
gdpr · listed

Use when building, shipping, or auditing one of my B2C apps for GDPR/privacy — classify the data posture (offline / Supabase-backed / ships-to-AI-processor), run the decision gates (personal data? lawful basis? processor DPA? transfer? minimization? DSR/erasure?), add a privacy notice, and add privacy-first cookieless analytics without triggering a consent requirement. EU GDPR; references security-bar for the security controls.
Endika/eskills · ★ 0 · AI & Automation · score 75
Install: claude install-skill Endika/eskills
# gdpr

## Overview

Practical GDPR/privacy for my B2C PWAs — **not legal advice**, an engineering checklist. First classify the app's **data posture**, then run the **decision gates**, then apply the guidance for the gaps. Security controls (RLS, secrets, open-write) live in `security-bar` — referenced, not restated. This skill owns privacy/compliance: lawful basis, minimization, retention, data-subject rights, processors, transfers, the privacy notice, and analytics.

## When to use

- Building or shipping a feature that collects/stores/transmits personal data.
- Auditing an existing app for GDPR gaps, or writing its privacy notice.
- Choosing/adding analytics (read the analytics section first — it's coupled to consent).

## Step 1 — classify the data posture

My fleet splits three ways; the posture decides how much applies:

1. **Offline / on-device** (e.g. kartaak, converthub) — no server, no egress of user data. **Privacy by architecture.** GDPR surface ≈ minimal; the win is _stating_ it (a "runs on your device, we collect nothing" notice = trust + the easy compliance win).
2. **Server-backed** (e.g. EventSplit, Monete — Supabase) — I'm a **controller**. Personal data of users _and third parties_ (e.g. friends added to an event who never interacted with me). This is the real surface: lawful basis, minimization, retention, DSR, RLS.
3. **Client-side but ships to third-party processors** (e.g. mintza → OpenAI/Anthropic/Google/Azure) — heaviest: multiple **p