# 21. Privacy Policy, TOS & Legal Pages

meta:
  id: web-production-21
  feature: web-production
  priority: P2
  depends_on: []
  tags: [compliance, legal, production]

objective:
  - Create and deploy all required legal pages for production operation

deliverables:
  - Privacy Policy page (/privacy)
  - Terms of Service page (/terms)
  - Cookie Policy page (/cookies)
  - Data Processing Agreement (DPA) page
  - Legal pages linked in footer

steps:
  1. Create Privacy Policy:
     - Data collection practices (what, why, how long)
     - Third-party services (Stripe, Clerk, Twilio, Firebase)
     - User rights (access, rectification, deletion, portability)
     - Contact information for privacy inquiries
     - Last updated date
  2. Create Terms of Service:
     - Service description and limitations
     - User responsibilities and prohibited conduct
     - Subscription terms and billing
     - Termination clauses
     - Limitation of liability
     - Dispute resolution
  3. Create Cookie Policy:
     - Types of cookies used (essential, analytics, marketing)
     - Purpose of each cookie
     - How to manage cookies
     - Third-party cookies
  4. Create Data Processing Agreement:
     - Roles and responsibilities
     - Data security measures
     - Subprocessor list
     - Breach notification procedures
  5. Add legal pages to app:
     - Create routes: /privacy, /terms, /cookies, /dpa
     - Add links in Footer component
     - Ensure pages are server-rendered for SEO
  6. Review with legal counsel:
     - Have privacy policy reviewed by attorney
     - Ensure compliance with applicable jurisdictions
     - Update based on feedback

tests:
  - Unit: Test routes render correctly
  - Integration: Verify links in footer navigate correctly
  - Compliance: Review with legal counsel

acceptance_criteria:
  - Privacy Policy live at /privacy
  - Terms of Service live at /terms
  - Cookie Policy live at /cookies
  - DPA live at /dpa
  - All pages linked in site footer
  - Pages reviewed and approved by legal counsel
  - Last updated date within 30 days of launch
  - Contact email for privacy inquiries functional

validation:
  - Navigate to /privacy → complete policy displayed
  - Click footer links → correct pages load
  - Legal counsel approval documented
  - Email to privacy@kordant.com → received

notes:
  - Consider using Termly or iubenda for generated policies
  - Ensure policies cover all data processors (Stripe, Clerk, etc.)
  - Update policies when adding new third-party services
  - Keep records of user consent to terms