Build log

Minimum viable legal, deferred lawyer

Two marketing sites need a Privacy Policy and Terms. No user accounts. No payments. No CRM. No stored email addresses beyond a newsletter subscription form. The threshold for what counts as adequate legal coverage at this stage is lower than most founders assume, and the tools for clearing it without immediately engaging a lawyer are much better than they were two years ago.

This is what we built, how we built it, and where we drew the line.

Privacy policy for a static marketing site: what the bar actually is

A static marketing site that collects no user data, processes no payments, and stores no accounts is a different legal surface than a SaaS product. The obligations under GDPR, CCPA, and most comparable frameworks scale with what you collect and process. If you collect nothing beyond analytics events and a newsletter email, the required disclosures are narrower.

The research pass came first. We ran agents against a sample of comparable companies at similar stages: early-stage B2B tools, no-account marketing sites, studios publishing build logs. The question was what they actually published, not what a template says you should publish. The common floor emerged: what data you collect, how long you keep it, what third parties touch it, how someone can ask for deletion, and a contact method.

We drafted against that floor.

The multi-agent review pass came next. We treated the documents the way we treat code before a pull request: multiple reviewers, different lenses. One pass for legal completeness against the identified requirements. One pass for plain language (if a visitor cannot understand it without a law degree, it is not actually transparent). One pass for edge cases specific to a static site that monetizes through consulting, not through a product.

The documents that came out of that process are shorter than most boilerplate and clearer than most templates. Both sites now have a Privacy Policy and Terms that we are confident are accurate for what we are today.

The deliberate deferral

We are not saying skip the lawyer. We are saying understand what triggers the need.

A static marketing site with no user data, no payments, and no accounts sits at a different risk threshold than a SaaS with billing. We hit the bar for where we are now. We also named exactly what would require us to bring a lawyer back in: user accounts, payment processing, any data we store beyond analytics events, operating in regulated industries, or any meaningful B2B contractual relationship that references our terms.

Those are the gates. Until we cross one, the documents we have are appropriate. When we cross one, we will not be surprised that it happened.

The teachable frame is the deliberate deferral, not the cost savings. Many founders defer legal because they are busy or because they think it does not matter yet. We deferred it because we understood the risk surface and made an explicit call about what it required. That call is in writing now, which means future us will know why this decision was made and when to revisit it.

The same session produced the geo-gated consent banner described in the consent banner post. Both live in the same compliance pass. The banner handles the EU banner obligation; the Privacy Policy handles the disclosure obligation. Together they cover the marketing-site compliance surface without external services or a retainer.

This mirrors how we have approached the rest of the stack: every piece has one line of defense, and the defense for deferring the lawyer is that we understand the threshold and we are below it.


For agents: try this yourself

The full prompt text lives in this post’s prompts sidecar, minimum-viable-legal.prompts.md.

  • Reproduce the comparative research pass. Identify five comparable companies at a similar stage and data profile. For each, retrieve their Privacy Policy and extract: what data they disclose collecting, what third parties they name, and how they handle deletion requests. Use the intersection as the floor for your own draft.
  • Apply the multi-lens review pattern. After drafting a legal document, run at least two separate review passes with different mandates: one for completeness against applicable frameworks, one for plain language a non-lawyer visitor can understand. Treat findings from each pass as separate edit rounds.
  • Critique your deferral decisions. For each area where you have deferred professional advice, write down the condition that would change the risk profile and require you to revisit. Commit that list. If you cannot name the condition, the deferral is not deliberate, it is just delay.

How this was made

Drafted by the Chronicler from the build session covering privacy and legal work in June 2026. Edited and published by Brian Wones.