Catch leaked secrets and trust gaps before launch.

LaunchTrust is a passive public-surface scanner for security-aware app developers, vibecoders and ecommerce operators. It looks for exposed frontend secrets, open .env/.git paths, SPF/DMARC and security headers, then layers in AI notices, privacy pages, refunds, accessibility, app-store signals and signed evidence records.

Compliance aid, not legal advice. Paid checkout stays paused until the dashboard is live.

27 detectors: Passive public-surface checks
35 rules: Sourced and fact-checked registry
39 countries: Choose target markets before launch
ECDSA log: Signed evidence records planned for Pro
01

Security first: public code, exposed files and email-auth posture

The first pass looks at what anyone can already fetch: JavaScript bundles, source-map references, public files, DNS email-auth records and HTTP response headers. It helps catch accidental exposure before a buyer, reviewer or attacker sees it.

Frontend secret exposure

LaunchTrust flags risky public patterns for OpenAI, Anthropic, Stripe live, AWS, Google, GitHub and private-key material. Findings stay framed as review signals with evidence, because false positives are possible in static pattern scans.

OpenAI, Anthropic, Stripe live, AWS, Google, GitHub, private keys

Exposed files and domain hygiene

The public-surface pass also checks reachable .env and .git paths, CSP, frame protections, MIME-sniffing defense, referrer policy, HTTPS/HSTS, security.txt, SPF and DMARC.

.env, .git, CSP, SPF, DMARC, HSTS, security.txt

Passive public-surface checks only. No intrusive testing, private crawling or credentialed access.

02

One scanner for the public promises around your launch

LaunchTrust does not replace counsel or platform review. It turns visible launch risks into a practical, source-backed checklist before you submit an app update, publish a landing page, or open an ecommerce checkout.

AI disclosure

Checks whether an AI chatbot, assistant, companion or copilot is clearly disclosed at the right moment.

Rules
EU AI Act Art. 50, Apple 5.1.2, US and California chatbot duties.
Example finding
"The page includes an AI feature but no first-interaction notice."

Privacy and data protection

Looks for privacy-policy access, deletion paths and clause coverage for data handling claims.

Rules
GDPR, KVKK/Türkiye, privacy-policy clause review and app-store privacy wording.
Example finding
"Policy exists, but AI processing and deletion workflow are not clearly described."

Cookie and tracking consent

Flags visible consent language, common tracking scripts and cases where controls do not match trackers.

Rules
ePrivacy-style cookie consent expectations and analytics disclosure hygiene.
Example finding
"Marketing scripts appear before a clear reject/settings path."

Consumer and ecommerce

Reviews refund, return, cancellation and withdrawal surfaces for stores and paid SaaS flows.

Rules
EU/UK 14-day withdrawal cues, TR mesafeli satış/cayma hakkı cues, cancellation clarity.
Example finding
"Checkout mentions returns, but the cancellation window and refund timing are missing."

Accessibility

Runs basic checks for language, title, image alt text, form labels and zoom behavior.

Rules
EAA and WCAG-oriented public-page signals.
Example finding
"Signup form has inputs without associated labels."

App-store readiness

Looks at public App Store and Play surfaces for privacy links, data-safety cues and listing alignment.

Rules
Apple App Store privacy expectations, Google Play Data safety and listing consistency.
Example finding
"Store listing links to a privacy page that does not explain the AI feature."

Signed evidence record

Pro will preserve a dated record of what LaunchTrust saw, signed for later verification.

Trust layer
Public URL scan, page hash, detector results and signed canonical record.
Example finding
"Evidence record created for the public page before submission."
03

Choose markets, then monitor what changes after launch day

LaunchTrust Pro is planned as a set-and-watch layer for public launch surfaces. It focuses on passive scans: public pages, headers, store listings, DNS email-auth records, policy links and visible JavaScript bundles. Deeper testing would require separate ownership and authorization controls.

Security hook

Catch accidental frontend secret exposure

Flag risky patterns such as API keys, private-key blocks, open .env files, exposed .git paths and missing email-auth records before customers or reviewers find them.

Continuous monitoring

Know when a public promise changes

Planned alerts notify by email, Slack or CI webhook when a signed scan changes: policy text disappears, a header regresses, a tracker appears, or a store listing no longer matches the site.

Market registry

Select your target markets

The upcoming /api/jurisdictions registry maps 39 countries across 8 categories so a founder can choose markets and see the relevant public-surface checks.

United States, European Union, United Kingdom, Türkiye, Canada, Brazil, Japan, Australia
AI disclosure, Privacy and data, Cookie and tracking, Consumer and refunds, Accessibility, Security posture, Store readiness, Signed evidence
04

Free AI notice check

The first free module is still AI Notice Kit. Answer four questions to see whether your app likely needs a visible AI notice, then copy the no-tracking badge snippet.

LaunchTrust Pro will add the broader signed scan when the paid dashboard opens.

1. Does your product have an AI chatbot, assistant, companion or copilot that talks to users?

05

Designed for evidence, not vibes

LaunchTrust is strongest when it can show exactly what was visible at scan time. The Pro record is designed around 27 detectors, 35 sourced rules, selected markets and an ECDSA-signed canonical evidence log.

Scan: Fetch the public page, DNS signal or store listing.
Detect: Run AI, privacy, commerce, a11y, appsec, email-auth, security and store checks.
Record: Store dated findings with public evidence and page hash.
Alert: Notify by email, Slack or CI webhook when monitored evidence changes.
Verify: Download a signed record that can be independently checked.

issuer: LaunchTrust
module: pre-submission trust scan
scope: public signals only
legal frame: aid, not advice
{"signed_at":"2026-06-18","version":"v1"}
Verify a signed record
06

AI Notice Kit is now the AI-disclosure module

The free badge stays available. It runs in the visitor's browser, sends us nothing about your users and gives you a clear notice for AI chat, companion, copilot and assistant surfaces.

  • Localized notice text with a small badge.
  • Works as a drop-in web snippet.
  • Use the same copy in mobile app UI before submission.
AI Notice Kit snippet
<script src="https://launchtrust.co/disclose.js"
        data-disclose data-lang="auto"></script>

Primary endpoint for the free AI Notice Kit module.

07

Paid scans reopen after the dashboard is live

Free AI disclosure remains open. Pro and Studio stay paused until LaunchTrust dashboard, entitlement and signed-record flows are fully deployed. After subscribing, customers sign in at app.launchtrust.co.

Free

$0

  • AI Notice Kit web badge
  • Four-question AI notice check
  • No badge telemetry

Studio

$49/mo

or $490/yr

  • Multi-app and client dashboard
  • Client-ready signed scan records
  • White-label notice copy review
  • Priority rule-update review
  • Slack or CI webhook alert routing
Studio coming soon
08

Rule map, translated into product checks

LaunchTrust keeps the public copy plain: each row is a check surface, not a legal conclusion. The backend registry is designed around 39 jurisdictions and 8 categories.

EU AI Act Art. 50: AI interaction disclosure and generated-content transparency.
Apple 5.1.2: Personal-data sharing and third-party AI disclosure cues.
California SB243: Covered companion chatbot notice and safety duties.
EU consumer withdrawal: Online buyers usually have a 14-day withdrawal path.
UK distance selling: Cancellation, information and refund surfaces for online traders.
TR mesafeli satış: Withdrawal and refund information for distance sales.
Email authentication: SPF and DMARC records reduce spoofing risk for launch-domain mail.
Secret exposure: Passive public checks for risky frontend key patterns and exposed files.
09

Straight answers

Is LaunchTrust legal advice?

No. LaunchTrust is a compliance aid that helps you find visible public-surface gaps and keep evidence. It is not legal advice or certification.

Why keep AI Notice Kit?

AI disclosure is still a strong wedge and a real free utility. LaunchTrust is the parent platform; AI Notice Kit is the disclosure module inside it.

Does the badge collect user data?

No. The free badge runs in the browser and does not send us page views, user identifiers, prompts, conversations or device data.

Does LaunchTrust scan private dashboards?

No. The product is designed around public launch surfaces and public store pages. Do not submit credentials, unpublished pages or private customer data.

Does LaunchTrust run intrusive security tests?

No. LaunchTrust focuses on passive public checks: visible bundles, public headers, DNS records and exposed files. Deeper testing would require explicit ownership and authorization controls.

Can ecommerce sites use it?

Yes. The expanded scanner includes refund, return and cancellation surfaces, especially for online stores and paid SaaS checkout flows.

Prepare the public surface before the next launch.

Start with the free AI notice, then move to passive secret checks, market-aware scans and signed monitoring when Pro reopens.