# Privacy And Compliance

Privacy discipline for handling user data responsibly.

## Rules

1. **Collect the minimum.** Every field you store is a field you must protect, explain, and potentially delete. If you don't need it, don't collect it.

2. **PII gets identified and protected.** Names, emails, addresses, payment data, health information — know where it lives, who can access it, and how it's encrypted at rest and in transit.

3. **Deletion is a feature.** Users can request their data removed. Know what cascades, what anonymizes, and what must be retained for legal reasons. "We can't delete it" needs a documented why.

4. **Consent before tracking.** Analytics, cookies, marketing emails — opt-in where required, transparent everywhere. Silent data collection is a liability, not a growth hack.

5. **Retention limits are real.** Data older than its purpose should be purged or archived. Infinite retention of user data is infinite liability.

6. **Cross-border transfers need awareness.** Where data is stored, processed, and replicated matters for GDPR, CCPA, and sector-specific rules. Don't accidentally replicate EU user data to a non-compliant region.

## What This Replaces

Collecting everything "just in case," storing PII in logs and analytics, and treating deletion requests as edge cases.