legal(monthly): flag Chrome extension, PostHog identify, new sub-processors for review #4321

Open
devin-ai-integration[bot] wants to merge 1 commit into main from devin/1772330615-legal-monthly-review
@devin-ai-integration
Contributor

Summary

Monthly automated review of legal documentation against product changes from the last 30 days (Jan 30 – Mar 1, 2026). This PR adds a review report (LEGAL_REVIEW_2026_03.md) flagging 8 findings across Privacy Policy, Terms of Service, Cookie Policy, and DPA. No legal documents were modified.

The 3 HIGH-priority findings are:

  1. New Chrome extension (apps/chrome) collects Google Meet participant names, mute state, and URLs — not mentioned in any legal doc
  2. PostHog $identify now links analytics to user accounts (email/ID), but DPA still describes PostHog as "for logging clicks"
  3. Missing DPA sub-processors: Nango (OAuth), Chatwoot (support chat), and Google (Calendar/Drive) were added but are not in the sub-processor list

Review & Testing Checklist for Human

  • Verify Chrome extension data flow: Report assumes data stays local via Native Messaging. Confirm no cloud transmission occurs — this determines whether Privacy Policy needs a "local only" or "cloud" disclosure.
  • Verify Cookie Policy outdated services claim: Report flags Intercom, Zendesk, Google Ads, and Facebook Pixel as unused. This was inferred from absence in recent commits — verify these aren't still embedded in the marketing site or loaded via tag managers.
  • Verify Cactus is local-only: Report assumes Cactus STT/LLM is purely on-device. If any Cactus processing hits a remote server, it would need DPA listing.
  • Check for missed changes: The report was generated from git log --since="30 days ago" with keyword filtering. Skim the full log for anything the automated scan may have missed.
  • Forward HIGH findings to legal counsel before making any doc changes.

Notes

…, PostHog identify, new sub-processors

Co-Authored-By: bot_apk <apk@cognition.ai>
@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

@netlify
netlify bot commented Mar 1, 2026

Deploy Preview for hyprnote canceled.

Name Link
🔨 Latest commit d959a37
🔍 Latest deploy log https://app.netlify.com/projects/hyprnote/deploys/69a39ef011c1a90008712460

@netlify
netlify bot commented Mar 1, 2026

Deploy Preview for hyprnote-storybook canceled.

Name Link
🔨 Latest commit d959a37
🔍 Latest deploy log https://app.netlify.com/projects/hyprnote-storybook/deploys/69a39ef0e2e3f80008e594c9
