Privacy and Data
Compliance checks that govern how components collect, store, transmit, and process personal and sensitive data. These checks ensure respect for user privacy, compliance with data protection principles, and responsible data stewardship.
Applicability
Any recipe or guideline that collects, stores, transmits, or processes personal or sensitive data.
Checks
data-minimization
Components MUST collect only the minimum data necessary for their functionality.
Applies when: a component requests, collects, or stores user data.
Guidelines:
consent-before-collection
Personal data collection MUST be preceded by informed user consent.
Applies when: a component collects personal or identifiable information from the user.
Guidelines:
secure-data-storage
Personal and sensitive data MUST be stored using platform-specific secure storage.
Applies when: a component persists personal or sensitive data locally or remotely.
Guidelines:
no-pii-in-logs
Personally identifiable information MUST NOT appear in log output at any level.
Applies when: a component writes log output and has access to personal data.
Guidelines:
data-retention-policy
Components handling personal data MUST define retention duration and deletion behavior.
Applies when: a component stores personal data beyond the current session.
Guidelines:
data-portability
Users SHOULD be able to export their personal data in a standard format.
Applies when: a component stores significant amounts of user-generated or personal data.
Guidelines:
third-party-disclosure
Data sharing with third parties MUST be disclosed and MUST require user consent.
Applies when: a component transmits user data to external services or analytics providers.
Guidelines:
encryption-at-rest
Sensitive data stored locally MUST be encrypted at rest.
Applies when: a component persists sensitive data to the local filesystem or database.
Guidelines: