Emberglow Goods is a fictional direct-to-consumer brand — one of ten companies we ran end to end through the live Bylaw system. Fictional company, real run, and deliberately scrappy: five thin documents for a brand that has grown on speed and taste rather than process. If you sell straight to consumers and move fast, read on.
Emberglow is the modern DTC story: a hero product, a subscription, a busy paid-social engine, a Shopify-class storefront, a 3PL for fulfillment, and a five-document compliance footprint written in a hurry between launches. It is not careless; it is fast, and fast companies document last. The risk is that a consumer brand touching payments, personal data, marketing claims, and physical products carries the obligations of all four while keeping the paperwork of none.
What Emberglow wants is to keep growing, protect the brand, keep its payment and platform partners happy, and expand into new states and abroad without tripping a privacy regulator, the FTC, or a product-safety rule. What stands in the way is that the brand cannot yet prove the controls a consumer business is assumed to run — and an FTC inquiry, a state privacy sweep, or a marketplace’s seller review does not grade vibe.
What a DTC brand is actually being asked
Emberglow sits under a surprisingly broad rulebook for its size. PCI-DSS governs how it touches card data through its storefront and processor. The state privacy patchwork — California’s CCPA and CPRA at the front, the growing list of state laws behind it — imposes access, deletion, opt-out, and retention duties that differ by state. The FTC is the live wire for a DTC brand: advertising-substantiation rules for product claims, the ROSCA requirements and click-to-cancel expectations around subscriptions, and an active campaign against dark patterns in checkout and cancellation flows. If Emberglow ships a regulated physical product, CPSC safety and recordkeeping rules apply. GDPR arrives with the first EU customer, and the EU AI Act reaches the recommendation, segmentation, and dynamic-pricing models that power DTC marketing.
Each of those reduces to the same question — can you prove the control operated — and a brand with five documents and no record cannot. That is precisely why Emberglow was worth running: to show what the system does with a consumer business that is under-documented for the obligations it actually carries. The cost of getting it wrong is not theoretical for DTC — an FTC consent order, a multistate privacy action, a marketplace suspension, or a chargeback program that threatens card acceptance can each end a brand’s momentum overnight.
Where the cracks were
Five documents produce fewer contradictions and more silence, and the engine surfaced both. It flagged 76 items of orphan data — a strikingly high count for so few documents, the unmistakable signature of a business running on undocumented practice — and a handful of direct conflicts where the same rule appeared two different ways. The more important finding was absence: whole control areas a consumer brand is assumed to operate — data-subject request handling, retention and deletion, subscription-cancellation discipline, vendor oversight of the 3PL and the marketing stack — with no documented rule at all.
The system does not paper over silence. It names each gap in plain language and routes it for a human decision rather than inventing a control nobody adopted. Of twenty-nine issues raised, nineteen were ruled and recorded during the run; the rest were queued with owners. For a scrappy brand, that honest map of strong, fragile, and missing is the entire value — it is the difference between thinking you are fine and knowing exactly where you are not.
How Bylaw stepped in
We ran the office at Emberglow’s scale, not a retailer’s. The five documents were cleaned into atomic, tagged statements, fitted to the governed template, and mapped to 28 live controls — small and honest, because an accurate 28 is worth more to a growing brand than an aspirational map it cannot stand behind. Each control is a plain sentence with one operator, one expected value, and the live signal it reads. Contradictions went to the Ruling Guide for a human decision; nothing mapped across an unresolved conflict; nothing went live without the three-signature gate.
The early evidence index came in at 39 — among the lowest in the fleet, and completely honest. That number is not a verdict on Emberglow’s product or its taste; it is a true picture of its proof on day one, and a baseline that climbs the moment the record starts running. Emberglow left the run with a sequenced list of the controls to document next to clear a marketplace seller review, an FTC-style inquiry, or a state privacy request — with evidence already accumulating for the controls it had in place. And as everywhere in the fleet, Bylaw held none of Emberglow’s data; the record carries proof, never card numbers, customer records, or order history.
An evidence index of 39 is not a failing grade. It is the truth, on day one, written where the team can act on it — which is more than most fast-moving consumer brands have ever had.
Testing tomorrow before it arrives
A DTC brand’s future is a parade of new states, new channels, and new marketing technology, so the Simulation Lab earned its keep. We ran the five territory packs against Emberglow’s controls, with California standing in for the CCPA/CPRA edge and the EU pack for GDPR and the AI Act, and ran an EU-expansion shock test against the recommendation and dynamic-pricing models a growing brand inevitably adopts. Each run returned a ledger of conflicts and ripple counts that doubles as a roadmap: here is what breaks if you open that state or turn on that personalization feature before these controls exist.
We connected partners, too. Emberglow issued evidence-scoped keys to two counterparties — the shape of a payment processor and a fulfillment partner — and ran partner-versus-company simulations where only evidence crossed: control sentences, verdicts, hashes, never an order or a name. Across its sessions Emberglow ran twelve simulations and exercised an M&A diligence scenario both ways — useful for a brand whose likeliest next chapter is acquisition by a larger platform or holding company, which always begins with someone reading the controls.
What it looks like when the FTC or a marketplace asks
Run it forward. A state attorney general opens a privacy sweep, or the FTC asks about a subscription-cancellation flow, or a marketplace’s trust team reviews Emberglow as a seller. Before Bylaw, that request is a scramble through the storefront admin, the marketing tools, and the processor for screenshots that represent a few moments. With even a small record running, the brand answers from evidence: the control that governs the cancellation flow, the deletion-request process, the retention rule — each with its live signal, its source, and a hash, scoped to exactly what was asked, with no customer data in the exchange. The brand that can show its work, and its plan for the gaps, keeps selling while a competitor that scrambles draws a second, harder look.
Proven, not asserted
Every action passed through the single audited door and chained to the one before it; Emberglow’s workspace built past 160 chained audit records by the reporting session, verifying end to end, with exports held at the locked gate. The three independent audits re-checked Emberglow with the rest of the fleet — rebuilding the chain, proving the gate cannot be bypassed, recomputing every figure — and found no fabrication, including the unflattering 50% pass rate that an honest system reports and a dishonest one would have quietly rounded up.
If this were your brand
If you are growing a consumer brand ahead of your paperwork, the answer is not shame and it is not a binder — it is an embedded office that turns the gap into a sequenced plan and starts proving the controls you do run today. Hiring a governance team is not realistic at your stage; embedding the function through Bylaw is, and it arrives fluent in PCI, the state privacy patchwork, the FTC’s line on subscriptions and dark patterns, and the EU AI Act’s reach into personalization. Emberglow is fictional so we could show the honest version — gaps and all. The fastest way to see your own starting line, before a regulator or a marketplace sees it for you, is a governance review.
What crossed, and what never did
It is worth being precise about how the evidence for Emberglow was collected, because it is the whole difference between Bylaw and the tools that ask for your data. Bylaw never logged in and pulled records. It dispatched worker packets — small, single-purpose, read-only instructions — to the storefront, the payment processor, the marketing and subscription tools, and the fulfillment partner, each asking one question and returning one structured verdict: the operator, the expected value, the observed value, and a content hash. The reasoning happened on the other side of a wall, in a sealed engine reached with a key Emberglow controlled, working only over configuration and event state.
Between Emberglow’s environment and anything that left it sat the edge wall, which rejected every name, email, and identifier before it could cross — to us, to a partner, or into the audit trail. What crossed was proof: statuses, timestamps, and hashes. What never crossed was content — no card number, no order, no customer record. That is not a promise; it is the architecture, and it is why a worst case for Bylaw could never become a data breach for Emberglow or its customers. The record is defensible precisely because it contains evidence of operation and nothing an attacker would want.
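The verdict shape and edge wall described above, together with the chained audit records from "Proven, not asserted", can be sketched as follows. This is an added illustration, not Bylaw's code: the field names, the allowlist, the blocking patterns and the chaining scheme are all assumptions made for the example.

```python
import hashlib, json, re

# Hypothetical allowlist: only proof-shaped fields may cross. Names cannot be
# matched by pattern, so free-text fields are simply never admitted.
ALLOWED = {"control", "operator", "expected", "observed", "status", "ts", "content_hash"}
# Constructed patterns for values that must not cross: emails, card-length digit runs.
BLOCKED = [re.compile(r"[^@\s]+@[^@\s]+\.\w+"), re.compile(r"\b(?:\d[ -]?){13,19}\b")]
OPS = {"==": lambda a, b: a == b, "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}

def edge_wall(record):
    """Return the record if it is proof-only, else raise ValueError."""
    extra = set(record) - ALLOWED
    if extra:
        raise ValueError(f"field not allowed to cross: {sorted(extra)}")
    for key, value in record.items():
        if any(p.search(str(value)) for p in BLOCKED):
            raise ValueError(f"identifier-like value in field {key!r}")
    return record

def make_verdict(control, operator, expected, observed, ts, raw_config):
    """One structured verdict; raw_config stays local, only its hash leaves."""
    status = "pass" if OPS[operator](observed, expected) else "fail"
    digest = hashlib.sha256(raw_config.encode()).hexdigest()
    return {"control": control, "operator": operator, "expected": expected,
            "observed": observed, "status": status, "ts": ts, "content_hash": digest}

def link(prev, record):
    """Hash of the previous entry hash plus the canonical JSON of this record."""
    return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()

def append(chain, record):
    """Append a wall-checked record, chained to the entry before it."""
    prev = chain[-1]["entry_hash"] if chain else "0" * 64
    chain.append({"prev": prev, "record": edge_wall(record), "entry_hash": link(prev, record)})
    return chain[-1]["entry_hash"]

def verify_chain(chain):
    """Recompute every link; return index of the first bad entry, or -1 if intact."""
    prev = "0" * 64
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or link(prev, entry["record"]) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return -1

if __name__ == "__main__":
    chain = []  # constructed sample: a retention control read from storefront config
    append(chain, make_verdict("retention-days", "<=", 365, 400, "2025-01-15T10:00:00Z", "retention=400"))
    print(chain[0]["record"]["status"], verify_chain(chain))
```

Because a rejected record raises before it is appended, a blocked value never reaches the chain, and editing any stored verdict afterwards makes `verify_chain` return the index of the altered entry.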
Why this matters now
The reason to do this now, rather than after the next audit, is that proof cannot be reconstructed backward. You cannot retroactively show that a control operated last quarter if no one was recording it; the evidence either accrued or it did not. A continuous record is the one compliance asset that is strictly more valuable the earlier it starts, because it compounds — every day it runs, it proves a longer period.
The deadline pressure is real and specific. The EU AI Act’s high-risk obligations are phasing into force through 2026, and for a brand the exposure is concrete the moment personalization or dynamic-pricing AI is in play: logging across the system’s lifetime, demonstrable human oversight, and post-market monitoring — all of them evidence duties, not policy statements. Add the frameworks already on the table and the enterprise buyers who enforce them faster than any regulator, and the company that started keeping the record is simply ready, while the one that waited is assembling screenshots against a clock. That is the whole argument for starting before you are asked.
For a brand whose entire advantage is speed, that is the point: governance that keeps pace with the business instead of pumping the brakes — proof that accrues quietly in the background while the team does what it does best, and is simply there the day a marketplace, a regulator, or an acquirer asks to see it.
We’re ready to step in.
Every figure in this study came from the live system, run against a company built to look like a real one. The fastest way to see where your own proof stands — strong, fragile, and missing — is a structured governance review. No data required; findings in weeks, and yours to keep whatever you decide.