# Missing or incomplete privacy policy
A privacy policy explains what data your app collects, how you use it, and how users can see or delete it. It is not optional for any app that takes signups, uses analytics, or accepts payments.
## What goes wrong
Many vibe-coded apps either skip the privacy policy entirely or paste a generic template with placeholder text still in it. Phrases like [COMPANY NAME] or [YOUR EMAIL] are red flags. So is a link in the footer that points to a 404.
## Why it matters
Stripe will refuse to activate live mode without a privacy policy reachable from your site. Google OAuth verification requires one as well. On the legal side, GDPR fines for EU users start at four percent of global revenue, and CCPA gives California users the right to sue directly. None of that is theoretical for a paid product.
## How Heimdall checks for this
Heimdall looks for a file or route with privacy in the name, fetches its contents, and checks whether it is real text or template scaffolding with placeholder tokens. It also reads your layout and footer files to verify the policy is linked somewhere a user can actually find it.
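The check described above, written out as an added example so you can see what the three steps (locate a privacy file or route, test its contents for template scaffolding, confirm a layout or footer links to it) look like in code. This is not Heimdall's own implementation; the placeholder token list, the 150-word stub threshold, the `layout`/`footer` file-name hints and the two sample repos are all constructed for this example.

```python
"""Minimal privacy-policy check over a repository tree (added example, not Heimdall's code)."""
from __future__ import annotations

import re
from pathlib import Path

# Tokens that betray an unedited template. Constructed list for this example.
PLACEHOLDER_RE = re.compile(
    r"\[(?:COMPANY[ _]?NAME|YOUR[ _]?(?:EMAIL|COMPANY|NAME)|WEBSITE[ _]?URL|INSERT[^\]]*)\]"
    r"|\{\{\s*company_name\s*\}\}|lorem ipsum",
    re.IGNORECASE,
)
# An anchor whose href contains "privacy"; good enough for HTML, JSX and most templating languages.
LINK_RE = re.compile(r'href\s*=\s*["\']([^"\']*privacy[^"\']*)["\']', re.IGNORECASE)
MIN_WORDS = 150                      # assumed threshold: shorter "policies" are almost always stubs
LAYOUT_HINTS = ("layout", "footer")  # assumed: where a site-wide footer link usually lives


def load_repo(root: Path) -> dict[str, str]:
    """Read a checkout into {relative_path: text}, skipping .git and non-UTF-8 (binary) files."""
    files: dict[str, str] = {}
    for p in root.rglob("*"):
        if p.is_file() and ".git" not in p.parts:
            try:
                files[p.relative_to(root).as_posix()] = p.read_text(encoding="utf-8")
            except UnicodeDecodeError:
                continue
    return files


def find_policy_files(files: dict[str, str]) -> list[str]:
    """Step 1: any file or route whose path mentions 'privacy' (e.g. app/privacy/page.tsx)."""
    return sorted(path for path in files if "privacy" in path.lower())


def classify_policy(text: str) -> dict:
    """Step 2: real text, or template scaffolding with placeholder tokens left in?"""
    placeholders = sorted({m.group(0) for m in PLACEHOLDER_RE.finditer(text)})
    words = len(text.split())
    return {"placeholders": placeholders, "word_count": words,
            "real": not placeholders and words >= MIN_WORDS}


def find_policy_links(files: dict[str, str]) -> list[tuple[str, str]]:
    """Step 3: links to a privacy route inside layout/footer files, as (file, href) pairs."""
    hits: list[tuple[str, str]] = []
    for path, text in files.items():
        if any(hint in Path(path).name.lower() for hint in LAYOUT_HINTS):
            hits.extend((path, m.group(1)) for m in LINK_RE.finditer(text))
    return hits


def check_repo(files: dict[str, str]) -> dict:
    """Run all three steps and return the findings; 'passed' is True only when nothing was flagged."""
    findings: list[str] = []
    policies = find_policy_files(files)
    if not policies:
        findings.append("no file or route with 'privacy' in its name")
    for path in policies:
        result = classify_policy(files[path])
        if result["placeholders"]:
            findings.append(f"{path}: placeholder tokens left in: {', '.join(result['placeholders'])}")
        elif result["word_count"] < MIN_WORDS:
            findings.append(f"{path}: only {result['word_count']} words, looks like a stub")
    links = find_policy_links(files)
    if not links:
        findings.append("no layout/footer file links to a privacy route")
    return {"policies": policies, "links": links, "findings": findings, "passed": not findings}


# Two constructed sample repos: one with an unedited template and no footer link, one that passes.
TEMPLATE_REPO = {
    "app/privacy/page.tsx": "export default function Privacy() { return <p>[COMPANY NAME] collects "
                            "your data. Contact [YOUR EMAIL] with questions.</p> }",
    "app/layout.tsx": "<footer><a href='/terms'>Terms</a></footer>",
}
CLEAN_REPO = {
    "app/privacy/page.tsx": "We collect your email address at signup and use it only to send receipts "
                            "and account notices. You can delete your account from Settings. " * 15,
    "components/Footer.tsx": '<footer><a href="/privacy">Privacy Policy</a></footer>',
}

if __name__ == "__main__":
    import sys
    files = load_repo(Path(sys.argv[1])) if len(sys.argv) > 1 else TEMPLATE_REPO
    for line in check_repo(files)["findings"] or ["privacy policy check passed"]:
        print(line)
```

Run it with a checkout path as the first argument to scan a real repo, or with no argument to see the findings for the constructed template repo. The path match in step 1 is deliberately loose (any path containing `privacy`) because a Next.js route such as `app/privacy/page.tsx` has no `privacy` in its file name; the link check is restricted to layout and footer files because a link buried on one inner page does not satisfy the "somewhere a user can actually find it" requirement.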
## How to fix it
Use a tool like Termly, iubenda, or Pocket Lawyer to generate a real policy customized to your data flows. Replace every placeholder with your actual company name, contact email, and the specific data you collect. Link it from the global footer, the signup form, and the bottom of any page that captures user data.
## Frequently asked questions
Can I just copy another company's privacy policy?
Do I need a privacy policy if I only collect emails?
Where should the privacy policy link appear?
## Run this check on your own repo
Heimdall scans your GitHub repo for this and 16 other issues in under a minute.
