tknuth
/
pottery-diary
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
pottery-diary/SECURITY.md

3.0 KiB
Raw Blame History

Security Policy

Data Storage and Privacy

Local Storage

All user data is stored locally on the device using SQLite:

  • No cloud sync by default
  • No external server communication (except optional news feed)
  • Data encrypted at rest by iOS/Android OS security

Permissions

iOS

  • Camera: Take photos of pottery projects (optional, on-demand)
  • Photo Library: Save and load project photos (optional, on-demand)

Android

  • Camera: Take photos of pottery projects
  • Storage: Read/write for photo management

All permissions are requested only when needed, not at app launch.

Analytics

Analytics are opt-in only and disabled by default:

  • When disabled: No data collection whatsoever
  • When enabled: Only anonymous usage events (no PII)
  • Events tracked: app opens, feature usage (see analytics.ts)
  • No advertising identifiers or device fingerprinting

Third-Party Services

Current implementation uses:

  • No analytics services (prepared for Sentry/Amplitude if user opts in)
  • No ad networks
  • No social login providers
  • Optional news feed: Fetches public JSON from CDN (read-only)

Data Export

Users can export their data:

  • Format: JSON (plain text)
  • Contains: Projects, steps, custom glazes, photos (as file URIs)
  • No encryption in export (user responsible for secure storage)

Security Best Practices

For Users

  1. Keep your device OS updated
  2. Use device lock screen (PIN/biometric)
  3. Back up data regularly via export
  4. Be cautious when sharing exported data (may contain personal notes)

For Developers

  1. Never commit API keys or secrets to repo
  2. Review all dependency updates for vulnerabilities
  3. Run npm audit regularly
  4. Keep Expo SDK and React Native updated
  5. Test permissions on both iOS and Android

Reporting a Vulnerability

If you discover a security vulnerability:

  1. DO NOT open a public GitHub issue
  2. Email: security@potterydiaryapp.com (placeholder - replace with actual)
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

We will respond within 48 hours and work with you to resolve the issue.

Compliance

CCPA (California Consumer Privacy Act)

  • Data Collection: Minimal (only with opt-in analytics)
  • Data Sale: Never. We do not sell or share personal data.
  • User Rights: Users can delete all data by uninstalling the app or via in-app data export/delete

COPPA (Children's Online Privacy Protection Act)

  • Age Rating: 4+ (content), but app not directed at children under 13
  • No Data Collection: No PII collected from any users
  • Parental Controls: Device-level restrictions apply

App Store Requirements

  • Privacy Nutrition Label (iOS):
    • Data Not Collected: Yes (if analytics disabled)
    • Data Linked to You: No
    • Data Used to Track You: No

Changelog

v1.0.0 (2025-01-15)

  • Initial release
  • Local-only data storage
  • Opt-in analytics framework (not yet active)
  • No third-party services

Last Updated: 2025-01-15