Privacy

Privacy is not a late-stage toggle — it's a schema decision from commit 1. Every Koder product collects the minimum, retains for the declared window, and hands control back to the user.

Commitment

Telemetry and error reporting default-OFF; collection only with explicit consent. Declarative retention windows (auth events 24m, error events 7d, sso sessions +90d post-expiry). Right-to-erasure via DELETE /v1/me with 24h grace + cross-service cascade. Cross-tenant access returns 404, not 403.

Canonical specs

policies/identity-data-retention.kmd · policies/error-reporting-retention.kmd · policies/multi-tenant-by-default.kmd · specs/multi-tenancy/contract.kmd · specs/errors/reporting.kmd. Owner-curated expansion will cover the per-component matrix.