Skip to content

Commit 9bec002

Browse files
authored
docs: add privacy policy hosting checklist (#435) (#482)
1 parent 53896d7 commit 9bec002

4 files changed

Lines changed: 115 additions & 0 deletions

File tree

docs/Home.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,7 @@ Welcome to the OnTime-front project documentation! This wiki contains everything
1313
- [Android Release Signing](./Android-Release-Signing.md) - Required keystore inputs and release signing validation
1414
- [Android Release Configuration](./Android-Release-Configuration.md) - Firebase config, signed AAB workflow, and Play internal deploy setup
1515
- [iOS Release Configuration](./iOS-Release-Configuration.md) - Required Dart defines and archive validation
16+
- [Privacy Policy Hosting](./Privacy-Policy-Hosting.md) - Public HTTPS privacy policy hosting checklist and evidence form
1617
- [Google Play Data Safety Worksheet](./Google-Play-Data-Safety.md) - Source-backed Data safety evidence and pending owner inputs
1718
- [Play Pre-Launch Report](./Play-Pre-Launch-Report.md) - Google Play report runbook, triage gate, and evidence template
1819
- [Release Rollout Monitoring](./Release-Rollout-Monitoring.md) - Release ownership, staged rollout gates, and post-launch monitoring

docs/Privacy-Policy-Hosting.md

Lines changed: 71 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,71 @@
1+
# Privacy Policy Hosting
2+
3+
Use this checklist to complete release issue #435 after the privacy policy text
4+
from #434 is approved.
5+
6+
## Current Status
7+
8+
- Final privacy policy URL: `TBD`
9+
- Hosting status: blocked until #434 provides approved policy text.
10+
- Release owner: `TBD`
11+
- Hosting owner: `TBD`
12+
- Last validation date: `TBD`
13+
14+
Do not mark #435 complete until the final URL is active, public, and recorded
15+
below.
16+
17+
## Hosting Requirements
18+
19+
- Host the approved policy at a public `https://` URL.
20+
- Serve the policy as a normal web page, not as a PDF or downloadable file.
21+
- Do not require login, app installation, team membership, or special network
22+
access.
23+
- Do not publish it as a publicly editable document.
24+
- Do not geofence or otherwise restrict access by country, region, device, or
25+
account.
26+
- Keep the URL stable enough to use in the Google Play privacy policy field and
27+
in the app.
28+
29+
## Recommended Hosting Flow
30+
31+
1. Confirm #434 is complete and the policy text has product/legal approval.
32+
2. Choose the final hosting surface, such as the product website or another
33+
owner-managed static site.
34+
3. Publish the approved text as a standalone HTML page.
35+
4. Validate the URL using the checklist below.
36+
5. Record the final URL in this document, comment it on #435, and use the same
37+
URL for #436 and #437.
38+
39+
## Validation Checklist
40+
41+
- [ ] The URL starts with `https://`.
42+
- [ ] A private/incognito browser session can open the page without signing in.
43+
- [ ] `curl -I <final-url>` returns a successful HTTP status.
44+
- [ ] The response is a web page and not a PDF or file download.
45+
- [ ] The page is read-only for public visitors.
46+
- [ ] The page is reachable from a non-team network.
47+
- [ ] The page is not blocked by country, account, or device restrictions.
48+
- [ ] The visible page title clearly identifies it as OnTime's privacy policy.
49+
- [ ] The page content exactly matches the approved policy text from #434.
50+
- [ ] The final URL is recorded in this document and in the #435 issue thread.
51+
52+
## Evidence Form
53+
54+
Fill this out when the page is live.
55+
56+
| Field | Value |
57+
| --- | --- |
58+
| Final privacy policy URL | `TBD` |
59+
| Approved policy source | `#434` |
60+
| Hosting surface | `TBD` |
61+
| Release owner | `TBD` |
62+
| Hosting owner | `TBD` |
63+
| Validation date | `TBD` |
64+
| HTTP status from `curl -I` | `TBD` |
65+
| Browser validation notes | `TBD` |
66+
67+
## Handoff To Follow-Up Issues
68+
69+
- #436: add the final URL as the in-app privacy policy link.
70+
- #437: enter the final URL in the Google Play Console privacy policy field.
71+
- #441: check Data safety answers against the approved policy and hosted page.

docs/Release-Checklist.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -152,6 +152,8 @@ flutter build appbundle --release
152152
target stores.
153153
- Use `docs/Google-Play-Listing-Copy.md` as the draft source for Google Play
154154
short and full descriptions until product/design approve final copy.
155+
- Use `docs/Privacy-Policy-Hosting.md` to validate and record the final public
156+
privacy policy URL before entering it in store metadata.
155157
- Use `docs/Google-Play-Listing-Graphics.md` as the checklist for Play app
156158
icon, feature graphic, screenshot asset requirements, and launcher-icon
157159
consistency evidence.
Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,41 @@
1+
# Issue 435 Privacy Policy Hosting Plan
2+
3+
Parent track: #464
4+
Sub-issue: #435 - Host the privacy policy on a public HTTPS URL
5+
6+
## Decision
7+
8+
#435 cannot be completed in this repository right now because prerequisite #434
9+
is still open and there is no approved privacy policy text to publish. Publishing
10+
also requires access to the chosen public hosting surface.
11+
12+
The repo-side work that legitimately advances #435 is to provide the release
13+
owner with a hosting checklist and evidence form, then link it from release
14+
documentation.
15+
16+
## Blockers
17+
18+
- #434 must provide product/legal-approved privacy policy text.
19+
- A human release owner must choose or confirm the hosting surface.
20+
- A human with hosting access must publish the page at the final public HTTPS
21+
URL.
22+
23+
## Implementation
24+
25+
1. Add `docs/Privacy-Policy-Hosting.md` with the hosting requirements,
26+
validation checklist, and final URL evidence form.
27+
2. Link the document from `docs/Home.md`.
28+
3. Reference the document from `docs/Release-Checklist.md` so release owners do
29+
not miss the privacy policy URL gate.
30+
31+
## Verification
32+
33+
- Run markdown/link-oriented checks only; no app code should change.
34+
- Do not run Flutter tests unless app code changes.
35+
36+
## Out Of Scope
37+
38+
- Drafting or approving the privacy policy text for #434.
39+
- Publishing a website or changing hosting infrastructure.
40+
- Adding the in-app link for #436.
41+
- Entering the URL in Play Console for #437.

0 commit comments

Comments
 (0)