A linked, non-placeholder privacy policy is a baseline legal obligation under GDPR Art. 13, CCPA §1798.130, and Google/Apple store policy — any app that collects email, names, or analytics identifiers without disclosing the fact fails each of those regimes. It is also gating for third-party integrations: Stripe requires a published policy before activating a live account, Google OAuth verification rejects apps without one, and the App Store/Play Store will remove listings on takedown. AI coding tools routinely scaffold a sign-up form and an analytics library but skip the policy page entirely, or leave an unlinked /privacy route with "Coming soon" boilerplate that never gets written. The failing shape is invisible in development — the site works, users sign up, and the legal gap is discovered at launch review or on first takedown notice.
Medium because the missing or unlinked policy blocks real downstream gates (Stripe activation, OAuth verification, store review) but authoring a compliant page and adding one footer link is a short, well-templated task.
Create a privacy policy page (templates available at termly.io, gdpr.eu) and add a link in your footer component.
Deeper remediation guidance and cross-reference coverage for this check lives in the gdpr-readiness Pro audit — run that after applying this fix for a more exhaustive pass on the same topic.
project-snapshot.legal.privacy-policy-linked
medium
app/privacy/page.tsx, app/privacy-policy/page.tsx, pages/privacy.tsx, public/privacy.html, or equivalent. Then check whether the site footer or main layout contains a link to that route. Count both.
"No public web surface detected (project type: {type})."
"Privacy policy at {path}; linked from {locations}."
"No privacy policy page found at app/privacy/, app/privacy-policy/, or pages/privacy.tsx" or "Privacy page exists at app/privacy/page.tsx but no link found in footer/header".
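A sketch of the page-and-link detection described above, as an added example (not the audit tool's own code). It assumes link-bearing files can be recognised by name (footer, header, layout), treats "Coming soon" text as a placeholder, and uses a hypothetical `status` field and placeholder message; the sample project is constructed.

```javascript
// Candidate policy files and the route each one serves (paths from the check text).
const POLICY_PAGES = {
  "app/privacy/page.tsx": "/privacy",
  "app/privacy-policy/page.tsx": "/privacy-policy",
  "pages/privacy.tsx": "/privacy",
  "public/privacy.html": "/privacy.html",
};
// Assumption: files that can carry the link are recognised by name.
const LINK_SURFACE = /(footer|header|layout)[^/]*\.(tsx|jsx|html)$/i;
// Assumption: this phrase marks a policy page that was never written.
const PLACEHOLDER = /coming soon/i;

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// files: { relativePath: fileContents }. Returns { status, message }.
function checkPrivacyPolicy(files) {
  const path = Object.keys(POLICY_PAGES).find((p) => p in files);
  if (!path) {
    return { status: "fail", message: "No privacy policy page found at app/privacy/, app/privacy-policy/, or pages/privacy.tsx" };
  }
  if (PLACEHOLDER.test(files[path])) {
    // Hypothetical message: the check text lists no wording for this case.
    return { status: "fail", message: `Privacy page at ${path} is placeholder text` };
  }
  const route = POLICY_PAGES[path];
  // Matches href="/privacy", href='/privacy/', href={"/privacy"}; not "/privacy-policy".
  const href = new RegExp(`href\\s*=\\s*\\{?\\s*["'\`]${escapeRe(route)}/?["'\`]`);
  const locations = Object.keys(files).filter(
    (f) => f !== path && LINK_SURFACE.test(f) && href.test(files[f])
  );
  if (locations.length === 0) {
    return { status: "fail", message: `Privacy page exists at ${path} but no link found in footer/header` };
  }
  return { status: "pass", message: `Privacy policy at ${path}; linked from ${locations.join(", ")}.` };
}

// Constructed sample project: the policy page exists but the footer links elsewhere.
const sample = {
  "app/privacy/page.tsx": "export default function Privacy() { return <main>We collect your email address to create your account.</main>; }",
  "components/Footer.tsx": '<footer><Link href="/terms">Terms</Link></footer>',
};
console.log(checkPrivacyPolicy(sample).message);
```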