Compliance Checklist

• [x] Privacy policy published
• [x] Terms of service published
• [x] GDPR data export endpoint
• [x] GDPR data deletion endpoint
• [x] Cookie consent (essential only)
• [ ] SOC 2 (not needed at current scale)
• [ ] HIPAA (not applicable)
• [ ] PCI DSS (handled by Stripe)