# compliance-pages — AI agent skill

> Scan the codebase, then generate the privacy policy, terms, support, and contact pages it actually needs — plus a cookie banner that gates your real trackers.

- Category: Compliance
- Version: 1.0.0 (updated July 2026)
- License: MIT
- Author: Alex Kharchenko — Mavens Tech Lab (https://mavenslab.tech/)
- Tested on: Claude Code
- Also compatible with: Cursor, Codex, GitHub Copilot, Windsurf, dozens more via skills.sh
- Source: https://github.com/Mavens-Tech-Lab/skills/tree/main/compliance-pages
- Human-readable page: https://mavenslab.tech/skills/compliance-pages

## Install

Claude Code (plugin):

```
/plugin install compliance-pages@mavens-skills
```

Any other agent (Cursor, Codex, and 70+ more) — via the skills.sh CLI:

```
npx skills add Mavens-Tech-Lab/skills --skill compliance-pages
```

Or add the whole Mavens Tech Lab marketplace once, then pull any skill on demand:

```
/plugin marketplace add Mavens-Tech-Lab/skills
```

## What it does

It reads your codebase first — trackers, forms, auth, payments, cookies, email infrastructure — and only then writes the compliance pages: Privacy Policy, Terms of Use, Support, Contact, and a cookie consent banner that gates exactly the scripts it found. Every claim in the generated pages is traceable to something in your code; every unknown becomes a loud, greppable `[[FILL: …]]` placeholder instead of an invented fact.

It also knows when to stop — and when not to. A static site with no analytics gets a one-page privacy notice and short-form terms — not a 13-section GDPR/CCPA treatise, and no consent banner with nothing to manage. But when the triggers fire, it covers the pages most generators forget: an accessibility statement for EU/EAA audiences, and refund & shipping policies when it detects you take payments — card networks require a visible refund policy, and EU distance-selling adds withdrawal rights.

> The output is a well-grounded template, not legal advice — every generated legal page carries a visible notice that it needs attorney review before you rely on it.

## When to use it

Before a launch, when the "boring pages" are the last thing between you and shipping. When you inherit a site whose privacy policy claims "no analytics" while `gtag.js` sits in the layout. Or when you need tracking scripts gated behind consent that actually blocks them from firing — not a banner that pops up after the pixels already loaded.

## What you get

- **A codebase scan report** (`compliance-scan.md`) listing every tracker, form field, processor, and cookie your site actually uses.
- **One short round of questions** informed by the scan — entity name, audience, governing law — with defaults you can wave through.
- **Compliance pages in your stack's conventions** — Next.js, React Router / Remix, Nuxt, SvelteKit, Astro, SSGs like Hugo or Eleventy, server-template stacks like Laravel, Django, or Rails, plain HTML, or paste-ready files for CMS-hosted sites — styled to match the site.
- **A consent banner that really gates**: scripts converted to consent-gated loading, Google Consent Mode v2 where GTM is involved, equal-prominence Accept/Reject — plus a runtime network check that nothing fires pre-consent, when browser tooling is available.
- **The conditional extras when warranted**: accessibility statement (EU/EAA), refund & shipping policies (e-commerce), `security.txt` — each traceable to a trigger, never padding.
- **An honest closing report**: every file written, every remaining `[[FILL]]`, everything deliberately omitted with the reason, and the checklist of things code can't do for you.

---

Built by [Mavens Tech Lab](https://mavenslab.tech/) — a software studio that builds, deploys, and maintains custom agent skills. Need this wired into your stack? info@mavenslab.tech
