, baked in:

All figures below are USD (Pro tier $99 / month) and rough industry-survey ranges (Iubenda annual GDPR readiness benchmark + IAPP 2025 consultant rate cards). Your mileage varies by region and complexity.

  • GDPR for any EU-touching data flow. Article 5 principles, Article 13 disclosures, Article 30 records, DPIA when triggered.
  • EU AI Act for any product that uses an AI system. Risk class, transparency obligations, GPAI documentation, internal governance.
  • Consumer-facing safety floors. Telegram + iOS + Play store + DMA-adjacent obligations when you sell direct.

Each of these has a corresponding skill in the base catalog. Each skill knows what to ask, what to draft, what to leave for the human, and what triggers a real lawyer.

How a compliance pass actually runs

You message Fino. "I want to run a GDPR readiness pass on AcmeCo." The skill loads. It asks you 8 to 12 structured questions: where are you registered, where are your servers, who processes payments, which third parties touch user data, what categories of data do you collect, is there any sensitive data, do you target children, do you sell B2C or B2B, what is your retention policy.

You answer in plain language. The skill builds:

  1. A draft processing register (Article 30).
  2. A draft privacy notice (Article 13).
  3. A retention schedule.
  4. A list of DPA gaps (who you need a DPA with).
  5. A risk class for the AI Act if you use AI in the product.
  6. A short list of things that need a real lawyer.

That last point is the load-bearing one. Compliance work has a long tail of cases where a human lawyer is the only correct answer. The skill never pretends otherwise. The framing across every compliance skill is "draft, then human." The skill drafts. The human signs.

The cost math

Median spend for a solo founder to reach GDPR baseline with a consultant: roughly $3,800 + 6 to 10 hours of internal time.

Median spend with Skill OS on Pro tier: $99 / month flat + 2 to 4 hours of internal time, plus an optional 1-hour lawyer consult for the residual risk items (roughly $220 to $440).

The total stays in three digits instead of four. The difference is not because the skill is smarter than the consultant. It is because the skill is faster at the structured work, leaves only the unstructured work to the human, and you pay for the human in 1-hour increments instead of retainers.

What we will not pretend

We will not pretend the skill is a lawyer. The framing on every compliance reply states this in one line. The framing on every advisor-shaped reply (Stoic, Coach) also states this. We are explicit about Fino's role: drafter, not signer.

We will also not pretend the regulatory map is finished. The EU AI Act has rolling deadlines through 2027. National implementations vary. The skill ships with a last_updated date and a valid_until date when applicable, so you know whether the answer is current.

What this unlocks

The most expensive thing about compliance is not the consultant fee. It is the founder hours spent in a state of "I do not know what I do not know." That state is what consultants are paid to remove. A skill can remove the same state at the moment you ask, which is usually 11pm before a launch, not Tuesday during a 90-minute scheduled call.

A founder who knows where they stand sleeps better, ships faster, and onboards their first compliance-sensitive client without an emergency.

Where Pro tier ends

Pro tier covers GDPR + AI Act + consumer safety floors for a single product, a single legal entity, a single country of incorporation. Multi-entity, multi-region, B2B SaaS with enterprise security questionnaires, ISO 27001 readiness, SOC 2 readiness: these belong on Max tier (more structured skills, deeper outputs) or Ultra tier (skills + ongoing human review). We will not upsell you. The catalog tells you which tier each skill lives at.

How to start

The fastest way to feel it is to message Fino "run a compliance readiness pass." The skill asks the structured questions, the draft lands in your inbox in under an hour, and you get a clean view of what is done, what is drafted, and what is residual risk.

You will still want a lawyer for the last 10 percent. You will not need one for the first 90.
