Building PolicyPal: what we made, why it matters (and what is next)
If you have ever tried to read GDPR on a Friday afternoon… We kept hearing the same story from small businesses: we are drowning in rules, we do not have a lawyer, and Google is not cutting it. That is the seed of PolicyPal, a lightweight, GenAI-powered helper that turns legalese into plain, cited answers you can actually use.
The problem
We mapped the SME reality: they are 99% of EU businesses, yet they carry a huge chunk of compliance work. Most teams either outsource (expensive), copy templates (risky), or just… wait out consequences. Add to that a flood of new EU regulations, GDPR, CSRD, the AI Act, each written in dense legal language and updated regularly. For small companies without in-house lawyers, figuring out what actually applies to them can take hours, sometimes days. The result? Missed deadlines, mounting costs, and a constant low-level anxiety about getting something wrong.
Some facts we found out
- 99% of all EU businesses are SMEs — employing over two-thirds of the workforce.
- SMEs carry ~90% of total EU administrative compliance costs (≈ €200 billion/year).
- 55% of SMEs say regulation is their biggest barrier to growth.
- 43% have delayed expansion or digitalisation because of legal complexity.
- The global RegTech market is expected to grow from $16 billion (2024) to over $33 billion (2029).
- 49% of surveyed SMEs already use technology for 11 or more compliance activities, showing both awareness and room for smarter tools.
What we built (so far)
Our prototype is a simple chat-style Q&A. You ask normal questions (“Do we need a DPO?”), and PolicyPal pulls from official Dutch GDPR texts, then drafts a short answer that makes complicated questions simple. Under the hood, we use retrieval-augmented generation (RAG): retrieve first, generate second, show your work. It is not wired to a live backend yet, but the experience, from question to cited answer to quick export, is there.
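The retrieve-first, cite-always flow in miniature, as an added illustration rather than PolicyPal's own code: a small IDF-weighted retriever over a constructed corpus of paraphrased article snippets, the prompt that confines the model to those passages, and a grounding check that flags any sentence that is uncited, cites a passage the retriever never returned, or is not supported by the passage it cites. The article ids and texts are constructed stand-ins (not the official Dutch GDPR texts), and the model call itself is left to the caller.

```python
import re
from math import log

# Constructed stand-ins for GDPR articles (paraphrased, not the official Dutch texts).
CORPUS = {
    "Art.30": "Each controller shall maintain a record of processing activities under its responsibility.",
    "Art.33": "The controller shall notify a personal data breach to the supervisory authority "
              "without undue delay and where feasible within 72 hours.",
    "Art.37": "The controller shall designate a data protection officer (DPO) where its core activities "
              "consist of regular and systematic monitoring of data subjects on a large scale.",
}
STOPWORDS = {"a", "an", "the", "of", "to", "and", "in", "on", "we", "do", "you", "your", "its", "if", "shall", "where"}
CITE = re.compile(r"\[(Art\.\d+)\]")  # citation marker the prompt asks the model to emit

def content_tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower())) - STOPWORDS

def retrieve(question, corpus=CORPUS, k=2):
    """Step 1: rank passages by IDF-weighted token overlap; return up to k ids with a positive score."""
    docs = {cid: content_tokens(txt) for cid, txt in corpus.items()}
    df = {}
    for toks in docs.values():
        for t in toks:
            df[t] = df.get(t, 0) + 1
    q = content_tokens(question)
    score = {cid: sum(log(1 + len(docs) / df[t]) for t in q & toks) for cid, toks in docs.items()}
    return [cid for cid in sorted(score, key=score.get, reverse=True)[:k] if score[cid] > 0]

def build_prompt(question, retrieved, corpus=CORPUS):
    """Step 2: hand the model only the retrieved passages and require bracketed citations."""
    context = "\n".join(f"[{cid}] {corpus[cid]}" for cid in retrieved)
    return (f"Answer using only the passages below; cite each sentence as [Art.N].\n"
            f"{context}\n\nQuestion: {question}\nAnswer:")

def check_grounding(answer, retrieved, corpus=CORPUS, min_overlap=2):
    """Step 3 ('show your work'): flag sentences that lack a citation, cite a passage the
    retriever never returned, or share fewer than min_overlap content words with the cited text."""
    problems = []
    for sentence in filter(None, re.split(r"(?<=[.!?])\s+", answer.strip())):
        cited = CITE.findall(sentence)
        if not cited:
            problems.append(f"uncited: {sentence!r}")
            continue
        body = content_tokens(CITE.sub("", sentence))
        for cid in cited:
            if cid not in retrieved:
                problems.append(f"cites {cid}, which was not retrieved")
            elif len(body & content_tokens(corpus[cid])) < min_overlap:
                problems.append(f"{cid} does not support: {sentence!r}")
    return problems
```

An answer that returns any problems should be withheld or sent back for regeneration rather than shown to the user with its citations intact.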
Who it is for
We are starting with Dutch SMEs, SaaS/IT, e-commerce, agencies, accountancies, and small clinics. The primary users are IT and HR managers who need fast, paste-ready answers with sources for tickets, policies, and stakeholder updates. Freemium lets teams try basic answers; upgrades unlock things like memo exports and audit trails.
What surprised us
Even without direct SME testing, a few things stood out while building and discussing the concept. First, the gap between regulatory language and what small business owners actually understand is even wider than we expected. Second, the number of existing “compliance tools” that claim to simplify things but end up just moving the complexity somewhere else. And third, how many SMEs openly admit they rely on guesswork or outdated templates to stay “compliant enough.” It confirmed our hunch that the real problem is not access to information, it is access to clarity.
The rough edges
It is a front-end demo for now. The risks we are designing around are hallucinations, privacy, and over-reliance. We are aligning with ISO/IEC 27001 practices and the NIST AI RMF. For edge cases, an optional human review layer could be added for the business; however, that is not the main scope.
What we learned
Working on PolicyPal showed us that solving a regulatory problem is not just about adding AI; it is about understanding how people experience complexity. Our research made clear that SMEs do not suffer from a lack of information, but from a lack of structure and confidence in using it. Regulations are written for legal professionals, not small business owners, and technology alone cannot fix that gap without thoughtful design.
We also learned that transparency matters as much as accuracy. Features like citations, disclaimers, and visible sources are not just “nice to have”; they determine whether users trust the answer at all. In that sense, PolicyPal became less about automation and more about building digital trust in an area where mistakes are costly.
Finally, this project helped us understand how business models and technology choices shape each other. RAG-based systems, freemium adoption, and compliance verification are not just technical or commercial decisions; they reflect how a tool positions itself between accessibility and accountability. For us, that intersection of design, trust, and value creation is the most important insight we are taking from the work.