
Privacy & compliance

Patterns for handling sensitive data with dignity and a clear audit trail, especially for HealthOS, FinanceOS, CampusOS and HospitalityOS. The components live in components/privacy/; this guide covers when and how to use them.

Components

| Component | Use for |
| --- | --- |
| MaskedField | Display a sensitive value masked, with explicit reveal + copy (card numbers, SSN, DOB, API keys). |
| SensitivityTag | Classify a field/record: PII · PHI · financial · confidential · restricted. |
| ConsentBanner | First-visit consent with balanced accept / reject / manage; reject is never harder than accept. |
| AuditLogEntry | One immutable entry in an access/change trail (who, what, when, from where). |
| SessionTimeoutDialog | Inactivity countdown with stay-signed-in / sign-out. |

Sensitive-data rules

  • Mask by default, reveal on intent. Sensitive values render masked, and "masked" means the full value is not in the DOM at all (no hidden input, data attribute or title holding it). Revealing is a deliberate action, is logged, and re-masks on blur or navigation. Never log the revealed value to the console or analytics.
  • Classify visibly. Pair sensitive regions with a SensitivityTag so users and reviewers see the data class. Tags are labelled, not colour-only.
  • Least exposure. Show the minimum (last 4 digits, initials). Full values appear only on explicit reveal or in the one screen that needs them.
  • Redaction in shared/exported/printed views replaces the value with •••• in the data itself; a CSS blur or low-contrast style is not redaction, because the original text is still in the page and in anything exported from it.
  • Copy carefully. Copy-to-clipboard is allowed while a field is masked and is audited like a reveal; the confirmation says only "Copied" and never echoes the value in a toast, tooltip or log.

Consent

  • Accept, reject and manage are equally prominent: no dark patterns, no pre-ticked non-essential boxes.
  • State what's collected and why in plain language (see CONTENT.md); link to the full policy.
  • Persist the choice; offer an always-available "Privacy settings" entry to change it later.
  • Essential vs optional is separated; essential is explained, not bundled.
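The consent rules above, as an added example of the decision and persistence model behind a ConsentBanner. This is illustration code, not the design system's own implementation; the category ids and purposes, the `privacy.consent` storage key, the record shape and the `KeyValueStore` seam are all assumptions.

```typescript
// Added example, not the design system's own code: the decision and
// persistence model behind a ConsentBanner. Category ids, purposes, the
// storage key and the record shape are assumptions for illustration.

interface ConsentCategory {
  readonly id: string;
  readonly essential: boolean;
  readonly purpose: string; // plain-language "what and why", shown in the banner
}

const CATEGORIES: readonly ConsentCategory[] = [
  { id: "session", essential: true, purpose: "Keeps you signed in and protects your account." },
  { id: "analytics", essential: false, purpose: "Shows us which features are used, so we can improve them." },
  { id: "marketing", essential: false, purpose: "Lets us show offers based on how you use the service." },
];

type Choices = Record<string, boolean>;

interface ConsentRecord {
  readonly policyVersion: number; // bump when the policy or the categories change
  readonly decidedAt: string;     // ISO 8601
  readonly choices: Choices;
}

// Starting state of the "manage" view: essential is on and cannot be toggled,
// every optional category is off, so nothing is pre-ticked.
function defaultChoices(): Choices {
  const choices: Choices = {};
  for (const cat of CATEGORIES) choices[cat.id] = cat.essential;
  return choices;
}

// Normalise requested choices: essential stays on, unknown ids are dropped,
// and anything that is not an explicit true is treated as off.
function applyChoices(requested: Choices): Choices {
  const choices = defaultChoices();
  for (const cat of CATEGORIES) {
    if (!cat.essential && cat.id in requested) choices[cat.id] = requested[cat.id] === true;
  }
  return choices;
}

type Decision =
  | { kind: "accept" }                    // one click: everything on
  | { kind: "reject" }                    // one click: essential only, never harder than accept
  | { kind: "manage"; choices: Choices }; // explicit per-category choices

function choicesFor(decision: Decision): Choices {
  if (decision.kind === "accept") {
    const all: Choices = {};
    for (const cat of CATEGORIES) all[cat.id] = true;
    return applyChoices(all);
  }
  if (decision.kind === "manage") return applyChoices(decision.choices);
  return defaultChoices();
}

function decide(decision: Decision, policyVersion: number, now: Date): ConsentRecord {
  return Object.freeze({ policyVersion, decidedAt: now.toISOString(), choices: choicesFor(decision) });
}

// Storage seam so the model runs outside a browser; the app would back this
// with localStorage or a server-side preference so the choice persists.
interface KeyValueStore {
  get(key: string): string | null;
  set(key: string, value: string): void;
}

const CONSENT_KEY = "privacy.consent";

function saveConsent(store: KeyValueStore, record: ConsentRecord): void {
  store.set(CONSENT_KEY, JSON.stringify(record));
}

// null means "show the banner": nothing stored, unreadable, or decided under an
// older policy. Stored choices are re-normalised, so an edited record cannot
// switch essential off or smuggle in categories that no longer exist.
function loadConsent(store: KeyValueStore, policyVersion: number): ConsentRecord | null {
  const raw = store.get(CONSENT_KEY);
  if (raw === null) return null;
  try {
    const parsed = JSON.parse(raw) as Partial<ConsentRecord>;
    if (parsed.policyVersion !== policyVersion || typeof parsed.decidedAt !== "string") return null;
    return {
      policyVersion,
      decidedAt: parsed.decidedAt,
      choices: applyChoices(parsed.choices ?? {}),
    };
  } catch (_err) {
    return null;
  }
}
```

The banner shows the result of `loadConsent` being null; the "Privacy settings" entry reopens the manage view pre-filled from the stored record. Because `applyChoices` runs on both write and read, the same normalisation guards the UI path and whatever comes back from storage.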

Audit & impersonation

  • High-sensitivity reads/writes append an AuditLogEntry (actor, action, target, timestamp, origin). The trail is append-only: entries are never edited or deleted from the UI, and it is shown newest first. Record the target (field or record id), never the value itself.
  • Admin impersonation shows a persistent banner ("You are viewing as …") for the whole session and is always audited.
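The masking, reveal, copy and audit rules above, as one added example that is not part of the design system's code: a MaskedField controller that keeps the real value private, masks to the last four characters, re-masks on blur, and records every reveal and copy in an append-only trail that stores the target but never the value. The names (`maskValue`, `redactForExport`, `AuditTrail`, `MaskedFieldController`, the `Viewer` shape with an `impersonating` field) are assumptions for illustration.

```typescript
// Added example, not the design system's own code: the logic behind a
// MaskedField reveal, wired to an append-only audit trail so that every reveal
// and copy is recorded without the value itself. All names here are assumed
// for illustration.

type Sensitivity = "PII" | "PHI" | "financial" | "confidential" | "restricted";

interface AuditLogEntry {
  readonly actor: string;          // who
  readonly action: string;         // what
  readonly target: string;         // which field or record, never its value
  readonly timestamp: string;      // when, ISO 8601
  readonly origin: string;         // from where (route, device, IP)
  readonly impersonating?: string; // set when an admin is acting as another user
}

// Least exposure: show only the last `keep` characters; values no longer than
// `keep` are masked entirely so a short secret is never shown in full.
function maskValue(value: string, keep = 4): string {
  const shown = value.length > keep ? value.slice(-keep) : "";
  return "•".repeat(value.length - shown.length) + shown;
}

// Export/print/share: tagged fields are replaced outright in the data, so
// nothing reversible is left behind in the exported document.
function redactForExport(
  record: Record<string, string>,
  tags: Record<string, Sensitivity>,
): Record<string, string> {
  const out: Record<string, string> = {};
  for (const field of Object.keys(record)) {
    out[field] = field in tags ? "••••" : record[field];
  }
  return out;
}

// Append-only trail: entries are frozen on write and read back newest first.
class AuditTrail {
  private readonly log: AuditLogEntry[] = [];
  private readonly now: () => Date;

  constructor(now: () => Date) {
    this.now = now;
  }

  append(entry: Omit<AuditLogEntry, "timestamp">): AuditLogEntry {
    const frozen = Object.freeze({ ...entry, timestamp: this.now().toISOString() });
    this.log.push(frozen);
    return frozen;
  }

  // Reverse-chronological snapshot; the internal array is never handed out.
  entries(): readonly AuditLogEntry[] {
    return [...this.log].reverse();
  }
}

interface Viewer {
  actor: string;
  origin: string;
  impersonating?: string;
}

// Holds the real value privately; the UI only ever reads display().
class MaskedFieldController {
  private readonly target: string; // e.g. "patient:42/ssn"
  private readonly value: string;
  private readonly trail: AuditTrail;
  private revealed = false;

  constructor(target: string, value: string, trail: AuditTrail) {
    this.target = target;
    this.value = value;
    this.trail = trail;
  }

  display(): string {
    return this.revealed ? this.value : maskValue(this.value);
  }

  // Deliberate reveal: audited with the target and the viewer, never the value.
  reveal(viewer: Viewer): void {
    this.revealed = true;
    this.trail.append({ ...viewer, action: "reveal", target: this.target });
  }

  // Blur or navigation re-masks; no second audit entry is needed for that.
  blur(): void {
    this.revealed = false;
  }

  // Copy is permitted while masked and is audited like a reveal. The caller
  // writes `clipboard` to the clipboard and shows only the neutral toast text,
  // so the value is never echoed in the UI.
  copy(viewer: Viewer): { clipboard: string; toast: string } {
    this.trail.append({ ...viewer, action: "copy", target: this.target });
    return { clipboard: this.value, toast: "Copied" };
  }
}
```

The impersonation banner comes from the same `Viewer.impersonating` field: while it is set, every entry the admin generates carries it, which is what makes an impersonated session auditable end to end.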

Sessions & secure input

  • SessionTimeoutDialog warns before timeout with a live countdown and a clear way to stay; on timeout, return to a safe signed-out state.
  • Guest data reset (hotel TV): on checkout, clear all guest state, history and credentials from the device — see TV_AND_CINEMA.md.
  • Secure uploads state constraints up front and confirm on success; payment messages are precise and never hype (see CONTENT.md).
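The SessionTimeoutDialog behaviour above, as an added example that is not the design system's own code: a controller with the clock injected so the warn-then-sign-out sequence can be driven deterministically. The thresholds, the `onTimeout` hook and the decision that ordinary activity does not dismiss an open warning (only the dialog's explicit "Stay signed in" does) are assumptions for illustration.

```typescript
// Added example, not the design system's own code: the state behind a
// SessionTimeoutDialog, with the clock injected so the countdown can be
// driven deterministically. Thresholds, names and the onTimeout hook are
// assumptions for illustration.

type SessionState = "active" | "warning" | "signed-out";

interface Countdown {
  readonly state: SessionState;
  readonly secondsLeft: number; // what the dialog renders while warning
}

class SessionTimeoutController {
  private readonly idleMs: number;
  private readonly warnBeforeMs: number;
  private readonly now: () => number;
  private readonly onTimeout: () => void;
  private lastActivity: number;
  private state: SessionState = "active";

  constructor(opts: { idleMs: number; warnBeforeMs: number; now: () => number; onTimeout: () => void }) {
    this.idleMs = opts.idleMs;
    this.warnBeforeMs = opts.warnBeforeMs;
    this.now = opts.now;
    this.onTimeout = opts.onTimeout;
    this.lastActivity = opts.now();
  }

  // Ordinary activity (typing, clicks) extends the session only while no
  // warning is showing, so a stray mouse move cannot dismiss the dialog.
  activity(): void {
    if (this.state === "active") this.lastActivity = this.now();
  }

  // The dialog's explicit "Stay signed in" action.
  stay(): void {
    if (this.state === "signed-out") return;
    this.lastActivity = this.now();
    this.state = "active";
  }

  // Explicit "Sign out" from the dialog, or reached on timeout. onTimeout runs
  // exactly once; it is where tokens, form state and caches get cleared so the
  // app lands in a safe signed-out state.
  signOut(): void {
    if (this.state === "signed-out") return;
    this.state = "signed-out";
    this.onTimeout();
  }

  // Poll this from an interval; the return value is all the dialog needs.
  tick(): Countdown {
    if (this.state === "signed-out") return { state: "signed-out", secondsLeft: 0 };
    const remaining = this.idleMs - (this.now() - this.lastActivity);
    if (remaining <= 0) {
      this.signOut();
      return { state: "signed-out", secondsLeft: 0 };
    }
    this.state = remaining <= this.warnBeforeMs ? "warning" : "active";
    return { state: this.state, secondsLeft: Math.ceil(remaining / 1000) };
  }
}

// Constructed walk-through on a fake clock: 10-minute idle limit, 60-second warning.
function simulateSession(): { states: SessionState[]; signOuts: number } {
  let clock = 0;
  let signOuts = 0;
  const session = new SessionTimeoutController({
    idleMs: 10 * 60000,
    warnBeforeMs: 60000,
    now: () => clock,
    onTimeout: () => { signOuts++; },
  });
  const states: SessionState[] = [];
  clock = 5 * 60000; session.activity(); states.push(session.tick().state); // fresh activity: active
  clock = 14 * 60000 + 5000; states.push(session.tick().state);             // 9:05 idle: warning
  session.activity(); states.push(session.tick().state);                    // activity ignored: still warning
  session.stay(); states.push(session.tick().state);                        // explicit stay: active again
  clock += 10 * 60000; states.push(session.tick().state);                   // limit reached: signed-out
  session.activity(); states.push(session.tick().state);                    // nothing revives it
  return { states, signOuts };
}
```

On a hotel TV the `onTimeout` hook is also the natural place to trigger the guest reset described above, so a session that simply expires clears the same state as an explicit checkout.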

Compliance copy

  • Explain in plain terms what data is used for; no legalese in the primary path (link to it).
  • A PII/PHI warning states the risk and the safe action, without alarm.
  • Never blame the user for a security event; state what happened and the next step.

Compliance checklist

  • Sensitive values masked by default; reveal is explicit, logged, re-masks.
  • Sensitive regions carry a labelled SensitivityTag.
  • Consent: accept/reject/manage equally prominent; no pre-ticked options.
  • Sensitive actions write an immutable audit entry; impersonation is bannered.
  • Session timeout warns + recovers safely; guest reset clears device state.
  • All copy passes CONTENT.md; contrast + a11y pass QA.md.