Add Privacy Policy page at /privacy

- Create PrivacyPolicy component with sections covering data collection,
  storage, authentication, third-party services, retention, disclaimers
- Register /privacy route in RouterContext
- Add Privacy path to NavigationPaths
- Add Privacy Policy link in NavBar drawer (with Policy icon)
- Add Privacy Policy link on LoginView page
- Skip auth redirect for /privacy so unauthenticated users can read it
- Hide NavBar on /privacy page (same as /login)

Author: dkhalife

frontend/src/App.tsx

@@ -86,7 +86,7 @@ class AppImpl extends React.Component<AppProps> {
     const silentOk = await loginSilently()
     if (silentOk) {
       await this.initializeAuthenticated()
-    } else if (isAuthEnabled() && this.props.pathname !== NavigationPaths.Login) {
+    } else if (isAuthEnabled() && this.props.pathname !== NavigationPaths.Login && this.props.pathname !== NavigationPaths.Privacy) {
       this.props.navigate(NavigationPaths.Login)
     }
 

frontend/src/contexts/RouterContext.tsx

@@ -7,6 +7,7 @@ import { LoginView } from '@/views/Authorization/LoginView'
 import { TaskHistory } from '@/views/History/TaskHistory'
 import { LabelView } from '@/views/Labels/LabelView'
 import { NotFound } from '@/views/NotFound'
+import { PrivacyPolicy } from '@/views/PrivacyPolicy'
 import { Settings } from '@/views/Settings/Settings'
 import { MyTasks } from '@/views/Tasks/MyTasks'
 import { TaskEdit } from '@/views/Tasks/TaskEdit'
@@ -172,6 +173,10 @@ class RouterContextImpl extends React.Component<RouterContextProps, RouterContex
               path='/labels/'
               element={<LabelView />}
             />
+            <Route
+              path='/privacy'
+              element={<PrivacyPolicy />}
+            />
           </Route>
         </Routes>
 

frontend/src/utils/navigation.ts

@@ -17,6 +17,7 @@ export const NavigationPaths = {
   TaskCreate: '/tasks/create',
   TaskEdit: (taskId: number) => `/tasks/${taskId}/edit`,
   TaskHistory: (taskId: number) => `/tasks/${taskId}/history`,
+  Privacy: '/privacy',
 }
 
 export interface WithNavigate {

frontend/src/views/Authorization/LoginView.tsx

@@ -8,6 +8,7 @@ import {
   Button,
 } from '@mui/joy'
 import React from 'react'
+import { Link } from 'react-router-dom'
 import { initializeMsal, loginSilently, loginWithRedirect } from '@/utils/msal'
 import { setTitle } from '@/utils/dom'
 import { NavigationPaths, WithNavigate } from '@/utils/navigation'
@@ -97,6 +98,17 @@ class LoginViewImpl extends React.Component<LoginViewProps, LoginViewState> {
               Sign in
             </Button>
           </Sheet>
+          <Typography
+            level='body-xs'
+            sx={{ mt: 2, textAlign: 'center' }}
+          >
+            <Link
+              to={NavigationPaths.Privacy}
+              style={{ color: 'inherit' }}
+            >
+              Privacy Policy
+            </Link>
+          </Typography>
         </Box>
       </Container>
     )

frontend/src/views/Navigation/NavBar.tsx

@@ -5,6 +5,7 @@ import {
   LocalLibrary,
   Label,
   Settings,
+  Policy,
 } from '@mui/icons-material'
 import {
   IconButton,
@@ -57,7 +58,7 @@ export class NavBar extends React.Component<NavBarProps, NavBarState> {
   }
 
   render(): React.ReactNode {
-    if (['/login'].includes(this.props.pathname)) {
+    if (['/login', '/privacy'].includes(this.props.pathname)) {
       return null
     }
 
@@ -153,6 +154,11 @@ export class NavBar extends React.Component<NavBarProps, NavBarState> {
               size='md'
               onClick={this.openDrawer}
             >
+              <NavBarLink
+                to={NavigationPaths.Privacy}
+                icon={<Policy />}
+                label='Privacy Policy'
+              />
               <ListItemButton
                 onClick={this.logout}
                 sx={{

frontend/src/views/PrivacyPolicy.tsx

@@ -0,0 +1,199 @@
+import {
+  Container,
+  Divider,
+  List,
+  ListItem,
+  ListItemDecorator,
+  Typography,
+} from '@mui/joy'
+import {
+  CheckCircle,
+  RemoveCircle,
+} from '@mui/icons-material'
+import React from 'react'
+
+export class PrivacyPolicy extends React.Component {
+  render(): React.ReactNode {
+    return (
+      <Container
+        maxWidth='md'
+        sx={{ py: 4, px: 2 }}
+      >
+        <Typography level='h1'>Privacy Policy</Typography>
+        <Typography
+          level='body-sm'
+          sx={{ mt: 1, mb: 3, color: 'text.tertiary' }}
+        >
+          Last updated: March 2026
+        </Typography>
+
+        <Section title='Overview'>
+          <Typography>
+            Task Wizard is a self-hostable, privacy-focused task management
+            application. Because you can host it on your own infrastructure, you
+            retain full control over your data. No user information is sent to the
+            Task Wizard maintainers or any centralized service operated by them.
+          </Typography>
+        </Section>
+
+        <Section title='Data We Collect'>
+          <Typography sx={{ mb: 1 }}>
+            Task Wizard is designed to collect the minimum data necessary to
+            function:
+          </Typography>
+          <BulletList
+            icon={<CheckCircle color='success' />}
+            items={[
+              'Authentication identifiers from Microsoft Entra ID (directory ID and object ID) — used solely to identify your account',
+              'Task data you create: titles, due dates, recurrence rules, completion status, and labels',
+              'Notification preferences and scheduled notification metadata',
+              'Request metadata for operational logging: IP address, user agent, HTTP method, route, and status code (request bodies and tokens are never logged)',
+            ]}
+          />
+        </Section>
+
+        <Section title='Data We Do NOT Collect'>
+          <BulletList
+            icon={<RemoveCircle color='disabled' />}
+            items={[
+              'Personal names, email addresses, or passwords — these fields were explicitly omitted from the data model',
+              'Tracking cookies, analytics identifiers, or advertising data',
+              'Telemetry or usage analytics',
+            ]}
+          />
+        </Section>
+
+        <Section title='How Your Data Is Stored'>
+          <Typography>
+            All data is stored in a database (SQLite by default, or MySQL) on
+            a backend server.
+          </Typography>
+          <Typography sx={{ mt: 1 }}>
+            The database is not encrypted at rest by default. Server
+            administrators are encouraged to apply operating-system-level or
+            disk-level encryption to protect stored data.
+          </Typography>
+        </Section>
+
+        <Section title='Authentication and Security'>
+          <BulletList
+            icon={<CheckCircle color='success' />}
+            items={[
+              'Authentication is delegated to Microsoft Entra ID using OAuth 2.0 and OpenID Connect — no passwords are stored or processed by the application',
+              'JWT tokens are verified against Entra ID\'s public signing keys (JWKS) on every request',
+              'WebSocket connections are authenticated using the same token verification',
+              'Rate limiting is applied (300 requests per minute per IP address) to mitigate abuse',
+              'All database queries use parameterized statements to prevent SQL injection',
+              'CORS is configurable per deployment to restrict cross-origin access',
+              'HTTPS is recommended and should be configured via a reverse proxy in front of the application',
+            ]}
+          />
+        </Section>
+
+        <Section title='Third-Party Services'>
+          <BulletList
+            icon={<CheckCircle color='success' />}
+            items={[
+              'Microsoft Entra ID - contacted for authentication only; no task or personal data is shared',
+              'Gotify or webhook endpoints (optional) - if configured by you, only minimal task completion text is sent to the endpoint you choose',
+            ]}
+          />
+          <Typography sx={{ mt: 1 }}>
+            No other external services are contacted by the application.
+          </Typography>
+        </Section>
+
+        <Section title='Data Retention and Deletion'>
+          <BulletList
+            icon={<CheckCircle color='success' />}
+            items={[
+              'Sent notifications are automatically deleted within 10 minutes',
+              'Deleting your account removes all associated data including tasks, labels, and notifications',
+              'As a self-hostable application, the server administrator has full control over data retention, backups, and purging',
+            ]}
+          />
+        </Section>
+
+        <Section title='Open Source and Transparency'>
+          <Typography>
+            Task Wizard is open-source software. The entire codebase is publicly
+            available and can be audited by anyone. Automated security scanning
+            is performed via CodeQL and dependency updates are managed through
+            Dependabot.
+          </Typography>
+        </Section>
+
+        <Divider sx={{ my: 3 }} />
+
+        <Section title='Disclaimers'>
+          <Typography>
+            This software is provided &ldquo;as is&rdquo;, without warranty of
+            any kind, express or implied. While the project follows security best
+            practices, no system is perfect and vulnerabilities may exist.
+          </Typography>
+          <Typography sx={{ mt: 1, fontWeight: 600 }}>
+            Use at your own risk.
+          </Typography>
+          <Typography sx={{ mt: 1 }}>
+            The maintainers are not liable for any data loss, security breaches,
+            or damages arising from the use of this software. Because Task
+            Wizard is self-hostable, the security of your deployment ultimately
+            depends on you: keep your server, reverse proxy, operating system,
+            and dependencies up to date.
+          </Typography>
+        </Section>
+
+        <Section title='Changes to This Policy'>
+          <Typography>
+            This policy may be updated as the application evolves. Changes will
+            be reflected in the &ldquo;last updated&rdquo; date at the top of
+            this page.
+          </Typography>
+        </Section>
+      </Container>
+    )
+  }
+}
+
+interface SectionProps {
+  title: string
+  children: React.ReactNode
+}
+
+class Section extends React.Component<SectionProps> {
+  render(): React.ReactNode {
+    return (
+      <section style={{ marginBottom: 24 }}>
+        <Typography
+          level='h3'
+          sx={{ mb: 1 }}
+        >
+          {this.props.title}
+        </Typography>
+        {this.props.children}
+      </section>
+    )
+  }
+}
+
+interface BulletListProps {
+  icon: React.ReactNode
+  items: string[]
+}
+
+class BulletList extends React.Component<BulletListProps> {
+  render(): React.ReactNode {
+    return (
+      <List size='sm'>
+        {this.props.items.map((item, index) => (
+          <ListItem key={index}>
+            <ListItemDecorator sx={{ alignSelf: 'flex-start', mt: 0.5 }}>
+              {this.props.icon}
+            </ListItemDecorator>
+            {item}
+          </ListItem>
+        ))}
+      </List>
+    )
+  }
+}