You shipped an app with AI in it. Maybe a chatbot. Maybe AI-generated text or images. Now the EU AI Act asks you to prove it is honest with users. This checklist shows you how.
The EU AI Act is already in force. The European Parliament passed it in 2024. Its AI rules start to apply on August 2, 2026. That is about 34 days away. If your app reaches users in the EU, these rules apply to you, even if your company sits elsewhere.
Most founders have never read the text. You do not need to. Below is what the law asks, who it covers, and an 8-point checklist you can work through today. Run a free check first if you want to see your gaps before you read on.
Does Article 52 Apply to Your SaaS?
Two simple tests decide it. If you answer yes to both, the transparency rules apply.
- Do EU users reach your app? If people in the EU can sign up or use it, yes. Your office location does not matter. Your users' location does.
- Does your app use AI to talk to users or make content? Chatbots, AI assistants, AI-written text, AI images, recommendations, deepfakes. If any of these are in your product, yes.
This catches almost every vibe-coded app. Built on Lovable, Bolt, Cursor, or Replit, and added an AI feature? You are in scope. The good news: most of these apps are "limited-risk." The rules are clear and quick to meet.
The 8-Point Article 52 Compliance Checklist
Here are the eight duties at the heart of Article 52 transparency disclosure, in plain English. Work through them one by one. Each gap is fixable once you can see it.
- Tell users at the first hello. When a user opens your chatbot, they must know it is a machine. This one line is the core of EU AI Act chatbot compliance. Add a clear note in the chat window: "You are chatting with an AI assistant." Do not bury it in your terms of service.
- Label AI-generated content. If your app makes text, images, or audio, mark it. A visible label works best: "Generated by AI." A machine-readable tag in the file helps too. Do not hide the label in metadata alone.
- Flag any face or mood scanning. Does your app read faces? Does it spot mood from a camera? Tell users first, and get their consent. This counts as biometric data. It is "special category" data under GDPR Article 9, so take extra care.
- Disclose deepfakes. If your app makes fake video or audio of a real person, label it as fake. The label must be clear and stay with the content. There is no wiggle room here.
- Keep an internal AI system register. List every AI system you use. What it does. Where it runs. Who owns it. A simple spreadsheet is enough to start. This is the record an auditor or a buyer will ask to see.
- Offer a human option where you can. If a person could do the task instead of the AI, give users that choice. If the AI is essential and no opt-out is feasible, write down why. The point is informed choice.
- Write down your purpose and risk class. The Act sorts AI into risk tiers: minimal, limited, high, and banned. Most SaaS apps are limited-risk. High-risk AI systems carry extra duties, such as risk assessments and human oversight. Write down your class and the reason. Confirm it; do not guess.
- Name a contact for AI questions. Users need a real human to reach if the AI behaves badly. Add a monitored email address to your privacy policy. A no-reply inbox does not count.
52 checks · under 2 minutes · no code access
See your Article 52 gaps before the deadline
Launch Ready Code runs 52 automated compliance checks across GDPR, EU AI Act Article 52, SOC 2 foundations, and ISO 27001 foundations, delivering results in under 2 minutes. Start with the free scan.
Where Article 52 Meets GDPR
These transparency obligations do not stand alone. They sit next to GDPR. So Article 52 work and GDPR compliance for SaaS founders go hand in hand. If your AI touches personal data, you need both. Here is how they connect.
GDPR Article 13: tell people at collection
Article 13 says you must explain what data you collect and why, at the moment you collect it. If your AI reads user input, you have to disclose that. Who holds the data? Why? How long? Answer these in plain words.
GDPR Article 17: the right to be forgotten
Article 17 lets a user ask you to delete their data. If your AI stored that data, you must be able to remove it. From your database. From your logs. From anywhere a copy lives. Plan for this before someone asks.
The pattern is simple. The EU AI Act asks you to be open about the AI. GDPR asks you to be careful with the data. For a deeper GDPR walkthrough, read our GDPR compliance guide for vibe-coded apps.
What the Fines Actually Are
The €35M headline gets quoted a lot. It is real. But it is not the fine for a missing chatbot banner. The Act has three fine levels. Match the right one to the right breach.
| Violation type | Maximum fine |
|---|---|
| Banned AI practices, e.g. social scoring (Article 5) | €35M or 7% of global annual turnover |
| Transparency & most other duties (incl. Article 50/52) | €15M or 3% of global annual turnover |
| Giving regulators wrong or misleading information | €7.5M or 1% of global annual turnover |
So a breach of these rules sits in the middle tier. The fine can reach €15M or 3% of turnover, whichever is higher. That is still bigger than the GDPR cap. Each EU country enforces it. Source: EU AI Act, Article 99 (Penalties).
How to Implement the Checklist
Knowing the rules is half the job. Here is how to act on the four points founders ask about most.
- Point 1 — the AI banner. Add one line to your chat interface: "You are interacting with an AI. Please verify important information." In Lovable or Cursor, this is a five-minute change.
- Point 2 — content labels. Add a visible "AI-generated" label near any AI output. Add a hidden tag in the file where you can. Both together is best.
- Point 5 — the AI register. Open a doc. List each AI service you call, such as OpenAI or Anthropic, plus any AI tool you embed. Note what it does and the data it sees. Review it monthly.
- Point 8 — the contact. Add an address like ai@yourdomain.com to your privacy policy. Make sure a person reads it. No auto-responder.
Most apps can clear the full list in a day or two of focused work. The hard part is not the fixing. It is finding every gap in the first place.
Common Article 52 Mistakes
We see the same traps again and again. Avoid these four.
- Assuming it does not apply. If EU users touch your AI, it applies. Where you are based does not change that.
- Hiding the AI. A "Powered by AI" badge in the footer is not enough. The user must be told right away.
- Treating it as one-and-done. Every new AI feature can add a new gap. Your status drifts over time. Re-check after each release.
- Waiting for a perfect plan. You do not need a full audit to start. Add the AI banner. Run a scan. Fix the worst gaps first.
Get Ready Before August 2
The rules are clear and the list is short. Disclose the AI. Label the content. Keep a register. Offer a human option. Document your risk class. Name a contact. Six habits, eight checks, one deadline.
You built something people use. The last step is proving it is honest about the AI inside it. Start with the free scan, fix the gaps it finds, then keep an eye on each release.
launchreadycode.com · 34 days to August 2
Check your Article 52 status in under 2 minutes
A 52-check scan covers GDPR, EU AI Act Article 52, SOC 2, and ISO 27001 foundations. It is advisory analysis only. We find the gaps. You fix them with a clear plan.