Building a complex SaaS was the easy part. Now I need proof.
I've spent the last several months building PrivacyKit, a GDPR consent management platform SaaS.
I built it because I became frustrated with how most CMPs stop at collecting consent and leave enforcement and validation to the customer.
Most compliance scans I've tested tell you which cookies they found. The more important question is which trackers are running, when they're running, and whether they're respecting user consent. That's the problem I built PrivacyKit to solve.
PrivacyKit combines consent collection, consent enforcement, and runtime compliance validation in one platform.
The challenge now isn't visibility, it's proof.
I genuinely believe I have something better than most of the alternatives I've looked at. The problem is that being right about the product doesn't make people buy it.
What I need most right now is proof that real websites are using PrivacyKit, proof that it works in production, and proof that founders trust me enough to put it on their own sites.
If you're a founder running your own website using Google Analytics, Google Advertising, Meta Pixel, HubSpot, or similar tracking technologies, preferably with a real brand and real traffic, I'd love to work with you.
In return, you'll get 6 months free, direct access to me as the developer, and my full attention when it comes to onboarding, support, and feedback.
My goal is simple: help a handful of founders improve their GDPR compliance, learn from real-world usage, and build the references and case studies needed to earn trust in the market.
If that sounds interesting, I'd love to hear from you.
The point about one specific workflow getting 3x more replies than what do you think landed. I tested something similar with cold outreach and the more specific the ask the more useful the response.
The case study advice here is right, I'd just add that proof has a shelf life problem with compliance specifically. A before/after that shows trackers firing pre-consent is strong the day you capture it, but a buyer's first thought is 'does it keep working when my site changes'. So the proof that converts isn't only the catch, it's the catch plus evidence it held over a few weeks of the site being live. If you can show one site where you flagged something, they fixed it, and it stayed clean through later changes, that's the version a nervous buyer actually trusts. Harder to produce, much harder to argue with.
You hit the mark!
Most CMPs seem to assume: configure once → compliant forever.
The challenge is that websites don't stand still. Marketing teams add tags, developers deploy changes, agencies install integrations, and a setup that was compliant last month may not be compliant today.
That's what led me to build PrivacyKit's Compliance Monitor.
For PrivacyKit, the real payoff isn't whether a site is compliant today, but whether it remains compliant as the site evolves over time.
The gap you identified between collecting consent and actually enforcing it is real. Most CMPs are checkbox compliance, not actual enforcement. That's a legitimate product edge and you're right that being right about the product doesn't make people buy it.
On getting that first proof: the fastest path I've seen is finding one person at a SaaS company who's personally nervous about a GDPR audit. Not the company in general — one specific person who will lose sleep over it. That person becomes your reference customer because they have personal skin in the game, not just organisational buy-in.
The 6 months free offer is the right instinct. What does your outreach look like right now — cold email or warm intro?
Thank you for taking the time to understand the product and the gap I'm trying to address. Most conversations about CMPs quickly end up focusing on consent banners, while the enforcement side is largely ignored.
Right now my outreach is mostly cold. I've been reaching out directly to website owners with realtime findings from their websites - the response rate is remarkably low even though these are serious GDPR issues that normally will be reviewed further under a privacy or GDPR compliance audit.
For a complex SaaS, proof usually matters more than feature depth.
I’d try to get evidence in the simplest possible format: before/after workflows, time saved, fewer manual steps, cleaner output, or a specific decision the user could make faster because of the product.
Early users don’t always need a huge case study. Sometimes one clear example is enough: “before, this took 40 minutes; now it takes 5” or “before, this process was scattered across 3 tools; now it is one workflow.”
If the product is complex, the proof should be simple.
I agree with the principle. The challenge with compliance software is that the proof usually isn't measured in minutes saved or fewer clicks.
For PrivacyKit, the simplest proof tends to be something like: "Google Analytics was firing before consent was granted. Now it isn't." Or "A tracker was operating in a way that was inconsistent with the user's consent choice. Now it isn't."
In that sense, I think the strongest proof is often a single concrete finding and its resolution rather than a long feature list.
The "proof" problem is real and underrated. I hit a version of it with EarningsScores — 6 users, all from organic search, but I couldn't tell if they found value or just never came back. "People signed up" is not proof. "People came back" is.
One thing that worked for me: instead of asking users to try the product, I asked them to try one specific workflow and tell me where it broke. That framing gets 3x more replies than "what do you think?" It also generates the kind of testimonial that sounds real — "I ran it on my site and it caught a tracker I didn't know was firing" beats "great tool, highly recommend."
For the proof you actually need — you don't need 100 sites. You need 3 sites where you can document exactly what PrivacyKit caught that their current setup missed. Case studies beat signups at this stage.
That's actually very close to how I've been approaching it. Rather than asking for general feedback, I've been identifying specific tracker behavior on real websites and sharing the findings with the site owners.
The interesting part is that even when I can provide evidence that a website appears to be operating in a way that is inconsistent with GDPR consent requirements, the response rate is still remarkably low. Sometimes it feels less like I'm offering help and more like I've shown up carrying a contagious disease.
I like that you said being right about the product doesnt make people buy, thats the part founders usually learn last. People usually patch this with Hotjar or Typeform first, I built ScoresPulse because I wanted one cheap pulse after onboarding that shows what almost convinced someone and what blocked trust. tbh your first proof probably comes from 3 manual onboarding calls and the same objection repeating, not more feature work.
Thank you for the feedback. The irony is that getting someone to spend 30 minutes discussing GDPR compliance has proven harder than building the platform itself.
The line about being right not making people buy is the whole game. The first references rarely come from a pitch. They come from you doing the onboarding by hand for one founder and turning what you learn into the case study. One thing on the 6-months-free offer though: reference customers who pay nothing tend to give nothing back, no urgency to integrate and thin feedback. You might get sharper signal asking for a small fee plus a written case study as the trade, so the people who say yes have some skin in it. For a compliance tool the proof that actually converts is probably a before and after on one real site, trackers firing pre-consent and then not.
Appreciate the thoughtful reply. I agree that a real before-and-after on a production site is probably stronger proof than a generic testimonial, especially for a compliance product.
Where I differ slightly is on the free offer. PrivacyKit isn't really a novelty or productivity app that people try for a week and forget about. It's infrastructure. If someone puts it into production, they're trusting it to help manage compliance risk on their website going forward.
That's why I see a production deployment as meaningful proof in itself. Whether the first customer pays on day one is less important to me than whether they're getting real value from the product and are willing to stand behind it as a reference or case study.
'I genuinely believe I have something better than most of the alternatives I've looked at. The problem is that being right about the product doesn't make people buy it.' You are right.
"Being right about the product doesn't make people buy it."
That line hit hard.
I'm Minchul, 57, former construction manager from Korea.
Built Slash it — an Email Decision OS.
Product is live. Proof is what I'm chasing too.
Good luck finding your first real users.
Thanks, Minchul. Sounds like we're both at the proof stage. I tried looking up Slash It but couldn't find it online. If you have a website up, I'd be happy to take a look and give you some feedback, if that's something you'd find useful.
Appreciate it! Here you go:
https://ai-basket.vercel.app/slash-en
Would love your feedback.
Thanks for sharing. I left some feedback on your own post, so I'll keep this thread focused on PrivacyKit. 🙂
This is a strong problem, but I think the risky part is the offer shape.
“6 months free” is generous, but for this kind of product the founder’s real hesitation is not price. It is trust, implementation risk, and whether putting a compliance layer on their live site creates more anxiety than confidence.
So the proof problem is not just getting users. It is getting the right first websites where the trust story becomes believable.
I would not solve that loosely in the thread because the wrong first users can give you activity without creating usable proof.
Send me your email and I’ll put the tighter first-proof path together properly.
Good point. That's also why I'm looking for a handful of founders rather than trying to maximize adoption. The goal isn't activity for activity's sake - it's building proof that future customers can trust. I'm confident in the product, but confidence isn't proof. Real-world usage, references, and feedback are.
Exactly. That’s the right distinction.
Confidence helps you keep building, but proof has to be designed more carefully. Otherwise you can get usage and feedback that feels useful but does not actually make the next customer trust the product faster.
I’d turn this into a clean first-proof path rather than more general founder outreach.
If useful, share your email and I’ll write the tighter version properly.
Thanks. I agree that credible proof matters more than raw adoption. That's exactly why I'm looking for a small number of real production websites rather than trying to maximize signups.
If you're running a website that uses analytics or marketing trackers yourself, I'd be happy to take a look at it as well.
I get that.
Just to be clear, I usually do this as a paid written pass, not as free product testing. I’ve done similar first-proof / positioning work for other founders too, where the useful part is turning the early traction path into something specific and usable.
If you want that tighter first-proof path, happy to write it properly. Otherwise no worries.
Thanks for clarifying. I appreciate the offer. For now I'm going to continue focusing on finding a handful of credible production deployments and building proof through real-world usage, references, and case studies. Best of luck with your positioning work.
Totally fair. That sounds like the right focus for where you are now.
Good luck with the production deployments.