check
SECURITY.md (normal file, 103 additions)
@@ -0,0 +1,103 @@
# Security Policy

## Data Storage and Privacy

### Local Storage
All user data is stored locally on the device using SQLite:
- No cloud sync by default
- No external server communication (except optional news feed)
- Data encrypted at rest by iOS/Android OS security

### Permissions

#### iOS
- **Camera**: Take photos of pottery projects (optional, on-demand)
- **Photo Library**: Save and load project photos (optional, on-demand)

#### Android
- **Camera**: Take photos of pottery projects
- **Storage**: Read/write for photo management

All permissions are requested only when needed, not at app launch.

### Analytics

Analytics are **opt-in only** and disabled by default:
- When disabled: No data collection whatsoever
- When enabled: Only anonymous usage events (no PII)
- Events tracked: app opens, feature usage (see analytics.ts)
- No advertising identifiers or device fingerprinting

### Third-Party Services

Current implementation uses:
- **No analytics services** (prepared for Sentry/Amplitude if user opts in)
- **No ad networks**
- **No social login providers**
- **Optional news feed**: Fetches public JSON from CDN (read-only)

### Data Export

Users can export their data:
- Format: JSON (plain text)
- Contains: Projects, steps, custom glazes, photos (as file URIs)
- No encryption in export (user responsible for secure storage)

## Security Best Practices

### For Users
1. Keep your device OS updated
2. Use device lock screen (PIN/biometric)
3. Back up data regularly via export
4. Be cautious when sharing exported data (may contain personal notes)

### For Developers
1. Never commit API keys or secrets to repo
2. Review all dependency updates for vulnerabilities
3. Run `npm audit` regularly
4. Keep Expo SDK and React Native updated
5. Test permissions on both iOS and Android

## Reporting a Vulnerability

If you discover a security vulnerability:

1. **DO NOT** open a public GitHub issue
2. Email: security@potterydiaryapp.com (placeholder - replace with actual)
3. Include:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if any)

We will respond within 48 hours and work with you to resolve the issue.

## Compliance

### CCPA (California Consumer Privacy Act)
- **Data Collection**: Minimal (only with opt-in analytics)
- **Data Sale**: Never. We do not sell or share personal data.
- **User Rights**: Users can delete all data by uninstalling the app or via in-app data export/delete

### COPPA (Children's Online Privacy Protection Act)
- **Age Rating**: 4+ (content), but app not directed at children under 13
- **No Data Collection**: No PII collected from any users
- **Parental Controls**: Device-level restrictions apply

### App Store Requirements
- **Privacy Nutrition Label** (iOS):
  - Data Not Collected: Yes (if analytics disabled)
  - Data Linked to You: No
  - Data Used to Track You: No

## Changelog

### v1.0.0 (2025-01-15)
- Initial release
- Local-only data storage
- Opt-in analytics framework (not yet active)
- No third-party services

---

Last Updated: 2025-01-15
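Review bot: the disclosure contact under `## Reporting a Vulnerability` is a placeholder, `2. Email: security@potterydiaryapp.com (placeholder - replace with actual)`, so as committed the policy has no working channel for private reports and the `We will respond within 48 hours` commitment is unbacked; fill in a monitored address (or a private vulnerability-reporting link) before merging, or drop the response-time promise until one exists. The compliance section also contradicts the analytics section: `- **No Data Collection**: No PII collected from any users` and `- Data Not Collected: Yes (if analytics disabled)` are stated as facts, while `### Analytics` describes opt-in usage events and `prepared for Sentry/Amplitude`; an App Store privacy label cannot be conditional on a user setting, so either declare the usage-data types the opt-in path would send, or state that the analytics path is not shipped (the changelog already says `not yet active`) and remove the conditional. Finally, `- Data encrypted at rest by iOS/Android OS security` is only as strong as the device lock the user has set (item 2 under `### For Users`), and `3. Back up data regularly via export` is weaker than it reads because the export holds `photos (as file URIs)` rather than the images themselves; say both explicitly, and state whether the SQLite database is excluded from iCloud/Android auto-backup, since backup is the other path by which "local-only" data leaves the device.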