What is a Fractional General Counsel?

A Fractional GC gives you senior-level legal leadership — the kind of judgment you'd get from a $250K+ in-house hire or $900/hour Big Law partner — on a predictable monthly retainer. You get the expertise without the overhead.

What types of startups do you work with?

We work primarily with venture-backed startups from pre-seed through Series B across SaaS, fintech, healthtech, and emerging technology.

How is this different from a traditional law firm?

Traditional firms bill by the hour, staff junior associates on your work, and take days to respond. Flux provides senior counsel directly, charges a flat monthly fee, and communicates on Slack, email, or video — however your team works.

What does flat-fee pricing include?

Each tier includes a defined scope of legal support. No hourly tracking, no surprise invoices. If something falls outside your plan, we'll tell you upfront before any additional work begins.

Can you help with fundraising?

Yes — from SAFEs and convertible notes to priced equity rounds. We handle investor negotiations, term sheet review, deal documentation, and closing execution for Seed through Series B.

What's the relationship between Flux and Rubicon Law?

Flux is a productized offering powered by Rubicon Law, a boutique firm with 20+ years of experience advising hundreds of startups. You get Rubicon's depth of experience in a streamlined, subscription-based format.

How quickly can I get started?

Book a free intro call. If we're a fit, most clients are onboarded within a week. No lengthy engagement letters or committee approvals.

What Is a Data Privacy Policy and Does Your Startup Need One?

Your startup needs a privacy policy the moment it collects any personal information — and if you have a website with analytics, that moment was launch day. U.S. state privacy laws, GDPR, and sector-specific regulations like COPPA require you to disclose what data you collect, how you use it, and what rights users have. Non-compliance carries fines, litigation risk, and increasingly, deal-killing consequences during enterprise sales and fundraising due diligence.

When You Need a Privacy Policy (Spoiler: Immediately)

There's a common misconception that privacy compliance is a growth-stage problem — something you worry about after product-market fit. This is wrong for three reasons:

First, the legal trigger is low. If your website uses Google Analytics, you're collecting IP addresses, browser fingerprints, and behavioral data. If you have a signup form, you're collecting email addresses and names. If you use cookies for session management, you're processing personal data. Almost every startup crosses the threshold at incorporation.

Second, enterprise customers will ask. B2B startups encounter privacy requirements during their first enterprise sales process. Procurement teams send security questionnaires that ask about your privacy policy, data processing practices, and compliance certifications. Not having answers kills deals.

Third, investors check. Due diligence increasingly includes privacy compliance review. A seed-stage company isn't expected to have a full-time DPO, but it is expected to have a published privacy policy and basic data handling practices.

The U.S. State Privacy Law Patchwork

Unlike the EU, the United States has no comprehensive federal privacy law. Instead, a growing number of states have enacted their own privacy legislation, creating a patchwork of obligations that varies by state, data type, and business size.

California: CCPA/CPRA

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most consequential U.S. privacy law. It applies to for-profit businesses that:

Have annual gross revenue exceeding $25 million, OR
Buy, sell, or share the personal information of 100,000+ California consumers/households, OR
Derive 50%+ of annual revenue from selling or sharing personal information

Even if you don't meet these thresholds today, you likely will as you scale. Building compliant practices early is cheaper than retrofitting later.

Key CCPA/CPRA requirements:

Right to know — consumers can request what personal information you've collected about them
Right to delete — consumers can request deletion of their personal information
Right to opt out — consumers can opt out of the sale or sharing of their personal information
Right to correct — consumers can request correction of inaccurate personal information
Right to limit use of sensitive personal information — covers precise geolocation, race, health data, etc.
Non-discrimination — you can't penalize consumers who exercise their rights
Data minimization — collect only what's reasonably necessary for the disclosed purpose

Your privacy policy must disclose each category of personal information collected, the purpose for collection, categories of third parties with whom you share data, and the specific rights available to California consumers.

Virginia: VCDPA

The Virginia Consumer Data Protection Act applies to businesses that control or process data of at least 100,000 Virginia consumers, or 25,000 consumers if the business derives 50%+ of revenue from data sales. Similar consumer rights to CCPA but with some differences — notably, no private right of action (enforcement is through the Attorney General only).

Colorado: CPA

Colorado's Privacy Act applies to businesses operating in Colorado that control or process data of 100,000+ consumers, or 25,000+ consumers if the business derives revenue from data sales. Colorado requires universal opt-out mechanisms and recognizes global privacy control signals.

Connecticut, Oregon, Texas, Montana, and Others

The list keeps growing. Connecticut's CTDPA, Oregon's OCPA, Texas's TDPSA, and Montana's CDPA all went into effect in 2024–2025. Each has slightly different thresholds, definitions, and enforcement mechanisms. The practical implication: if your startup has users across the U.S., you need a privacy program that satisfies the most stringent state requirements.

The Practical Approach for Startups

Rather than tracking every state law individually, adopt a highest-common-denominator approach: comply with CCPA/CPRA and GDPR requirements, and you'll satisfy virtually every other state law. This is simpler and more defensible than trying to apply different standards to users in different states.

GDPR: If You Serve EU Users

The General Data Protection Regulation applies to any organization that processes personal data of individuals in the European Economic Area (EEA), regardless of where the company is located. If your SaaS product has users in Germany, your website has visitors from France, or you market to EU customers, GDPR likely applies.

Key GDPR Requirements

Lawful basis for processing. Unlike U.S. state laws that primarily focus on disclosure and opt-out rights, GDPR requires a lawful basis for every processing activity. The six lawful bases are: consent, contract performance, legal obligation, vital interests, public interest, and legitimate interests. For most startups, "contract performance" (processing necessary to provide the service) and "legitimate interests" (processing for business purposes that don't override user rights) cover the majority of activities. Marketing emails typically require consent.

Data Protection Impact Assessments (DPIAs). Required for high-risk processing activities — large-scale profiling, processing sensitive data, systematic monitoring of public areas.

Data breach notification. You must notify supervisory authorities within 72 hours of becoming aware of a personal data breach, and notify affected individuals if the breach poses a high risk to their rights.

Data Processing Agreements. Every vendor that processes personal data on your behalf (cloud hosting, analytics, email marketing) must sign a Data Processing Agreement (DPA) with you. This isn't optional — it's a legal requirement. See the DPA section below.

Right to data portability. Users can request their data in a structured, machine-readable format.

Right to erasure ("right to be forgotten"). Users can request deletion, with limited exceptions.

International data transfers. Transferring personal data from the EU to the U.S. requires a valid transfer mechanism. The current EU-U.S. Data Privacy Framework provides adequacy for certified organizations. If you're not certified, you'll need Standard Contractual Clauses (SCCs).

Do You Need an EU Representative?

If your company doesn't have an establishment in the EU but is subject to GDPR, you're required to appoint a representative in the EU. This is often overlooked by early-stage startups. An EU representative is a designated contact point for supervisory authorities and data subjects.

Cookie Consent Requirements

Cookies are a surprisingly complex compliance area. The requirements vary significantly by jurisdiction:

United States: California requires disclosure of cookies and tracking technologies in your privacy policy. Colorado recognizes global opt-out signals (like the Global Privacy Control browser setting). There's no federal cookie consent law, but the FTC has enforcement authority over deceptive practices — if your privacy policy says you don't use tracking cookies but you do, that's a Section 5 violation.

EU/UK: The ePrivacy Directive requires affirmative opt-in consent before placing non-essential cookies. This means a real consent mechanism — not a "by continuing to browse, you agree" banner. Users must be able to reject cookies as easily as they accept them, and the site must function (at a basic level) without non-essential cookies.

Practical implementation: Use a consent management platform (CMP) that blocks non-essential cookies until consent is obtained. Configure it to respect GPC signals for U.S. users and implement granular consent categories (necessary, analytics, marketing, functional) for EU users.

Children's Data: COPPA

The Children's Online Privacy Protection Act applies if your service is directed at children under 13 or you have actual knowledge that you're collecting data from children under 13. COPPA requirements are strict:

Verifiable parental consent before collecting children's data
Limited data collection (only what's necessary)
Special privacy policy disclosures
No behavioral advertising to children

Even if your product isn't designed for children, if children use it (common with consumer apps), you may trigger COPPA obligations. The FTC actively enforces COPPA, and penalties are significant — Epic Games paid $275 million in 2022 for COPPA violations.

If your product could attract users under 13, build age-gating into your signup flow and implement COPPA-compliant data handling for underage users.

DPA Requirements from Enterprise Customers

When selling to enterprise customers, you'll encounter Data Processing Agreements (DPAs) in virtually every procurement process. A DPA is a contract between a data controller (your customer) and a data processor (you) that governs how you handle their data.

Enterprise DPAs typically require:

Processing only on instructions — you can only use customer data for the purposes they specify
Subprocessor management — you must disclose (and sometimes get approval for) every third-party service that processes customer data
Security measures — specific technical and organizational security requirements
Breach notification — often with shorter windows than regulatory requirements (24–48 hours)
Data return and deletion — obligations upon contract termination
Audit rights — the customer can audit your data handling practices (usually satisfied by SOC 2 reports)
International transfer mechanisms — SCCs or Data Privacy Framework certification for EU data

Startup tip: Create a standard DPA template that satisfies common enterprise requirements. Negotiating DPAs from scratch for every customer is expensive and slow. A well-drafted template DPA that you can offer proactively signals maturity and accelerates sales cycles.

SOC 2 as Table Stakes

SOC 2 (Service Organization Control 2) is an auditing standard that evaluates a company's controls related to security, availability, processing integrity, confidentiality, and privacy. It's not a privacy law — it's an industry standard that enterprise customers treat as a minimum requirement.

Type I vs. Type II

SOC 2 Type I evaluates whether your controls are designed appropriately at a specific point in time. It's a snapshot. You can achieve Type I in 2–4 months.

SOC 2 Type II evaluates whether your controls operated effectively over a period (typically 6–12 months). This is what enterprise customers actually want. Plan for 6–12 months from starting the process.

When to Pursue SOC 2

For B2B SaaS startups, the trigger is typically your first enterprise customer requiring it — usually at the Series A stage, sometimes earlier. The investment is significant ($30K–$100K+ for the first audit), but the alternative is losing enterprise deals.

Practical approach: Start with a SOC 2 readiness assessment at the seed stage. Implement foundational controls (access management, encryption, logging, incident response) early. It's cheaper to build securely from the start than to retrofit later.

Practical Compliance Roadmap for Early-Stage Startups

Day One (Pre-Launch)

Publish a privacy policy — it doesn't need to be 20 pages, but it must accurately describe your data practices
Implement cookie consent — use a CMP that handles U.S. and EU requirements
Configure analytics privacy settings — use IP anonymization, limit data retention
Add a DPA template — have one ready before your first enterprise prospect asks

Seed Stage

Map your data flows — document what data you collect, where it goes, who processes it, and how long you keep it
Review vendor DPAs — ensure your cloud providers, analytics tools, and email services have signed DPAs with you
Implement data subject request handling — build a process (even if manual) for responding to deletion, access, and correction requests within statutory timeframes (30–45 days depending on jurisdiction)
Train your team — basic privacy awareness training for everyone who handles user data

Series A and Beyond

Begin SOC 2 readiness — engage an auditor for a gap assessment
Appoint a privacy lead — doesn't need to be full-time, but someone should own privacy compliance
Implement data retention policies — don't keep data forever; define retention periods by data category
Conduct a privacy impact assessment — evaluate high-risk processing activities
Review international transfer mechanisms — if you have EU users, ensure you have valid transfer mechanisms in place

Ongoing

Update your privacy policy when practices change — a stale policy that doesn't match reality is worse than no policy
Monitor regulatory changes — new state laws take effect regularly; subscribe to privacy law updates
Review vendor relationships — new tools and integrations may create new data flows that need disclosure
Practice incident response — have a breach notification plan and test it

Common Mistakes Startups Make

Copy-pasting another company's privacy policy. Your privacy policy must accurately describe your data practices. A copied policy is almost certainly inaccurate, which creates enforcement risk and undermines credibility during due diligence.

Ignoring GDPR because "we're a U.S. company." GDPR applies based on where your users are, not where you're incorporated. If your Delaware C-Corp has users in the EU, GDPR applies.

Treating privacy as a legal-only problem. Privacy compliance requires engineering (building deletion capabilities, consent management, access controls), product (designing privacy-respectful user experiences), and operations (training, vendor management, incident response). Legal can draft the policy, but engineering and product must implement it.

Not having a breach response plan. When (not if) a breach occurs, you'll have 72 hours (GDPR) or "expedient" timeframes (state laws) to notify regulators. Building a response plan during an active breach is a recipe for missed deadlines and increased penalties.

Privacy compliance isn't a one-time project — it's an ongoing operational discipline. Start simple, build incrementally, and treat privacy as a product feature rather than a legal burden. Your enterprise customers and investors will notice the difference.