Privacy policy page exists
Why it matters
GDPR Article 13, CCPA §1798.100, and Brazil's LGPD Article 9 all require that users be informed about data collection before or at the time their data is collected. Any application that uses analytics, session cookies, contact forms, or authentication collects personal data — which triggers mandatory disclosure requirements. Operating without a privacy policy exposes the business to regulatory fines (GDPR penalties reach 4% of global turnover) and removes the legal basis for processing user data at all. Courts and regulators treat absence of a privacy policy as evidence of willful non-compliance.
Severity rationale
Critical because launching without a privacy policy is a direct GDPR/CCPA compliance violation that exposes the business to regulatory fines and removes the legal basis for data processing.
Remediation
Create a route at /privacy or /privacy-policy and link it from your site footer. The policy must disclose what data is collected, why, how long it's retained, and how users can request deletion.
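// app/privacy/page.tsx — required disclosure page
export default function PrivacyPage() {
  return <main>{/* policy content */}</main>
}
// components/footer.tsx: link the policy from the site footer
import Link from 'next/link'
export function Footer() {
  return <footer><Link href="/privacy">Privacy Policy</Link></footer>
}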
For a SaaS with EU users, include: legal basis for processing under GDPR Art. 6, data subject rights (access, erasure, portability), third-party processors (Stripe, Vercel, analytics vendors), and data retention periods. Services like Termly or Iubenda generate jurisdiction-appropriate policy text if writing from scratch is impractical.
Detection
- ID: privacy-policy
- Severity: critical
- What to look for: Count all privacy-related pages and links. Enumerate whether a privacy policy page exists and is linked from the footer or signup flow. Search for a route or page that serves a privacy policy. Look for files matching patterns like privacy.tsx, privacy/page.tsx, privacy-policy.tsx, legal/privacy.tsx. Check for navigation links to a privacy page in layout components. Check for any links in footer components pointing to a privacy URL.
- Pass criteria: A privacy policy page exists at a reachable route (e.g., /privacy, /privacy-policy, /legal/privacy). At least 1 privacy policy page must exist and be linked from the site footer.
- Fail criteria: No privacy policy page found anywhere in the project routes.
- Skip (N/A) when: Skip only if this is a purely internal tool with no external users and no data collection of any kind. Signal: project type is api or cli with no user-facing pages and no analytics or tracking dependencies.
- Cross-reference: For terms of service, see terms-of-service. For cookie consent, see cookie-consent.
- Detail on fail: "No privacy policy page found — required for any project that collects user data, uses analytics, or processes personal information"
- Remediation: A privacy policy is legally required in most jurisdictions (GDPR, CCPA, CalOPPA) for any application that collects personal data, uses cookies, or employs analytics tools. This is not optional for a public launch:
  // components/footer.tsx — privacy policy link
  <Link href="/privacy">Privacy Policy</Link>
  // Ensure app/privacy/page.tsx exists
  - Create a page at /privacy or /privacy-policy.
  - Your privacy policy must disclose: what data you collect, why you collect it, how long you keep it, who you share it with (including third-party services like Google Analytics, Stripe, etc.), and how users can request deletion.
  - For a SaaS in the US with EU users, you need GDPR compliance language including data processing basis and user rights.
  - Use a service like Termly, Iubenda, or PrivacyPolicies.com to generate a policy appropriate to your stack if writing from scratch is impractical.
  - Link the privacy policy in your site footer on every page.
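One way to automate the detection steps above, as an added example that is not the audit tool's own code. It works on an in-memory map of file path to source; the names auditPrivacyPolicy and routeOf, the extension list, the tracker package list, and the choice to fail a page that no footer link reaches are assumptions made for this sketch.

```javascript
// Added example: static check for a privacy policy page and a footer link to it.
// File patterns follow the check description; the extension list is an assumption.
const PAGE_RE = /(^|\/)privacy(-policy)?(\/page)?\.(tsx|jsx|mdx)$/;
// Components that normally carry site-wide navigation links.
const NAV_RE = /(^|\/)(footer|layout)[^/]*\.(tsx|jsx)$/i;
const HREF_RE = /href=\{?["'`](\/[^"'`]*privacy[^"'`]*)["'`]/g;
// Illustrative tracking packages, not an exhaustive list.
const TRACKERS = ['@vercel/analytics', 'posthog-js', 'mixpanel-browser', 'react-ga4'];

// app/(legal)/privacy/page.tsx -> /privacy ; pages/legal/privacy.tsx -> /legal/privacy
function routeOf(path) {
  return '/' + path
    .replace(/^(src\/)?(app|pages)\//, '')
    .replace(/\([^)]*\)\//g, '') // Next.js route groups add no URL segment
    .replace(/(\/page)?\.\w+$/, '');
}

function auditPrivacyPolicy(files, { projectType = 'web', dependencies = [] } = {}) {
  const paths = Object.keys(files);
  const routes = paths.filter((p) => PAGE_RE.test(p)).map(routeOf);
  const links = [];
  for (const p of paths.filter((q) => NAV_RE.test(q))) {
    for (const m of files[p].matchAll(HREF_RE)) links.push(m[1].replace(/\/$/, ''));
  }
  // Assumption: any JSX/MDX source counts as a user-facing page.
  const hasPages = paths.some((p) => /\.(tsx|jsx|mdx)$/.test(p));
  const tracks = dependencies.some((d) => TRACKERS.includes(d));
  if (['api', 'cli'].includes(projectType) && !hasPages && !tracks) {
    return { status: 'skip', routes, links };
  }
  if (routes.length === 0) {
    return { status: 'fail', detail: 'No privacy policy page found', routes, links };
  }
  // Interpretation: a page that no footer/layout link reaches does not pass.
  const linked = links.some((l) => routes.includes(l));
  return linked
    ? { status: 'pass', routes, links }
    : { status: 'fail', detail: 'Privacy page exists but no footer link targets its route', routes, links };
}

// Constructed sample: the footer links /privacy but the page lives at /privacy-policy.
const SAMPLE = {
  'app/privacy-policy/page.tsx': 'export default function PrivacyPage() { return null }',
  'components/footer.tsx': '<Link href="/privacy">Privacy Policy</Link>',
};
console.log(auditPrivacyPolicy(SAMPLE));
```

The sample shows the case a file-name search alone misses: the page and the link both exist, but the link points at a route that has no page.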
External references
- gdpr · Art. 13 — Information to be provided where personal data are collected from the data subject
- ccpa · §1798.100 — Consumer right to know about personal information collected
- lgpd · Art. 9 — Transparency requirements for personal data processing
- gdpr · Art. 6 — Lawfulness of processing
History
- 2026-04-18·v1.0.0·Initial import from pre-launch·automated