Privacy policy published
Why it matters
A missing privacy policy is not just an oversight. It is a legal violation under GDPR Article 13 (information to be provided when personal data are collected from the data subject) and CCPA §1798.100 (notice at collection; right to know), and a control failure under NIST SP 800-53 rev5 PT-1 (Policy and Procedures for the PII Processing and Transparency family). FedRAMP rev5 PT-1 likewise requires cloud service providers serving federal agencies to document, maintain, and publish their privacy policy and procedures. Users cannot exercise data access, correction, or deletion rights without a published policy describing those rights and how to invoke them. Regulators in California and the EU have fined organizations for absent or incomplete notices even when no breach occurred.
Severity rationale
Low as a code-level severity: the absence of a privacy policy creates no technical exploit path. The legal and regulatory exposure is nonetheless material and enforcement is routine, so the finding should be remediated rather than deferred indefinitely.
Remediation
Publish a privacy policy at /privacy and link it from the footer of every page. At minimum cover the six sections in the template below, which map to the disclosures GDPR Art. 13 and CCPA §1798.100 require.
# Privacy Policy
## What We Collect
- Account data: email, name, role
- Usage data: pages visited, actions performed, audit submissions
- Technical data: IP address (hashed), browser type, timestamps
## How We Use It
To operate the service, improve reliability, and comply with legal obligations.
## Who We Share It With
Subprocessors only (list them: Supabase, Vercel, Stripe) — no sale of data.
## Your Rights
Access, correction, deletion, and portability requests: privacy@yourcompany.com
## Retention
Account data retained while active; deleted within 30 days of account closure.
Audit logs retained 90 days.
## Contact
privacy@yourcompany.com
Have counsel review the final policy; the template above is a starting point, not legal advice. Add a <link rel="privacy-policy" href="/privacy"> tag to the <head> of your root layout: privacy-policy is an IANA-registered link relation (RFC 6903), so crawlers and compliance tooling can discover the page without parsing the footer.
Detection
- ID: privacy-policy-published
- Severity: low
- What to look for: Look for a privacy policy page on the public site (usually /privacy, or linked from the footer). Count the number of required sections present: data collected, data usage, data sharing, user rights (access, deletion, portability), retention period, and contact information. Check whether it is complete and up to date.
- Pass criteria: A privacy policy is published and publicly accessible, and it describes at least 4 of the following six sections: what data is collected, how it is used, who it is shared with, user rights (access, deletion, portability), retention periods, and contact information for privacy inquiries. The 4-of-6 threshold is the floor for the automated check; the remediation target is all six.
- Fail criteria: No privacy policy found, or it covers fewer than 4 of the required sections.
- Skip (N/A) when: Never. A privacy policy is legally required for most projects handling user data.
- Detail on fail: "No privacy policy page found. Footer does not link to /privacy."
- Cross-reference: For incident response and security reporting procedures that complement the privacy policy, see the incident-response-plan check in this category.
- Remediation: Create a privacy policy page:
# Privacy Policy
## Data Collection
We collect the following information:
- Account information: email, name, role
- Usage data: actions performed, audit logs
- Technical data: IP address, browser information
## Data Usage
- To provide and improve our service
- To comply with legal obligations
- To monitor security and prevent abuse
## Data Sharing
- Shared with subprocessors only (list them); no sale of data
## Data Retention
- Active user data is retained while your account is active
- Audit logs are retained for 90 days
- Deleted accounts' data is permanently deleted after 30 days
## Your Rights
- Access: Request a copy of your data
- Correction: Update your information
- Deletion: Request permanent deletion
- Portability: Export your data
To exercise these rights, contact privacy@company.com
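The detection logic above, as an added example that is not part of the check tooling or the original page: a heuristic Python scanner that looks for a footer link or a <link rel="privacy-policy"> tag on the home page, strips the linked policy to text, counts the six required sections by keyword, and applies the 4-of-6 pass threshold. The keyword lists, the sample HTML pages, and the function names (find_policy_link, sections_present, evaluate) are assumptions constructed for this example; a real run would fetch the pages over HTTP instead of using the embedded strings.

```python
"""Heuristic implementation of the privacy-policy-published check.

Added example: the keyword lists, sample pages and function names are
assumptions for illustration, not the project's own scanner.
"""
import re
from html.parser import HTMLParser

# The six sections the check counts, each with phrases that usually head
# or appear in that section. Matching is deliberately loose: this is a
# presence check, not a legal review of the policy's content.
REQUIRED_SECTIONS = {
    "data_collected": ("what we collect", "data collection", "information we collect"),
    "data_usage": ("how we use", "data usage"),
    "data_sharing": ("who we share", "data sharing", "third parties", "subprocessors"),
    "user_rights": ("your rights", "right to access", "request deletion", "data portability"),
    "retention": ("retention", "retained"),
    "contact": ("contact", "privacy@"),
}
PASS_THRESHOLD = 4  # pass criteria: at least 4 of the 6 sections present


class _LinkCollector(HTMLParser):
    """Collects <a href> targets inside <footer> and <link rel="privacy-policy"> hrefs."""

    def __init__(self):
        super().__init__()
        self.in_footer = False
        self.footer_links = []
        self.rel_links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "footer":
            self.in_footer = True
        elif tag == "a" and self.in_footer and a.get("href"):
            self.footer_links.append(a["href"])
        elif tag == "link" and "privacy-policy" in (a.get("rel") or "").lower().split():
            self.rel_links.append(a.get("href"))

    def handle_endtag(self, tag):
        if tag == "footer":
            self.in_footer = False


def find_policy_link(home_html):
    """Return the privacy policy href advertised by the home page, or None.

    The machine-readable <link rel="privacy-policy"> wins over footer links.
    """
    parser = _LinkCollector()
    parser.feed(home_html)
    for href in parser.rel_links + parser.footer_links:
        if href and "privacy" in href.lower():
            return href
    return None


def sections_present(policy_html):
    """Strip tags, normalise whitespace, and return the set of sections detected."""
    text = re.sub(r"<[^>]+>", " ", policy_html).lower()
    text = re.sub(r"\s+", " ", text)
    return {name for name, phrases in REQUIRED_SECTIONS.items()
            if any(p in text for p in phrases)}


def evaluate(home_html, policy_html):
    """Apply the pass/fail criteria.

    policy_html is None when the home page links to a policy but the linked
    page could not be fetched (for example a 404), which is still a fail.
    """
    link = find_policy_link(home_html)
    if link is None:
        return {"result": "fail", "link": None, "sections": [], "missing": sorted(REQUIRED_SECTIONS),
                "detail": "No privacy policy page found. Footer does not link to /privacy."}
    if policy_html is None:
        return {"result": "fail", "link": link, "sections": [], "missing": sorted(REQUIRED_SECTIONS),
                "detail": f"Privacy policy linked at {link} but the page is not reachable."}
    found = sections_present(policy_html)
    missing = sorted(set(REQUIRED_SECTIONS) - found)
    result = "pass" if len(found) >= PASS_THRESHOLD else "fail"
    detail = None if result == "pass" else (
        f"Privacy policy at {link} covers only {len(found)} of {len(REQUIRED_SECTIONS)} "
        f"required sections; missing: {', '.join(missing)}")
    return {"result": result, "link": link, "sections": sorted(found), "missing": missing, "detail": detail}


# Constructed sample pages for the example (not captured from any real site).
HOME_WITH_POLICY = ('<html><head><link rel="privacy-policy" href="/privacy"></head><body>'
                    '<footer><a href="/terms">Terms</a> <a href="/privacy">Privacy</a></footer></body></html>')
HOME_WITHOUT_POLICY = '<html><body><footer><a href="/terms">Terms</a></footer></body></html>'
POLICY_FULL = ('<h1>Privacy Policy</h1><h2>What We Collect</h2><p>Account data: email, name, role.</p>'
               '<h2>How We Use It</h2><p>To operate the service.</p>'
               '<h2>Who We Share It With</h2><p>Subprocessors only; no sale of data.</p>'
               '<h2>Your Rights</h2><p>Access, correction, deletion, and portability requests.</p>'
               '<h2>Retention</h2><p>Audit logs retained 90 days.</p>'
               '<h2>Contact</h2><p>privacy@yourcompany.com</p>')
POLICY_THIN = ('<h1>Privacy Policy</h1><h2>What We Collect</h2><p>Email and name.</p>'
               '<h2>Contact</h2><p>privacy@yourcompany.com</p>')

if __name__ == "__main__":
    for home, policy in [(HOME_WITH_POLICY, POLICY_FULL), (HOME_WITH_POLICY, POLICY_THIN),
                         (HOME_WITHOUT_POLICY, POLICY_FULL), (HOME_WITH_POLICY, None)]:
        print(evaluate(home, policy))
```

The scanner reports which sections are missing rather than just pass/fail, so the finding can carry the same detail string the check expects and the remediation can be targeted. Keyword presence is a proxy: a page that mentions "retention" once in passing will count, and a policy that uses unusual headings may be under-counted, so treat a borderline result as a prompt for manual review rather than a verdict.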
External references
- nist:rev5 · PT-1 — Policy and Procedures for PII Processing
- gdpr · Art. 13 — Information to be provided where personal data collected from data subject
- fedramp:rev5 · PT-1 — Policy and Procedures (privacy policy publication, FedRAMP baseline)
- ccpa · §1798.100 — Right to know — notice at collection
Taxons
History
- 2026-04-18·v1.0.0·Initial import from gov-fisma-fedramp·automated