# Rachel Kowalski, Director of Privacy & Compliance at Fieldstone Health — read of Massachusetts Privacy Compliance Auditor, June 11, 2026

> 9 years in privacy and compliance, currently covering HIPAA, CCPA, and now three new state privacy laws for a 140-person Boston-area health tech company that I am increasingly convinced exists only to give me anxiety.

## How I got here

Our outside counsel sent us a two-paragraph email in April flagging the Massachusetts location data provisions and saying "you should look at your vendor stack." That was it. Two paragraphs. So I started searching for something that could actually inventory our location data exposure without me spending six weeks inside OneTrust building custom workflows. Searched "Massachusetts location data compliance tool" and this came up on the second page of results. Clicked it because the title matched exactly what I was looking for, which almost never happens.

## What I clicked first

The hero is clean. "Audit location data handling under Massachusetts privacy law" is specific and direct, which already puts this ahead of 80% of the compliance vendor pages I have looked at this month. The "Data Collection Map" feature description pulled me in: "Discover every source collecting location data: analytics, mobile SDKs, location services, third-party vendors. See what you're actually gathering." That is the actual pain. That sentence describes a real problem I have. I scrolled down expecting to see a product.

## Where I paused

The "Honest disclosure" block stopped me completely. "We don't have live customers on this idea yet. We shipped the strategy package; you ship the customer conversations." I had to read that twice. So this is not a product. This is a product idea that someone is selling me the blueprint to build. The "Start Free Audit" button in the hero is effectively a bait and switch. I am not a developer entrepreneur looking for my next SaaS to build. I have a compliance problem that is real and exists today. This page spent its first half pretending to be a tool I could use and its second half revealing that it is a dossier I could buy to build the tool myself for $99. That is a significant pivot mid-scroll.

## What I distrusted

"SOC 2 Type II Certified" appears in the procurement summary box but there is nothing here to certify. There is no product. There is no data being processed. Putting SOC 2 Type II in the procurement at-a-glance for a product that does not exist yet feels like putting a gold star on a proposal document. Also: "Trusted by" followed by nothing. Genuinely nothing. Not a logo, not a company name, not a testimonial. Just the words "Trusted by" floating there. That is either a template placeholder that shipped to production or a conscious choice that is worse than a placeholder. The Fermi math showing "Year-1 take-home: -$16,700" and "1 in 11 Meaningful-success odds" is admirably honest but it also made me feel like I was looking at a pitch deck for a startup that has not started rather than a compliance tool I can deploy.

## What would convince me

A single video of someone walking through an actual scan of a real company's tech stack, even a demo environment, showing the system identify an undisclosed location SDK and generate the vendor notification template. That is it. I do not need a case study. I do not need a logo. I need to see the thing work one time on real data to know whether the underlying logic is sound or whether "automated scan against Massachusetts' precise location data ban" is a marketing sentence wrapped around a glorified checklist.

## What I'd ask in an email reply

1. When you say "automated scan," are you running something against actual network traffic and SDK dependencies, or is this a guided questionnaire that I fill out manually and you score on the backend?
2. The "vendor notification templates" - are these generic legal letter templates or are they pre-populated based on specific vendors you've already mapped to the law's requirements?
3. Is there anyone I can talk to who has actually used this on a real tech stack, even in a pilot, even someone you know personally who tested it?

## Verdict: on-the-fence

The first half of this page describes a product I genuinely want to exist. The second half reveals that it does not exist yet and they are selling me the blueprint to build it myself, which is not what I need. I respect the honesty. I might check back in six months.

---
*Memo by skeptic persona, generated 2026-06-11. Studio breaks own self-grading loop.*
