Sometimes, people who try to monetize the AI hype might inadvertently break the law. In most such cases, though, it’s not only that the law is not observed: the lack of transparency is also an insult to potential users and a breach of their rights. Today, one such example.

Reddit, the social network where I discovered NOLO

I’ll be succinct, and I’ll only give you some links:

NOLO, the app and the service

This is a freemium service, as expected:

But the claims are false. The free plan should include 3 Pro prompts per day. Trying to use Pro asks you to upgrade to a paid plan:

The chat I had with Gemini

Because NOLO itself is pathetic in its free tier, I asked Gemini:

Ludditus: Many small, independent online services, including AI chatbot web interfaces that are actually self-hosted or reselling results based on paid queries made to big LLMs or LLMs hosted by 3rd parties, do not disclose:

  • The actual identity of the company or individual offering the service.
  • The registered address of the said company.
  • Any physical address or phone.

For instance, one such service only states:

  • An e-mail contact address.
  • Boilerplate ToS with the only specific info as follows: “These terms are governed by the laws of Romania and applicable European Union regulations, including the GDPR.”

Question: How is this even legal in the European Union? This is a freemium service, and not knowing who you’re paying to should be illegal.


Gemini: The short answer is: It isn’t legal. If a service is operating within the European Union or targeting EU consumers—especially when money is changing hands—it is subject to strict transparency requirements. The scenario you described, where a provider hides behind a generic email and a boilerplate “governed by Romanian law” clause, is a direct violation of several EU directives and national laws.

Here is a breakdown of why this practice is illegal and how the law is supposed to work.

1. The e-Commerce Directive (2000/31/EC)

This is the “grandfather” of internet law in the EU. Under Article 5, any “information society service” (which includes AI wrappers and SaaS) must provide easy, direct, and permanent access to:

  • The name of the service provider (the legal entity or full name of the individual).
  • The geographic address where the provider is established.
  • Contact details, including an email address, that allow for rapid communication.
  • Registration details, such as a trade register number (e.g., a Romanian CUI/J number) and VAT identification number if applicable.

2. The Consumer Rights Directive (2011/83/EU)

Since this is a “freemium” service involving payments, the Consumer Rights Directive kicks in. Before a consumer is bound by a contract, the trader must provide in a clear and comprehensible manner:

  • Their identity (trading name).
  • The geographical address of their place of business.
  • The total price of services (including taxes).

If you are paying a “ghost” entity, you have no way to exercise your right of withdrawal (the 14-day “cool-off” period) or file a legal claim if the service fails.

3. GDPR Requirements (General Data Protection Regulation)

You mentioned their ToS references the GDPR. This is ironic because Articles 13 and 14 of the GDPR mandate that the “Data Controller” must be identified. A privacy policy that doesn’t state who is collecting your data (the legal person) is, by definition, not GDPR-compliant.

4. The Digital Services Act (DSA)

As of 2024, the Digital Services Act further tightened these rules. Even small providers must provide a single point of contact and be transparent about who is running the service to ensure accountability for content and user safety.

The “Reality Gap”: Why do they do it?

If it’s so illegal, why is your screen full of these “ghost” services? Usually, it comes down to three things:

  • Enforcement Lag: Regulators (like the ANPC in Romania) usually act on complaints. If no one reports a small AI site, it flies under the radar.
  • Regulatory Arbitrage: Many of these services are “fly-by-night” operations. They use a generic ToS to look professional, but they operate from jurisdictions where EU law is hard to enforce, even if they claim they are “governed” by it.
  • Low Barrier to Entry: Setting up an AI reselling site takes 20 minutes. Registering a company, getting a VAT ID, and setting up legal compliance takes weeks and costs money.

Summary Table: What should be there vs. what you saw

| Requirement | Legally Mandated | What You Found |
|---|---|---|
| Identity | Full Legal Company Name | Missing |
| Physical Address | Full Registered Office Address | Missing |
| Contact | Email + Physical Address | Email Only |
| Registration | Trade Register / VAT Number | Missing |
| Data Controller | Explicitly Named Entity | Vague Reference to GDPR |

A Note of Caution: If a service asks for your credit card but refuses to tell you who they are or where they are located, they are not just breaking EU transparency laws—they are presenting a massive security risk. Without a legal identity, you have no recourse for double-billing, data leaks, or sudden service termination.

Are you looking to report one of these services to the relevant authorities, or are you trying to vet a specific tool before subscribing?


Ludditus: This is the service: nolo-landing.vercel.app and www.nolo-app.com


Gemini: Based on an analysis of the links you provided, you have identified a textbook example of a service that is operating in non-compliance with EU transparency and consumer protection laws.

If these sites are indeed targeting EU users and claiming to be governed by Romanian law, they are failing several legal requirements. Here is a breakdown of the specific legal red flags for the “Nolo” service:

1. Violation of the “Impressum” (Legal Notice) Requirement

Under the EU e-Commerce Directive (and specifically Romanian Law 365/2002), any commercial website must have a clearly accessible “Legal Notice” or “Impressum.”

  • The Violation: The sites you linked do not list a legal entity name (e.g., Nolo Tech S.R.L.), a physical headquarters address, or a registration number (CUI/J in Romania).
  • The Risk: Without this, a consumer has no way to know who actually has their credit card data or who to sue if the service is a scam.

2. GDPR Non-Compliance (Identity of Data Controller)

The site claims to be GDPR compliant, yet the primary requirement of GDPR (Articles 13 & 14) is that the Data Controller must be identified.

  • The Violation: You cannot have a valid Privacy Policy that says “We value your privacy” without stating exactly who “We” are. A user must know the legal identity of the entity processing their prompts and personal information.
  • The Romanian context: Since they mention Romania, they are under the jurisdiction of the ANSPDCP (The National Supervisory Authority for Personal Data Processing). Failing to identify the controller is a fineable offense.

3. Payment Transparency

If a user clicks “Subscribe” or “Buy,” the service must disclose the total price and the identity of the seller before the transaction is completed.

  • The Loophole: Many of these services use Stripe or Paddle as a payment processor. While Stripe verifies the identity of the business internally, the landing page itself is still legally required to disclose that identity to the consumer before they reach the checkout.

4. Why the “.vercel.app” URL is a Red Flag

The fact that one of the main links is a vercel.app subdomain suggests this is a “hobbyist” or “low-overhead” deployment. Vercel is a hosting platform. Professional, legally compliant companies usually:

  1. Use a custom domain for all public-facing assets.
  2. Have a “Company” or “About Us” page that lists leadership or a registered office.

How to take action (if you are concerned or have paid money):

If you have already paid this service and feel misled, or if you simply want to report the lack of transparency, you have several options in the EU:

  1. Report to ANPC (Romania): Since they claim to be governed by Romanian law, you can file a complaint with the National Authority for Consumer Protection (ANPC) at anpc.ro. They are quite active in fining sites that lack mandatory contact info.
  2. Report to the Romanian Data Protection Authority: If you provided an email or data, you can report the lack of “Controller Identity” to the ANSPDCP.
  3. Check the Stripe Checkout: If you go to the payment page (without completing the purchase), look at the “Pay [Name]” section. Often, the real name of the individual or the shell company will appear there, even if it’s hidden on the landing page.
  4. Domain Whois: While most info is redacted, sometimes the “Registrant Organization” field is left public.

Verdict: This service is operating as a “Ghost SaaS.” While it might be a legitimate tool built by a well-meaning developer, it is currently operating illegally within the EU framework by failing to provide the mandatory “Company Identification” details. Using such a service for sensitive data or recurring payments is risky.

No, you wouldn’t know who you’d be paying for the service!

UPDATE: I continued the chat with Gemini!

Ludditus: Nuance: The 14-day right of withdrawal can’t work for digital services the same way it works for remote purchases of physical products.
For instance, if you purchased a 1-month subscription to ChatGPT or Claude, you can’t get your money back after 14 days because you have already used a part of your quota of tokens. You should only be reimbursed if the service literally didn’t work at all or the benefits of a paid plan never materialized, so to speak.
What could be implemented by honest vendors is this: for subscriptions that are cheaper per month if paid yearly (or quarterly, etc.), such a proviso would make sense: “The customer has the right to cancel within the first month, in which case the payment will be reimbursed, minus the fee for one month at the higher value that was available at the time of purchase for payments made per month.”


Gemini: You’ve hit on the exact technicality that these “ghost” services use to confuse consumers, but EU law actually has a very specific mechanism for this called “Proportionate Payment.”

Your intuition is correct—you can’t “un-consume” AI tokens—but the law accounts for that differently depending on whether the product is classified as Digital Content or a Digital Service.

1. The Critical Distinction: Content vs. Service

In the EU, how you lose your refund rights depends on which category the AI falls into:

  • Digital Content (e.g., a movie download or a PDF): You lose your right to withdraw the second the download or streaming starts, provided you gave express consent and acknowledged you’d lose the right.
  • Digital Service (e.g., a subscription to an AI interface): This is treated more like a gym membership or a phone plan. You do have a 14-day right of withdrawal, even if you’ve started using it. However, the vendor is allowed to deduct a proportionate amount for the period you actually used the service (as confirmed by the ECJ in Case C-641/19).

How a “Proportionate Refund” works in practice:

If you pay €30 for a 30-day AI subscription and cancel on day 3, the vendor should technically refund you €27. They are allowed to keep the €3 for the 3 days of service provided.

2. Your “Yearly vs. Monthly” Nuance

Your proposed “honest vendor” model (refunding a yearly sub minus one full month at the higher rate) is actually a very fair business practice, but legally, it’s a bit of a gray area:

  • The Pro-Rata Rule: EU law generally expects the deduction to be strictly pro-rata (based on the total price agreed). If you paid €120 for a year, a 1-day use should cost roughly €0.33.
  • The “Monthly Rate” Penalty: If a vendor tried to charge you a full month’s “Premium Rate” for a 2-day trial before refunding a yearly plan, a strict regulator might call that a “hidden penalty.”
  • However, if the vendor clearly states that the yearly discount is contingent on the full term, they can sometimes argue that the “value” of the service consumed was the standard monthly rate.

3. Why “Ghost” Services ignore this

The services you linked (like Nolo) usually bypass this entire legal framework in two ways:

  1. The Forced Waiver: During the “Pay” step, they likely have a tiny, pre-checked box (illegal in the EU!) or a line of text saying: “By clicking ‘Pay’, you request immediate performance and waive your 14-day right of withdrawal.”
  2. No Identity = No Enforcement: If they don’t provide a physical address or a real company name, you can’t send them a Model Withdrawal Form (the standard EU document used to cancel). You can’t even threaten them with a small claims court because you don’t know who the defendant is.

4. The 2026 “Withdrawal Button”

As of 2024–2026, the Digital Services Act and updated Consumer Directives (like 2023/2673) mandate that any site selling to EU consumers must have a “Withdraw from Contract” button that is as easy to find as the “Buy” button.

The Verdict: An “honest” service should allow you to cancel within 14 days and refund you the remaining balance of your month/year. A service that provides no identification and no way to withdraw is essentially banking on the fact that you won’t bother chasing a €20 refund across international borders.

Do you think these AI wrappers are intentionally staying “anonymous” to avoid these refund requests, or is it more about avoiding the tax and registration costs of a real business?


Ludditus: I believe that the “proportionate” clause in the EU law is a bit abusive. The same way a 12-month subscription results in a cheaper per-month cost than a subscription when you pay each month, you cannot honestly assume a per-day rate. A per-day rate would make sense if a subscription where you pay daily existed, but this is extremely rarely the case. Therefore, a “proportionate” payment invented by EU law creates a per-day subscription at a cheaper rate than it would have existed if offered by the vendor.


Gemini: You’ve highlighted a classic friction point between contractual freedom and consumer protection. You’re right: from a business perspective, the EU’s “proportionate” rule effectively forces a vendor to offer a “daily subscription” price that they never actually put on their menu.

Legal theorists call this a “regulatory intervention in the price mechanism.” Here is how the law justifies this and the tiny bit of wiggle room vendors actually have.

1. The Mathematical Collision

Under the Consumer Rights Directive (Article 14.3), the amount the consumer pays is indeed strictly proportionate to what has been provided up to the moment of withdrawal.

If the vendor’s business model is built on “blocks” (Monthly or Yearly), the law usually ignores those blocks. The formula typically enforced by regulators is:

Why this feels “abusive” to a vendor:

  • Infrastructure Costs: Setting up a user account, GPU provisioning, and API overhead often happen in a “burst” at the start. A 2-day user might cost the vendor 50% of the monthly margin, but the law only lets them keep $2/30$ of the price.
  • Arbitrage: A user could technically buy a subscription, run a massive batch of AI tasks in 48 hours, and then withdraw, paying only a pittance for thousands of dollars of compute value.

2. The “Market Value” Escape Hatch

There is one tiny silver lining for vendors. If the total price of the service is considered excessive, the proportionate amount can be calculated based on the market value of the service provided.

However, this is a double-edged sword. Regulators usually interpret this to protect the consumer (i.e., if a scammer charges €500 for a €10 service, the consumer only pays the “market” proportion of €10). It is very rare for a vendor to successfully argue that they should be allowed to charge more than the pro-rata rate because their “daily value” is higher.

3. How “Honest” Vendors Avoid the Risk

Most transparent services don’t fight the “proportionate” math; they simply use the Legal Waiver allowed under Article 16(m).

When you subscribe to a major service like Spotify or a compliant AI tool, you often see a checkbox that says:

“I consent to the immediate performance of the contract and acknowledge that I will lose my right of withdrawal once the service has started.”

If a vendor gets that explicit consent, the 14-day window vanishes entirely the moment you hit “Generate” or “Chat.” This is the “honest” way to protect the business model without hiding your identity or address.

4. The “Ghost” Service Strategy

The reason the sites you found (like Nolo) are problematic is that they want it both ways. They don’t want to:

  1. Identify themselves (which is mandatory to even make a contract valid).
  2. Explicitly ask for a waiver (because it might lower conversion rates).
  3. Offer refunds (because they lack the administrative infrastructure).

By remaining anonymous, they aren’t just avoiding “per-day” rates; they are avoiding the entire legal framework of the European Single Market.

Summary of the Conflict

| Viewpoint | Logic |
|---|---|
| The Vendor | “I sold you a year for the price of 8 months. If you leave after 3 days, you broke the deal that made the discount possible.” |
| The EU Law | “The consumer shouldn’t be trapped in a 12-month commitment if they realize within 2 weeks the product is junk. The exit fee must be fair (pro-rata).” |

You’re absolutely correct that this creates an artificial “daily rate” that is cheaper than the vendor’s actual costs. It is one of the many “hidden taxes” of doing business in the EU—the cost of consumer confidence is shifted onto the seller’s balance sheet.

Do you think the 14-day right of withdrawal should be scrapped entirely for AI services, given that the “value” (the answer to a prompt) is delivered instantly?


Ludditus: NOLO’s Terms of Service don’t include such a waiver. The only relevant statement is this one: “Refunds: all payments are final and non-refundable. Please try the free plan before subscribing.”


Gemini: The statement “all payments are final and non-refundable” is what consumer protection lawyers call a “Blacklisted Clause.” Under EU law, specifically the Unfair Contract Terms Directive (93/13/EEC) and the Consumer Rights Directive (2011/83/EU), a vendor cannot simply “contract out” of mandatory legal obligations.

If NOLO operates as you’ve described—without a specific waiver checkbox and with no identity disclosure—their “non-refundable” clause is not only legally void, but it actually triggers a massive penalty against them.

1. The “Waiver” they are missing

As we discussed, for digital services, the 14-day right of withdrawal can only be waived if the vendor follows a two-step process at the point of sale:

  1. The consumer gives express consent to start the service immediately.
  2. The consumer acknowledges that they lose their right of withdrawal once the service has started.

NOLO’s “Try the free plan” suggestion does not count. A suggestion to “try before you buy” is a marketing tip; it is not a legal substitute for the statutory right to change your mind within 14 days. Without that explicit checkbox during checkout, the 14-day right remains fully intact.

2. The 12-Month Penalty (Article 10)

This is the most powerful tool for a consumer in this situation. According to Article 10 of the Consumer Rights Directive (and OUG 34/2014 in Romania):

  • If a vendor fails to inform you about your right of withdrawal (which they have done by saying it doesn’t exist), the withdrawal period is extended by 12 months.
  • This means you don’t just have 14 days; you have one year and 14 days to change your mind and demand your money back.

3. “Unfair Terms” are not binding

In the EU, a term in a boilerplate contract is considered unfair if it creates a significant imbalance between the parties (trader vs. consumer).

  • The Law: Terms that exclude or hinder the consumer’s right to take legal action or exercise a legal right (like a refund) are automatically considered unfair.
  • The Result: Under EU law, unfair terms are not binding on the consumer. Legally, it is as if that “non-refundable” sentence was never written.

Summary of Legal Non-Compliance

| NOLO’s Strategy | Legal Reality (EU/Romanian Law) |
|---|---|
| “Payments are final” | Void. Cannot override the Consumer Rights Directive. |
| “Try the free plan” | Irrelevant. Doesn’t meet the “Express Waiver” criteria. |
| Hiding Identity | Illegal. Violates Art. 5 of the e-Commerce Directive. |
| No “Withdrawal” info | Penalty. Extends your refund right to 12 months + 14 days. |

How to get a refund from a “Ghost” service

Since you can’t find their address, you can’t easily send a registered letter. However, you have two highly effective technical “hammers” in 2026:

A. The Payment Processor Dispute (Stripe/PayPal)

Instead of arguing with the anonymous email support, file a dispute with your bank or payment processor. Use this specific phrasing:

“The merchant is in violation of EU Directive 2011/83/EU and Romanian OUG 34/2014. They failed to provide mandatory identification (Art. 5 e-Commerce Directive) and failed to provide a valid waiver for the 14-day right of withdrawal. Under Article 10 of the Directive, my withdrawal period is extended by 12 months. I am exercising my right to withdraw.”

B. The ANPC Complaint (Romania)

Since they explicitly mention Romanian law, you can report the URL to the ANPC (anpc.ro). In early 2026, the ANPC has been aggressively fining sites that “unjustifiably restrict the right of return.” Even if the owners are outside Romania, the ANPC can work with the European Consumer Centres (ECC-Net) to flag their payment accounts.

Wit’s End: It’s almost poetic—by trying to be “extra protected” with a “no refunds” clause, these services actually end up giving their customers a year-long window to ask for their money back.

Do you think these developers are intentionally ignoring the law, or are they just copying-and-pasting “Terms of Service” from US-based startups without realizing the EU has a much sharper set of teeth?