GDPR-009 | Critical | Privacy Documentation

Privacy policy current and complete

A privacy policy must exist, be current (updated within the last 12 months and after any change to data practices), and include the GDPR-required disclosures (controller identity, purposes, legal basis, data subject rights, etc.).

Question to ask

"When was your privacy policy last updated?"

Verification guide

Severity: Critical

Your privacy policy is a legal document that must accurately reflect your data practices and include GDPR-required disclosures.

Check automatically:

# Look for privacy policy documents (case-insensitive so PRIVACY.md is found; skips node_modules)
find . -maxdepth 3 -type d -name node_modules -prune -o -type f -iname "*privacy*" \( -iname "*.md" -o -iname "*.html" \) -print 2>/dev/null

# Check for a privacy policy route/page in the application code
grep -riE "privacy.*policy|/privacy|privacy-policy" src/ app/ routes/ pages/ --include="*.ts" --include="*.tsx" --include="*.js" --include="*.jsx" 2>/dev/null

# Look for a last-updated / effective date in the policy text
grep -riE "last.*updated|effective.*date|updated.*on" public/ docs/ --include="*.html" --include="*.md" 2>/dev/null

# Check for required GDPR disclosures in docs (a keyword hit only shows the wording exists, not that it is accurate)
grep -riE "data.*controller|legal.*basis|data.*retention|your.*rights|supervisory.*authority|international.*transfer|contact.*dpo" public/ docs/ --include="*.html" --include="*.md" 2>/dev/null

If nothing turns up in the repository, the policy may be published from a CMS or marketing site instead; fetch the live URL and run the same checks against the downloaded page.
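The individual commands above can be combined into one repeatable check. The script below is an added example for this checklist item, not code from the original page: it locates policy files, extracts the "last updated" date, applies the 12-month staleness rule from the pass criteria, and reports which of the GDPR-required disclosures have no matching wording. The function names, the keyword regexes (deliberately loose heuristics) and the two sample policies are assumptions constructed for the example; as with the raw grep, a keyword match shows that wording is present, not that it is accurate.

```shell
#!/bin/sh
# Added example for GDPR-009, not code from the original checklist: a
# self-contained version of the "check automatically" step. Regexes,
# function names and the sample policies below are all assumptions.

# key:extended-regex (matched case-insensitively), one disclosure per line.
GDPR_DISCLOSURES='
controller:data controller|controller of your
dpo_contact:data protection officer|dpo|contact us at
purposes:purposes? of (the )?processing|we use your (personal )?data to
legal_basis:legal basis|lawful basis|legitimate interest
retention:retention|retain|keep your (personal )?data
rights:right to access|right of access|erasure|portability|your rights
complaint:supervisory authority|lodge a complaint
third_parties:third parties|share(d)? (your )?(personal )?data with|sub-?processors?
intl_transfers:international transfer|outside the (EU|EEA)|standard contractual clauses
'

# find_policy_files DIR: candidate policy files (case-insensitive), skipping node_modules.
find_policy_files() {
    find "$1" -maxdepth 3 -type d -name node_modules -prune -o \
        -type f -iname '*privacy*' \( -iname '*.md' -o -iname '*.html' -o -iname '*.txt' \) \
        -print 2>/dev/null
}

# policy_date FILE: first YYYY-MM-DD after "last updated"/"effective date"/"updated on".
policy_date() {
    grep -iEo '(last updated|effective date|updated on)[^0-9]*[0-9]{4}-[0-9]{2}-[0-9]{2}' "$1" 2>/dev/null \
        | grep -Eo '[0-9]{4}-[0-9]{2}-[0-9]{2}' | head -n 1
}

# months_between FROM TO (both YYYY-MM-DD): whole calendar months from FROM to TO.
months_between() {
    y1=${1%%-*}; r=${1#*-}; m1=${r%%-*}
    y2=${2%%-*}; r=${2#*-}; m2=${r%%-*}
    m1=${m1#0}; m2=${m2#0}   # drop a leading zero so "08" is not parsed as octal
    echo $(( (y2 * 12 + m2) - (y1 * 12 + m1) ))
}

# is_stale DATE [TODAY]: true when DATE is more than 12 months before TODAY.
is_stale() {
    [ "$(months_between "$1" "${2:-$(date +%Y-%m-%d)}")" -gt 12 ]
}

# missing_disclosures FILE: keys of disclosures with no matching text in FILE.
missing_disclosures() {
    printf '%s\n' "$GDPR_DISCLOSURES" | while IFS=: read -r key regex; do
        [ -n "$key" ] || continue
        grep -qiE "$regex" "$1" || echo "$key"
    done
}

# check_policy FILE [TODAY]: print a report; return 0 on pass, 1 on fail.
check_policy() {
    file=$1; today=${2:-$(date +%Y-%m-%d)}; status=0
    updated=$(policy_date "$file")
    if [ -z "$updated" ]; then
        echo "FAIL  $file: no parseable 'last updated' date"; status=1
    elif is_stale "$updated" "$today"; then
        echo "FAIL  $file: last updated $updated, more than 12 months before $today"; status=1
    else
        echo "ok    $file: last updated $updated"
    fi
    missing=$(missing_disclosures "$file")
    if [ -n "$missing" ]; then
        echo "FAIL  $file: missing disclosures:"; printf '        - %s\n' $missing; status=1
    else
        echo "ok    $file: all disclosure keywords present"
    fi
    return $status
}

# --- constructed sample repo (not real policies); the directory is left in place ---
tmp=$(mktemp -d); mkdir -p "$tmp/docs"
cat > "$tmp/docs/privacy-policy.md" <<'EOF'
# Privacy Policy
Last updated: 2024-01-15
Example Ltd is the data controller; our Data Protection Officer is dpo@example.com.
We use your data to provide the service; the legal basis is contract. We retain
account data for 24 months. You have the right to access, rectify and request
erasure of your data, and to lodge a complaint with a supervisory authority. We
share data with the sub-processors listed below, some outside the EEA under
standard contractual clauses.
EOF
cat > "$tmp/docs/PRIVACY.html" <<'EOF'
<h1>Privacy</h1><p>Effective date: 2019-06-01</p>
<p>We take your privacy seriously and never share your data.</p>
EOF

# Fixed reference date so the sample report is reproducible; drop it for a real audit.
overall=0
for f in $(find_policy_files "$tmp"); do
    check_policy "$f" 2024-12-01 || overall=1
done
[ "$overall" -eq 0 ] && echo "GDPR-009: PASS" || echo "GDPR-009: FAIL"
```

Run it from the repository root with the sample block removed and `.` passed to find_policy_files; the first sample passes on both checks, the second fails on age and on every disclosure, which is the "Fail criteria" case of a policy that says nothing beyond "we never share your data". Record the printed file paths and dates as the evidence for this item.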

Ask user:

  • "When was your privacy policy last updated?"
  • "Does it cover all current data practices?" (new features, new third parties)
  • "Who reviews/updates it?" (legal, internal, template?)
  • "Does it include GDPR-required disclosures?"

GDPR-required disclosures (the information Articles 13 and 14 require a controller to provide):

Disclosure                                                                   Present?
Identity of the data controller                                              [ ]
Contact details (including the DPO, where one is designated)                 [ ]
Purposes of processing                                                       [ ]
Legal basis for processing                                                   [ ]
Data retention periods (or the criteria used to set them)                    [ ]
Data subject rights (access, rectification, erasure, portability, objection) [ ]
Right to lodge a complaint with a supervisory authority                      [ ]
Third parties (recipients) the data is shared with                           [ ]
International transfers and the safeguards relied on (if applicable)         [ ]

Pass criteria:

  • Privacy policy exists and is accessible
  • Updated within the last 12 months, and after the last significant change to data practices
  • Covers GDPR-required disclosures
  • Reflects current data practices (not outdated)

Fail criteria:

  • No privacy policy
  • Policy exists but severely outdated
  • Missing key GDPR disclosures
  • Doesn't reflect actual practices (says "we don't share data" but uses 10 third-party tools)

Evidence to capture:

  • Privacy policy location (URL)
  • Last updated date
  • Whether GDPR disclosures are present
  • Any obvious gaps

Section: 37. GDPR & Privacy Compliance (Operations & Incident Management)