Last weekend we scanned 3,030 deployed apps built with Lovable, Bolt, Replit, Vercel, and Netlify. 120 of them (4%) had critical vulnerabilities. The legal exposure is worse than the technical one.
92 apps had Supabase tables with user data (profiles, registrations, orders, clients) readable by anyone with the public anon key. 3 more had API endpoints returning real PII without any authentication. 2 had payment webhooks accepting unsigned events.
Under current privacy law, every one of these is a potential violation with real financial penalties.
What we found
Our scanner ran 80+ modules against each app. 306 critical findings across 120 apps. Here's the kind of data that was exposed:
- Newsletter subscriber emails on a math tutoring app, readable via the Supabase anon key
- 16 financial clients with names, emails, and phone numbers on a net worth tracking app, accessible via `GET /api/contacts` with no auth
- 18 client emails and 15 phone numbers on a personal trainer app
- Job applicant registrations with emails and phone numbers on a job board
- Restaurant orders and customer data on multiple food delivery apps
- User profiles with phone numbers on an editing platform
- Sales leads in a Firestore collection, readable by anyone without authentication
None of these apps require authentication to access this data. A single curl command returns everything.
GDPR: up to 20 million euros
The EU's General Data Protection Regulation applies to any app that processes data of EU residents, regardless of where the developer is based.
- Article 32 requires "appropriate technical and organisational measures" to ensure security. An open Supabase table with no RLS is the opposite of appropriate.
- Article 33 requires breach notification to the supervisory authority within 72 hours of becoming aware. If you're reading this and your app is affected, the clock may have started.
- Article 34 requires notification to affected individuals if the breach is "likely to result in a high risk." Leaked email addresses and phone numbers qualify.
- Article 83 sets fines up to €20 million or 4% of global annual revenue, whichever is higher.
"I didn't know" is not a defense. The controller is responsible for security regardless of technical expertise. The regulation requires data protection by design and by default (Article 25). An AI-generated app with zero access controls fails this test by definition.
CCPA: consumers can sue you directly
California's privacy law gives consumers a private right of action for data breaches caused by a failure to maintain reasonable security: statutory damages of $100 to $750 per consumer per incident (or actual damages, whichever is greater), with no need to prove actual harm. Separately, the state can seek civil penalties of up to $7,500 per intentional violation. It applies to any covered business that collects personal information of California residents.
The net worth tracking app we found had 16 records with real names, emails, and phone numbers. If any of those people are California residents, the statutory damages could reach $12,000 from a single unauthenticated API call. A class action could multiply that.
20+ US states, Brazil, and counting
Beyond California, 20+ US states now have comprehensive privacy laws: Texas, Florida, Oregon, Montana, Colorado, Connecticut, Virginia, and more. They all require "reasonable security measures." An app with no access controls on its user database fails every interpretation of "reasonable."
Brazil's LGPD carries fines up to 2% of revenue. One of the apps we found with exposed PII had Portuguese-language content and likely processes Brazilian user data.
Why vibe-coded apps are uniquely exposed
Traditional apps go through some version of security review before production, even if it's informal. Vibe-coded apps skip every checkpoint.
- The AI optimizes for "it works." When you prompt "build me a fitness tracker with user accounts," the AI builds the CRUD, the UI, the routing, and ships with Supabase tables wide open. Nobody asked it about compliance.
- Supabase's anon key is designed to be public; what protects the data is Row Level Security, and for tables created with plain SQL (which is how AI tools write migrations) RLS is off by default. Without it, the anon role's default grants on the public schema let anyone holding the key read, and usually write, the whole table through the REST API. The AI doesn't enable it because the app works without it during development. By the time real users sign up, the vulnerability is in production.
- No privacy-by-design review happens. No DPO, no privacy impact assessment, no data processing agreement with Supabase. The app goes from prompt to deployed in an afternoon.
- The developer doesn't know what GDPR requires, and the AI doesn't tell them. When was the last time an LLM said "before we deploy, let's complete a Data Protection Impact Assessment"?
- No cyber liability insurance. Most vibe-coded apps are built by solo founders or small teams. A single GDPR complaint could cost more than the app will ever earn.
The scale
We scanned 3,030 apps in one weekend. There are hundreds of thousands of vibe-coded apps deployed right now. Lovable alone has 8 million users. If our 4% critical rate holds across the ecosystem, that's tens of thousands of apps exposing user data in violation of privacy law.
Georgia Tech's Vibe Security Radar tracked 35 CVEs from AI-generated code in March 2026 alone, up from 6 in January. Every week, more apps go live without security review.
The 72-hour clock
Once you know your app has exposed personal data, you may have a legal obligation to report it. Under GDPR Article 33, the 72-hour notification clock starts when the controller "becomes aware" of the breach.
If you're running a vibe-coded app with Supabase, check your RLS policies right now. If any table with user data has RLS disabled, and any EU resident has used your app, you likely have a reporting obligation.
How much risk are you actually at?
Not every non-compliant app will get fined. Enforcement is risk-based and complaint-driven. Here's a realistic breakdown:
Low risk: hobby project / internal tool
No real users, no EU data, no commercial purpose. Technically non-compliant, but regulators have bigger fish to fry. Fix it before you launch publicly.
Medium risk: early SaaS / side project with real users
Real people signed up, you have their emails. One angry user filing a complaint with their local DPA triggers an investigation. Fines are unlikely to be maximum, but the process is expensive and distracting. Most apps we scanned are here.
High risk: B2B SaaS / scaling / processing sensitive data
Enterprise customers will ask for SOC 2, DPA, and privacy impact assessments. Health, finance, or education data has sector-specific rules on top of GDPR. A breach here means losing customers, not just paying fines. The therapist booking app, the financial client tracker, the personal trainer app we found — all in this tier.
Enforcement is real though. The EU issued €2.1 billion in GDPR fines in 2025. The trend is more enforcement, not less, and regulators are starting to pay attention to AI-generated applications.
Minimum viable GDPR: 8 things you can do in one hour
You don't need a lawyer to get 80% compliant. Here's the practical checklist:
- Enable Supabase RLS on every table. Open your Supabase dashboard → Authentication → Policies → enable RLS on each table (the Table Editor and the SQL editor can do the same). This is the single highest-impact fix, and it takes 5 minutes. Two caveats: RLS with no policies blocks every read and write from the anon and authenticated roles, so the app will break until you add policies that scope rows to the signed-in user's id; and the service_role key bypasses RLS entirely, so it must only ever be used server-side. Re-run the unauthenticated test in the next step after flipping it.
- Test your own API without auth. Open a terminal on a machine that holds no session cookie or token and run `curl https://yourapp.com/api/users`. If it returns data, you have an auth bypass. Do the same for `/api/contacts`, `/api/orders`, `/api/settings`, and `/api/admin`, and for the Supabase REST endpoint of every table using only the anon key. Add auth middleware to anything that responds with data.
- Add a consent checkbox to your signup form. Unchecked by default, linked to your privacy policy, required to submit. Strictly, creating the account itself is usually processed on the contract basis of Article 6(1)(b); the checkbox records Article 6(1)(a) consent for anything beyond that, such as a newsletter, and it is the evidence you will be asked for. Takes 2 minutes in your UI code.
- Add a privacy policy. It doesn't need to be written by a lawyer. It needs to accurately describe: what data you collect, why, who you share it with (Supabase, Stripe, etc.), how long you keep it, and how users can delete their data. Use a template from gdpr.eu and customize it.
- Add a "delete my account" button. GDPR Article 17 requires it. When clicked, delete the user record and all associated data (scans, orders, profiles). Return confirmation. This can be a single API endpoint.
- Add a cookie banner if you need one. A session cookie that only keeps the user logged in is strictly necessary for the service they asked for and is exempt from the consent requirement, so a login-only app needs a cookie policy page that lists it, not a pop-up. The moment you add analytics, ads, or any third-party tracking script, you need prior consent. It doesn't need to be complex: "We use cookies for analytics. Learn more. [Accept] [Reject]" is sufficient, as long as nothing non-essential is set before the user accepts.
- Check your webhook signatures. If you use Stripe, Paddle, or LemonSqueezy, verify the webhook signature against the raw request body before processing events, and reject anything that fails. This is a security issue AND a compliance issue: accepting forged payment events means your transaction records are unreliable.
- Remove secrets and PII from your frontend bundle. Search your built JS for email addresses, API keys, and connection strings. The Supabase anon key is designed to ship in the bundle; the service_role key, database connection strings, and third-party secret keys are not, and anything of that kind found there must be rotated, not just removed, because it has already been served to every visitor. Use environment variables and server-side API calls.
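The webhook check in the list above, as an added example in Python that is not the page's own code: it implements Stripe's signature scheme (a Stripe-Signature header of the form t=<unix time>,v1=<hex>, where v1 is HMAC-SHA256 over "<t>.<raw body>" keyed with the endpoint's signing secret), with a constant-time comparison and a five-minute replay window. The signing secret and the event body are constructed, not real. Paddle and LemonSqueezy use their own header names and signed strings, so check their docs before reusing the header parsing. The mistake that silently breaks this in real handlers is hashing a re-serialised JSON object instead of the raw request bytes.

```python
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

TOLERANCE_SECONDS = 300   # Stripe's default replay window


def parse_signature_header(header: str) -> Tuple[Optional[str], List[str]]:
    """Split 't=1700000000,v1=abc...,v1=def...' into the timestamp and all v1 signatures."""
    timestamp, signatures = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            signatures.append(value)
    return timestamp, signatures


def compute_signature(secret: str, timestamp: str, payload: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' with the endpoint signing secret as key."""
    signed = timestamp.encode() + b"." + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def verify_signature(payload: bytes, header: str, secret: str, now: Optional[int] = None) -> bool:
    """True only if a v1 signature matches the raw body and the timestamp is fresh."""
    timestamp, signatures = parse_signature_header(header)
    if timestamp is None or not timestamp.isdigit() or not signatures:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - int(timestamp)) > TOLERANCE_SECONDS:
        return False                      # stale: a replayed capture of a real event
    expected = compute_signature(secret, timestamp, payload)
    # constant-time compare against every v1 (Stripe sends several while a secret is rotated)
    return any(hmac.compare_digest(expected, sig) for sig in signatures)


def handle_webhook(raw_body: bytes, header: str, secret: str, now: Optional[int] = None) -> dict:
    """Shape of the route handler: reject before parsing, trust the event only afterwards."""
    if not verify_signature(raw_body, header, secret, now):
        return {"status": 400, "error": "invalid signature"}
    event = json.loads(raw_body)
    # only now is event["type"] / event["data"] safe to act on (mark the order paid, etc.)
    return {"status": 200, "type": event.get("type")}


# ---- constructed fixtures: not a real signing secret or a real Stripe event ----
SECRET = "whsec_constructed_example_secret"
EVENT = b'{"id":"evt_1","type":"checkout.session.completed","data":{"object":{"amount_total":4900}}}'


def sign(secret: str, payload: bytes, timestamp: int) -> str:
    """Build the header Stripe would send; used here only to exercise the verifier."""
    return f"t={timestamp},v1={compute_signature(secret, str(timestamp), payload)}"


if __name__ == "__main__":
    ts = int(time.time())
    print(handle_webhook(EVENT, sign(SECRET, EVENT, ts), SECRET))           # accepted
    print(handle_webhook(EVENT, sign("whsec_wrong", EVENT, ts), SECRET))    # rejected
```

Pass the exact bytes your framework received into handle_webhook (Express needs the raw-body parser for that route, FastAPI gives you await request.body()); any middleware that parses and re-encodes JSON first will change whitespace and the HMAC will never match.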
That's it. Eight steps, one hour, and you've addressed the most common violations we see in vibe-coded apps. None of these require a lawyer, a DPO, or a compliance consultant.
Compliance as competitive advantage
GDPR compliance isn't just about avoiding fines. It's a distribution advantage:
- B2B sales. Enterprise customers require vendor security questionnaires, DPAs, and proof of compliance before signing. Having a privacy policy, data export, and account deletion already built puts you ahead of 90% of vibe-coded competitors.
- App store distribution. Apple and Google are tightening privacy requirements. A clear data handling story makes review easier.
- EU market access. 450 million consumers. If your competitor isn't GDPR-compliant and you are, you win that market by default.
- User trust. A "Delete my data" button and a clear privacy policy signal you take users seriously. That matters when you're a new, unknown app.
What we did to our own app
After writing this article, we audited securityscanner.dev against the same checklist. We found gaps.
- No cookie consent banner. Fixed.
- No data export endpoint. Added `GET /api/me/data-export`.
- No account deletion. Added `POST /api/me/delete-account`.
- Newsletter storing IP addresses unnecessarily. Removed.
- No cookie policy page. Added `/cookies`.
- Missing signup consent checkbox. Added.
- Outreach emails missing physical address. Added.
If a company that builds a security scanner had compliance gaps, your vibe-coded app almost certainly does too.
Methodology
We scanned 3,030 apps across Lovable (838), Bolt (917), Netlify (564), Vercel (448), Replit (223), and others (40). Each scan ran 80+ non-destructive modules including Supabase RLS probing (extracts table names from JS bundles, tests each with the anon key), authentication bypass testing, payment webhook verification, and PII exposure detection. All findings were verified with reproducible evidence. Responsible disclosures were sent to identifiable app owners.
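The RLS-probing step described above, as an added example in Python that is not the scanner's own code, and which also covers the "test your own API without auth" step of the checklist: it pulls the project URL, the embedded keys and the referenced table names out of a bundle fragment, decodes the role claim of each key so a leaked service_role key is flagged outright, then requests each table through PostgREST with the anon key and classifies the answer. The bundle, the key and the responses are all constructed; the fetch callable is injectable so the same logic runs against the fake here and against urllib for a target you are authorised to test. One caveat is built into the classification: PostgREST answers a SELECT on an RLS-protected table with 200 and an empty array rather than 403, so an empty result does not prove the table is protected.

```python
import base64
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# A fetch returns (status, body). Injectable so the logic runs offline against a fake.
Fetch = Callable[[str, Dict[str, str]], Tuple[int, str]]

URL_RE = re.compile(r"https://[a-z0-9]+\.supabase\.co")
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
TABLE_RE = re.compile(r"""\.from\(\s*["']([A-Za-z_][A-Za-z0-9_]*)["']\s*\)""")


def jwt_role(token: str) -> Optional[str]:
    """Read the 'role' claim (anon / service_role) of a Supabase key.
    The signature is deliberately not verified: we only want to know which key this is."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)
        return json.loads(base64.urlsafe_b64decode(payload)).get("role")
    except (IndexError, ValueError, AttributeError):
        return None


def extract_targets(bundle: str) -> dict:
    """Pull the project URL, every embedded key (by role) and referenced table names out of a JS bundle."""
    keys = {}
    for tok in set(JWT_RE.findall(bundle)):
        role = jwt_role(tok)
        if role:
            keys[role] = tok
    urls = URL_RE.findall(bundle)
    return {"url": urls[0] if urls else None, "keys": keys, "tables": sorted(set(TABLE_RE.findall(bundle)))}


def classify(status: int, body: str) -> str:
    """Turn a PostgREST response into a verdict."""
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "not-found"
    if status != 200:
        return "unexpected"
    try:
        rows = json.loads(body)
    except ValueError:
        return "unexpected"
    if isinstance(rows, list) and rows:
        return "exposed"          # real rows came back with nothing but the anon key
    return "empty"                # ambiguous: empty table OR RLS on with no anon policy


def probe_tables(url: str, anon_key: str, tables: List[str], fetch: Fetch) -> Dict[str, str]:
    """GET up to 5 rows of each table through PostgREST, exactly as the frontend would."""
    headers = {"apikey": anon_key, "Authorization": f"Bearer {anon_key}"}
    return {t: classify(*fetch(f"{url}/rest/v1/{t}?select=*&limit=5", headers)) for t in tables}


def audit_bundle(bundle: str, fetch: Fetch) -> dict:
    """Full pass: secrets in the bundle first, then every referenced table with the anon key."""
    targets = extract_targets(bundle)
    findings: dict = {}
    if "service_role" in targets["keys"]:
        findings["service_role_key_in_bundle"] = True   # critical: this key bypasses RLS entirely
    if targets["url"] and "anon" in targets["keys"]:
        findings["tables"] = probe_tables(targets["url"], targets["keys"]["anon"], targets["tables"], fetch)
    return findings


def urllib_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real network fetch, for use against a project you are authorised to test."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


# ---- constructed fixtures: not a real project, key or bundle ----
def b64url_json(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


SAMPLE_URL = "https://abcdefghij.supabase.co"
SAMPLE_ANON = ".".join([b64url_json({"alg": "HS256", "typ": "JWT"}),
                        b64url_json({"iss": "supabase", "ref": "abcdefghij", "role": "anon"}),
                        "constructedsignature"])
SAMPLE_BUNDLE = (
    f'const c=createClient("{SAMPLE_URL}","{SAMPLE_ANON}");'
    'c.from("profiles").select("*");c.from("orders").insert(o);'
    "c.from('newsletter_subscribers').select('email');"
)


def fake_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Stands in for the network with constructed PostgREST responses."""
    assert headers["apikey"] == SAMPLE_ANON
    table = url.rsplit("/", 1)[1].split("?")[0]
    return {
        "profiles": (200, '[{"id":1,"email":"a@example.com","phone":"+15550100"}]'),
        "orders": (200, "[]"),
        "newsletter_subscribers": (401, '{"message":"Invalid API key"}'),
    }.get(table, (404, '{"message":"Could not find the table"}'))


if __name__ == "__main__":
    print(json.dumps(audit_bundle(SAMPLE_BUNDLE, fake_fetch), indent=2))
```

Against a live target, swap fake_fetch for urllib_fetch and feed it the text of the deployed site's main script. An "exposed" verdict is unambiguous; "empty" needs a follow-up (insert a row as a signed-in test user, then re-probe anonymously) before you can call the table protected.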
Full results: Q2 2026 Security Report