A free, open repository of privacy and security specs, rules, and architectural patterns — built by and for the community.
So product developers (and their agents) can have a shared resource for privacy-compliant architecture for everyone's benefit.
People building products that handle user data — especially AI-native applications where the privacy stakes are higher (training use, embeddings, memory, tool calls) and established patterns are fewer.
Anyone evaluating privacy posture — whether you're assessing your own product, reviewing a vendor, or planning a new build.
Legal, policy, and compliance professionals — contribute by proposing new rules or classifications to make this project better for everyone. This resource will always be 100% free and open-source. A few hours of work could one day protect millions of users and help product developers everywhere incorporate better privacy standards in the applications they deploy (that you might one day use).
Assess your product: Pick the class closest to your intended posture, go through its rules, and see where you pass or fail. The Classify Your Product guide walks through this step by step.
Plan improvements: Use the Roadmap to a Class guide to plan your path from where you are to where you want to be.
Build something new: Pick a class, use its rules as requirements, and check its patterns for ready-to-use architecture.
This is early stage — many rules are missing, most classes don't have specs or patterns yet, and every class has a Gaps section listing areas that need your help.
- Propose a rule — see something missing in a class? Suggest it
- Write a spec — verify a product or architecture against a class
- Contribute a pattern — document an architectural approach for meeting rules
- Propose a class — think there's a privacy posture we're missing?
- Improve docs — clarify language, fix examples, add context
Open Requests:
- Privacy professionals: please audit the classifications and rules, and if you see issues, create an issue or PR
- General: see the open issues on GitHub
See CONTRIBUTING.md for full details.
The repo is organized around privacy classes — each one defines a privacy posture with verifiable rules that a product either meets or doesn't.
| Class | What It Means | Example |
|---|---|---|
| Sovereign | You own the entire stack — no external party touches data | Personal AI assistant on local hardware |
| Ephemeral | Process and forget — nothing persists after the interaction | Therapy chatbot that retains no session content |
| Trusted Custody | Data held in trust — user-owned, purpose-bound, auto-expiring | Journaling app that stores your entries but they're yours |
| Accountable Use | Broader use permitted — but every use is visible, consented, auditable | AI assistant that learns your preferences transparently |
Each class contains:
- Rules — specific, true/false requirements (example)
- Specs — products verified against a class's rules (example)
- Patterns — architectural blueprints for meeting rules (example)
File/Folder Organization
```
classes/                      # Privacy classes and their contents
  overview.md                 # How classes relate to each other
  sovereign/                  # No trust delegation
  ephemeral/                  # Process and forget
  trusted-custody/            # Held in trust, user-owned
  accountable-use/            # Broader use, full transparency
    README.md                 # Class definition and rules
    specs/                    # Product verifications
    patterns/                 # Architectural blueprints
guides/                       # Practical guides
  classify-your-product.md    # Assess your current posture
  roadmap-to-a-class.md       # Plan a migration
```