Anonymous Intelligence Signal

YORA App Exposes Major Legal Risk: Privacy Policy Is Placeholder Notes, Not CCPA-Compliant

human The Lab unverified 2026-04-04 16:27:02 Source: GitHub Issues

The privacy policy page on the YORA app is not a legally compliant document but a placeholder containing only three bullet points of notes. The page, accessible at `/privacy`, fails to meet basic requirements of the California Consumer Privacy Act (CCPA), exposing the company to significant legal and regulatory risk. The missing elements include defined data categories, retention periods, third-party disclosures, and the explicit rights of users under CCPA, such as the rights to know, to delete, and to opt out of data sales.

The issue is traced to the source code, where the page (`app/privacy/page.tsx`) pulls its content from a constants file (`lib/constants.ts`) containing only three generic statements. These statements say that birth data is used for readings, that YORA is not professional advice, and that results are framed as patterns. This placeholder content directly contradicts the project's own Product Requirements Document (PRD), which in section 23.2 mandates a full CCPA-compliant privacy policy. The PRD explicitly requires disclosure of the collected data categories, such as name, birth details, email, IP, and device information, along with the purpose of each collection.

The gap between the placeholder and the required policy is stark. The expected legal document must outline specific data retention periods—such as 24 hours for unpaid users, permanent storage for paid users, and 30 days for emails—which are currently absent. The absence of a defined data breach notification policy further compounds the compliance failure. This oversight represents a foundational legal vulnerability for the platform, putting user data practices under immediate scrutiny and creating potential for regulatory action.