@oscarvz

@oscarvz oscarvz commented Oct 30, 2025

Adds privacy policy to /privacy-policy

Summary by CodeRabbit

  • New Features
    • Added a new Privacy Policy page providing privacy and data handling information for the application.

@coderabbitai

coderabbitai bot commented Oct 30, 2025

Walkthrough

A new privacy policy page is added to the Astro site at src/pages/privacy-policy.astro. The page uses StarlightPage layout and includes a Termly policy embed with a script that loads the Termly SDK while preventing duplicate initializations.

Changes

Cohort / File(s): New Privacy Policy Page
  • src/pages/privacy-policy.astro: Adds privacy policy page with StarlightPage template, Termly embed placeholder div, and self-invoking script to load Termly policy SDK with duplicate-load guard

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

  • Review for proper Astro page structure and frontmatter configuration
  • Verify Termly SDK script guard logic prevents duplicate loading
  • Confirm external script source URL is correct and secure

Poem

🐰 A privacy page hops into view,
Termly's shield now shines through,
With guards to stop the script replay,
Protection blooms, hooray! Hooray! 🌿

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00%, which is insufficient. The required threshold is 80.00%. Resolution: You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
  • Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title Check (✅ Passed): The title "Add privacy policy" is concise, clear, and directly reflects the main change in the pull request. The changeset adds a single new Astro page file at src/pages/privacy-policy.astro that implements a privacy policy page with Termly SDK integration. The title accurately captures this primary change without vague language or unnecessary details, and it is specific enough that a teammate reviewing the repository history would immediately understand that a privacy policy page was added to the project.
✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch fp-5354-add-privacy-policy-to-new-docs

Comment @coderabbitai help to get the list of available commands and usage tips.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f2e4e8d and 498052e.

📒 Files selected for processing (1)
  • src/pages/privacy-policy.astro (1 hunks)
🔇 Additional comments (2)
src/pages/privacy-policy.astro (2)

1-11: LGTM!

The Starlight page configuration is appropriate for a privacy policy page.


12-13:

Termly's official documentation specifies the name="termly-embed" attribute is required for the embed to function. The @ts-expect-error comment appropriately suppresses TypeScript's validation error for this necessary non-standard attribute. Using id instead would break the Termly embed functionality. The code is correct as written.

Likely an incorrect or invalid review comment.

Comment on lines +12 to +28
<!-- @ts-expect-error Termly won't render without ¯\_(ツ)_/¯ -->
<div name="termly-embed" data-id="a410debf-2132-4f59-9a6e-9de1f47295ff"></div>

<script>
(function (d, s, id) {
var js,
tjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s);

if (js instanceof HTMLScriptElement && tjs.parentNode) {
js.id = id;
js.src = "https://app.termly.io/embed-policy.min.js";
tjs.parentNode.insertBefore(js, tjs);
}
})(document, "script", "termly-jssdk");
</script>
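Review bot: `tjs = d.getElementsByTagName(s)[0]` is `undefined` whenever the document contains no other `<script>` element, and the condition `js instanceof HTMLScriptElement && tjs.parentNode` then throws a TypeError before the guard can do anything; check the element first, e.g. `if (!tjs || !tjs.parentNode) return;`, or fall back to `d.head.appendChild(js)`. The `instanceof HTMLScriptElement` test cannot fail for `d.createElement("script")` and exists only to narrow the type, so a short comment saying so would save the next reader from wondering what case it handles.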

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Consider privacy implications of third-party embed.

Loading a third-party service (Termly) on your privacy policy page may result in user tracking or data collection by Termly. Ensure this is compliant with your privacy policy and consider whether visitors should be notified.

You may want to review Termly's privacy practices:


🌐 Web query:

What data does Termly collect from embed-policy.min.js visitors?

💡 Result:

Short answer — Termly's embed-policy.min.js (the script used to embed Termly-hosted policies) collects minimal visitor and device/usage data needed to render and log consent. According to Termly's docs and privacy info this includes things like:

  • consent logs and cookie preferences (what the visitor accepted/declined). [1][2]
  • technical/browser/device identifiers: IP address, browser and device characteristics, OS, language, user-agent. [1][3]
  • request/usage metadata: referring URL, timestamps, pages visited and other basic log/usage data. [1][3]
    Termly also says it minimizes/anonymizes visitor data and offers an EU-only data storage option for consents. [1][2]

Sources: Termly support & privacy pages summarizing “visitor data” and embed usage. [1][2][3]



---

🏁 Script executed:

```shell
#!/bin/bash
# Check the full privacy-policy.astro file for any disclosure about Termly or third-party tracking
cat src/pages/privacy-policy.astro | head -80
```

Length of output: 812


Ensure Termly's data collection is properly disclosed on the privacy policy page.

The privacy-policy.astro file loads Termly's embed script without visible disclosure. Termly collects consent logs, IP address, browser and device identifiers, OS, language, user-agent, referring URLs, timestamps, and pages visited. Since visitors come to this page specifically to review privacy practices, consider adding a disclosure about this third-party tracking or verify that Termly's hosted policy embedded on this page adequately discloses this data collection.

Comment on lines +15 to +28
<script>
(function (d, s, id) {
var js,
tjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s);

if (js instanceof HTMLScriptElement && tjs.parentNode) {
js.id = id;
js.src = "https://app.termly.io/embed-policy.min.js";
tjs.parentNode.insertBefore(js, tjs);
}
})(document, "script", "termly-jssdk");
</script>
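Review bot: the element built at `js = d.createElement(s)` is given only `id` and `src`; if an `integrity` attribute is later added to this include (the self-hosting option raised in this review), `js.crossOrigin = "anonymous"` must be set as well before `insertBefore`, because a browser cannot verify integrity on an opaque cross-origin response and will refuse to run the script. Setting `crossOrigin` now costs nothing and turns the later hardening into a one-line change.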

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Add Subresource Integrity (SRI) for external script.

Loading the Termly SDK without Subresource Integrity verification creates a security risk. If the external domain is compromised, malicious code could be injected into your privacy policy page.

Consider adding SRI attributes. First, check Termly's documentation for their recommended implementation:

If SRI is not available from Termly, consider these alternatives:

  1. Host the Termly script on your own CDN with SRI
  2. Implement a Content Security Policy (CSP) to restrict script sources
  3. Contact Termly support to request SRI support

Additionally, verify your site's CSP allows scripts from app.termly.io:


🏁 Script executed:

```shell
#!/bin/bash
# Description: Check for Content Security Policy configuration

echo "Searching for CSP configuration..."
rg -n "Content-Security-Policy" -A 5
rg -n "script-src" -A 3
```

Length of output: 34


🌐 Web query:

Does Termly provide Subresource Integrity hash for embed-policy.min.js?

💡 Result:

Short answer: No — Termly’s documentation and embed snippets do not provide a Subresource Integrity (integrity) hash for embed-policy.min.js. Their examples use a plain src to https://app.termly.io/embed-policy.min.js (or newer app.termly.io resource URLs) without an integrity attribute. [1][2]

If you need SRI, you can fetch the file yourself, compute the SHA256/384/512 hash, and add an integrity attribute — but note that Termly may update that hosted file (breaking the hash) unless you self-host a stable copy. [1][2]

Sources:

  • Termly embed (React) example showing script src (no integrity). [1]
  • Termly CMP embed script versions (lists hosted script URLs; no integrity/hash provided). [2]

I need to check for CSP configuration at the deployment/build level, as it may not be in the source code directly.


🏁 Script executed:

```shell
#!/bin/bash
# Description: Search for deployment and build configuration files

echo "Searching for deployment configuration files..."
# fd matches a regex against the file name; list the candidate config files in one pattern
fd '^(astro\.config\.(mjs|ts|js)|netlify\.toml|vercel\.json|_headers|_redirects)$' 2>/dev/null

echo ""
echo "Checking for astro integrations or middleware that might set headers..."
rg -n "setHeader|addHeader|middleware" --type ts --type js -B 2 -A 2 2>/dev/null | head -30

echo ""
echo "Looking for security-related configuration..."
rg -n "secure|security|header" --type ts --type js --type toml --type json -i 2>/dev/null | head -20
```

Length of output: 167


Add Subresource Integrity (SRI) or implement Content Security Policy for external Termly script.

Termly does not provide a Subresource Integrity (integrity) hash for embed-policy.min.js, and no Content Security Policy is configured in the codebase to restrict the script source. Loading this external script without protection creates a security risk—if app.termly.io is compromised, malicious code could be injected.

Recommended mitigations:

  1. Self-host the Termly script on your own CDN with SRI verification
  2. Implement a Content Security Policy (CSP) header to restrict script-src to approved domains
  3. Contact Termly support to request they provide an SRI hash for the hosted script
🤖 Prompt for AI Agents
In src/pages/privacy-policy.astro around lines 15 to 28 the external Termly
script is injected without Subresource Integrity or any Content Security Policy,
exposing the app to supply-chain/script injection risk; fix this by either
self-hosting the embed-policy.min.js on your CDN and adding an integrity hash
and crossorigin attribute to the script include, or implement a CSP header (or
meta CSP) that restricts script-src to trusted origins and/or uses nonces for
inline script execution; if you must keep the remote script, request an SRI hash
from Termly and include it (or else add a strict CSP that only allows
app.termly.io and your CDN), and ensure you test that the script still loads and
that crossorigin is set appropriately for SRI verification.

@oscarvz

oscarvz commented Oct 30, 2025

We're doing it directly in Framer so no need for this approach!

@oscarvz oscarvz closed this Oct 30, 2025
@oscarvz oscarvz deleted the fp-5354-add-privacy-policy-to-new-docs branch October 30, 2025 16:01
