Sometimes, people who try to monetize the AI hype might inadvertently break the law. However, in most such cases, it’s not only that the law is not observed: the lack of transparency is also an insult to the potential users and a breach of their rights. Today, one such example.

Reddit, the social network where I discovered NOLO

I’ll be succinct, and I’ll only give you some links:

NOLO, the app and the service

This is a freemium service, as expected:

But the claims are false. The free plan should include 3 Pro prompts per day. Trying to use Pro asks you to upgrade to a paid plan:

The chat I had with Gemini

Because NOLO itself is pathetic in its free tier, I asked Gemini:

Ludditus: Many small, independent online services, including AI chatbot web interfaces that are actually self-hosted or reselling results based on paid queries made to big LLMs or LLMs hosted by 3rd parties, do not disclose:

  • The actual identity of the company or individual offering the service.
  • The registered address of the said company.
  • Any physical address or phone.

For instance, one such service only states:

  • An e-mail contact address.
  • Boilerplate ToS with the only specific info as follows: “These terms are governed by the laws of Romania and applicable European Union regulations, including the GDPR.”

Question: How is this even legal in the European Union? This is a freemium service, and not knowing who you’re paying to should be illegal.


Gemini: The short answer is: It isn’t legal. If a service is operating within the European Union or targeting EU consumers—especially when money is changing hands—it is subject to strict transparency requirements. The scenario you described, where a provider hides behind a generic email and a boilerplate “governed by Romanian law” clause, is a direct violation of several EU directives and national laws.

Here is a breakdown of why this practice is illegal and how the law is supposed to work.

1. The e-Commerce Directive (2000/31/EC)

This is the “grandfather” of internet law in the EU. Under Article 5, any “information society service” (which includes AI wrappers and SaaS) must provide easy, direct, and permanent access to:

  • The name of the service provider (the legal entity or full name of the individual).
  • The geographic address where the provider is established.
  • Contact details, including an email address, that allow for rapid communication.
  • Registration details, such as a trade register number (e.g., a Romanian CUI/J number) and VAT identification number if applicable.

2. The Consumer Rights Directive (2011/83/EU)

Since this is a “freemium” service involving payments, the Consumer Rights Directive kicks in. Before a consumer is bound by a contract, the trader must provide in a clear and comprehensible manner:

  • Their identity (trading name).
  • The geographical address of their place of business.
  • The total price of services (including taxes).

If you are paying a “ghost” entity, you have no way to exercise your right of withdrawal (the 14-day “cool-off” period) or file a legal claim if the service fails.

3. GDPR Requirements (General Data Protection Regulation)

You mentioned their ToS references the GDPR. This is ironic because Articles 13 and 14 of the GDPR mandate that the “Data Controller” must be identified. A privacy policy that doesn’t state who is collecting your data (the legal person) is, by definition, not GDPR-compliant.

4. The Digital Services Act (DSA)

As of 2024, the Digital Services Act further tightened these rules. Even small providers must provide a single point of contact and be transparent about who is running the service to ensure accountability for content and user safety.

The “Reality Gap”: Why do they do it?

If it’s so illegal, why is your screen full of these “ghost” services? Usually, it comes down to three things:

  • Enforcement Lag: Regulators (like the ANPC in Romania) usually act on complaints. If no one reports a small AI site, it flies under the radar.
  • Regulatory Arbitrage: Many of these services are “fly-by-night” operations. They use a generic ToS to look professional, but they operate from jurisdictions where EU law is hard to enforce, even if they claim they are “governed” by it.
  • Low Barrier to Entry: Setting up an AI reselling site takes 20 minutes. Registering a company, getting a VAT ID, and setting up legal compliance takes weeks and costs money.

Summary Table: What should be there vs. what you saw

| Requirement | Legally Mandated | What You Found |
|---|---|---|
| Identity | Full Legal Company Name | Missing |
| Physical Address | Full Registered Office Address | Missing |
| Contact | Email + Physical Address | Email Only |
| Registration | Trade Register / VAT Number | Missing |
| Data Controller | Explicitly Named Entity | Vague Reference to GDPR |

A Note of Caution: If a service asks for your credit card but refuses to tell you who they are or where they are located, they are not just breaking EU transparency laws—they are presenting a massive security risk. Without a legal identity, you have no recourse for double-billing, data leaks, or sudden service termination.

Are you looking to report one of these services to the relevant authorities, or are you trying to vet a specific tool before subscribing?


Ludditus: This is the service: nolo-landing.vercel.app and www.nolo-app.com


Gemini: Based on an analysis of the links you provided, you have identified a textbook example of a service that is operating in non-compliance with EU transparency and consumer protection laws.

If these sites are indeed targeting EU users and claiming to be governed by Romanian law, they are failing several legal requirements. Here is a breakdown of the specific legal red flags for the “Nolo” service:

1. Violation of the “Impressum” (Legal Notice) Requirement

Under the EU e-Commerce Directive (and specifically Romanian Law 365/2002), any commercial website must have a clearly accessible “Legal Notice” or “Impressum.”

  • The Violation: The sites you linked do not list a legal entity name (e.g., Nolo Tech S.R.L.), a physical headquarters address, or a registration number (CUI/J in Romania).
  • The Risk: Without this, a consumer has no way to know who actually has their credit card data or who to sue if the service is a scam.

2. GDPR Non-Compliance (Identity of Data Controller)

The site claims to be GDPR compliant, yet the primary requirement of GDPR (Articles 13 & 14) is that the Data Controller must be identified.

  • The Violation: You cannot have a valid Privacy Policy that says “We value your privacy” without stating exactly who “We” are. A user must know the legal identity of the entity processing their prompts and personal information.
  • The Romanian context: Since they mention Romania, they are under the jurisdiction of the ANSPDCP (The National Supervisory Authority for Personal Data Processing). Failing to identify the controller is a fineable offense.

3. Payment Transparency

If a user clicks “Subscribe” or “Buy,” the service must disclose the total price and the identity of the seller before the transaction is completed.

  • The Loophole: Many of these services use Stripe or Paddle as a payment processor. While Stripe verifies the identity of the business internally, the landing page itself is still legally required to disclose that identity to the consumer before they reach the checkout.

4. Why the “.vercel.app” URL is a Red Flag

The fact that one of the main links is a vercel.app subdomain suggests this is a “hobbyist” or “low-overhead” deployment. Vercel is a hosting platform. Professional, legally compliant companies usually:

  1. Use a custom domain for all public-facing assets.
  2. Have a “Company” or “About Us” page that lists leadership or a registered office.

How to take action (if you are concerned or have paid money):

If you have already paid this service and feel misled, or if you simply want to report the lack of transparency, you have several options in the EU:

  1. Report to ANPC (Romania): Since they claim to be governed by Romanian law, you can file a complaint with the National Authority for Consumer Protection (ANPC) at anpc.ro. They are quite active in fining sites that lack mandatory contact info.
  2. Report to the Romanian Data Protection Authority: If you provided an email or data, you can report the lack of “Controller Identity” to the ANSPDCP.
  3. Check the Stripe Checkout: If you go to the payment page (without completing the purchase), look at the “Pay [Name]” section. Often, the real name of the individual or the shell company will appear there, even if it’s hidden on the landing page.
  4. Domain Whois: While most info is redacted, sometimes the “Registrant Organization” field is left public.

Verdict: This service is operating as a “Ghost SaaS.” While it might be a legitimate tool built by a well-meaning developer, it is currently operating illegally within the EU framework by failing to provide the mandatory “Company Identification” details. Using such a service for sensitive data or recurring payments is risky.

No, you wouldn’t know who you’d be paying for the service!