tenet-privacy-datalisted

# Tenet Privacy & Data Audits whether the codebase treats personal and regulated data deliberately. This skill focuses on source-visible privacy risks: PII collected without clear handling, sensitive fields logged or sent to analytics, missing deletion/export paths, weak retention boundaries, and unsafe data sharing with third parties. ## Language Support Matrix ```yaml support: native: [typescript, javascript, python, go] heuristic: [java, ruby, php, csharp, kotlin, swift] config-only: [yaml, json, terraform, sql] ``` ## Procedure ### Step 0: Detect Applicability This dimension is applicable when any source, schema, config, API, or database file suggests user data handling: - Auth/user/account/profile/customer/member/contact tables or models - Fields matching `email`, `phone`, `address`, `name`, `dob`, `ssn`, `tax_id`, `passport`, `ip_address`, `device_id`, `location`, `payment`, `card`, `health` - Analytics or third-party SDKs such as Segment, Amplitude, Mixpanel, PostHog, Sentry, Datadog RUM, Intercom, Stripe If none are found, write `score: null`, `applicable: false`, and note that no PII-handling surface was detected. ### Step 1: Data Inventory Signals Scan model/schema files, migrations, API DTOs, and validation schemas for sensitive fields. Severity: - `major`: sensitive fields exist but no privacy policy, retention note, or deletion/export path is visible - `minor`: PII exists with partial documentation but no clear field-level inventory - `info`: inve