UNPKG

@openpolicy/sdk

Version:

Public API for defining privacy policies with OpenPolicy

github.com/jamiedavenport/openpolicy

jamiedavenport/openpolicy

150 lines (112 loc) 6.56 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
# PrivacyPolicyConfig Field Reference All fields below live at the top level of `OpenPolicyConfig` (the object passed to `defineConfig()`) alongside `company`. OpenPolicy auto-detects the privacy policy from the presence of privacy-specific fields. ## PrivacyPolicyConfig | Field | Type | Required | Notes | |---|---|---|---| | `effectiveDate` | `string` | Yes | ISO date string (e.g. `"2026-01-01"`). Validation fails if empty. | | `dataCollected` | `Record<string, string[]>` | Yes | At least one entry required. Keys are category labels; values are arrays of data point labels. Use `DataCategories.*` presets or spread `dataCollected` sentinel. | | `legalBasis` | `LegalBasis \| LegalBasis[]` | Yes (GDPR) | Required when `"eu"` is in `jurisdictions`. Accepts a single value or array. | | `retention` | `Record<string, string>` | Yes | Keys should match `dataCollected` categories. Use `Retention.*` preset strings. | | `cookies` | `{ essential: boolean; analytics: boolean; marketing: boolean }` | Yes | All three booleans required. Drives cookie policy sections. | | `thirdParties` | `{ name: string; purpose: string; policyUrl?: string }[]` | Yes | Can be empty array. Use `Providers.*` presets or spread `thirdParties` sentinel. | | `jurisdictions` | `Jurisdiction[]` | Yes | Controls which jurisdiction-specific sections appear and drives the auto-derived user rights list. See values below. | | `children` | `{ underAge: number; noticeUrl?: string }` | No | Include when service is directed at children. `underAge` must be a positive integer. | ### LegalBasis values | Constant | String value | |---|---| | `LegalBases.Consent` | `"consent"` | | `LegalBases.Contract` | `"contract"` | | `LegalBases.LegalObligation` | `"legal_obligation"` | | `LegalBases.VitalInterests` | `"vital_interests"` | | `LegalBases.PublicTask` | `"public_task"` | | `LegalBases.LegitimateInterests` | `"legitimate_interests"` | ### Jurisdiction values | Value | Region | |---|---| | `"us"` | United States | | `"eu"` | European Union (triggers GDPR sections) | | `"ca"` | California, USA (triggers CCPA sections) | | `"au"` | Australia | | `"nz"` | New Zealand | | `"other"` | Other / unspecified | ### User rights (auto-derived) User rights are **not** a config field — they are derived from `jurisdictions` at compile time. | Jurisdiction | Rights granted | |---|---| | `"eu"` (GDPR) | access, rectification, erasure, portability, restriction, objection | | `"ca"` (CCPA) | access, erasure, opt_out_sale, non_discrimination | | `"us"`, `"au"`, `"nz"`, `"other"` | ∅ (no baseline) | When multiple jurisdictions are declared, the rights are unioned and rendered in a fixed canonical order. ### DataCategories presets Each entry is a `Record<string, string[]>` safe to spread into `dataCollected`: | Constant | Category label | Data points | |---|---|---| | `DataCategories.AccountInfo` | `"Account Information"` | Name, Email address | | `DataCategories.SessionData` | `"Session Data"` | IP address, User agent, Browser type | | `DataCategories.PaymentInfo` | `"Payment Information"` | Card last 4 digits, Billing name, Billing address | | `DataCategories.UsageData` | `"Usage Data"` | Pages visited, Features used, Time spent | | `DataCategories.DeviceInfo` | `"Device Information"` | Device type, Operating system, Browser version | | `DataCategories.LocationData` | `"Location Data"` | Country, City, Timezone | | `DataCategories.Communications` | `"Communications"` | Email content, Support tickets | ### Retention presets | Constant | String value | |---|---| | `Retention.UntilAccountDeletion` | `"Until account deletion"` | | `Retention.UntilSessionExpiry` | `"Until session expiry"` | | `Retention.ThirtyDays` | `"30 days"` | | `Retention.NinetyDays` | `"90 days"` | | `Retention.OneYear` | `"1 year"` | | `Retention.ThreeYears` | `"3 years"` | | `Retention.AsRequiredByLaw` | `"As required by applicable law"` | ### Providers presets Each entry is a `{ name: string; purpose: string; policyUrl: string }` safe to use in `thirdParties`: **Payments:** `Providers.Stripe`, `Providers.Paddle`, `Providers.LemonSqueezy`, `Providers.PayPal` **Analytics:** `Providers.GoogleAnalytics`, `Providers.PostHog`, `Providers.Plausible`, `Providers.Mixpanel` **Infrastructure:** `Providers.Vercel`, `Providers.Cloudflare`, `Providers.AWS` **Auth:** `Providers.Auth0`, `Providers.Clerk` **Email:** `Providers.Resend`, `Providers.Postmark`, `Providers.SendGrid`, `Providers.Loops` **Monitoring:** `Providers.Sentry`, `Providers.Datadog` ### Compliance presets | Preset | Expands to | |---|---| | `Compliance.GDPR` | `{ jurisdictions: ["eu"], legalBasis: ["legitimate_interests"] }` | | `Compliance.CCPA` | `{ jurisdictions: ["ca"] }` | ### Validation behavior - `effectiveDate` empty → fatal error - `company.*` fields empty → fatal error per field - `dataCollected` has zero keys → fatal error - `"eu"` in jurisdictions + no `legalBasis` → fatal error - `children.underAge`0 → fatal error Source: `packages/core/src/validate.ts` --- ## CookiePolicyConfig All fields below live at the top level of `OpenPolicyConfig` (the object passed to `defineConfig()`) alongside `company`. OpenPolicy auto-detects the cookie policy from the presence of `cookies`, `consentMechanism`, or `trackingTechnologies`. | Field | Type | Required | Notes | |---|---|---|---| | `effectiveDate` | `string` | Yes | ISO date string. Shared with privacy policy. | | `cookies` | `CookiePolicyCookies` | Yes | `essential: boolean` is required; all other keys are `boolean` and treated as additional cookie categories. | | `jurisdictions` | `Jurisdiction[]` | Yes | Same values as the privacy policy. Shared at the top level. | | `thirdParties` | `{ name: string; purpose: string; policyUrl?: string }[]` | No | Use `Providers.*` presets. Shared with privacy policy. | | `trackingTechnologies` | `string[]` | No | e.g. `["cookies", "localStorage", "sessionStorage", "pixel"]` | | `consentMechanism` | `{ hasBanner: boolean; hasPreferencePanel: boolean; canWithdraw: boolean }` | No | Required when `"eu"` in jurisdictions for GDPR compliance. | ### CookiePolicyCookies shape ```ts type CookiePolicyCookies = { essential: boolean; // required [key: string]: boolean; // additional categories }; ``` Example with custom categories: ```ts defineConfig({ company: { /* ... */ }, effectiveDate: "2026-01-01", jurisdictions: ["eu", "us"], cookies: { essential: true, analytics: true, marketing: false, preferences: true, }, }) ```