Files
Lumotia/docs/brief/legal-compliance.md
2026-03-21 12:01:50 +00:00

45 lines
3.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<!-- Source: Kon Master Brief — §6 Legal & Compliance -->
## 6. Legal & Compliance
### Code signing (non-negotiable for distribution)
- **macOS:** Apple Developer Programme (£79/year) + notarisation mandatory. Unsigned apps trigger "damaged app" dialogue that most users cannot bypass.
- **Windows:** Extended Validation certificate (£240£480/year) for immediate SmartScreen bypass. Unsigned executables trigger warnings that destroy conversion.
- **Linux:** Users more tolerant of unsigned software. Flathub + AppImage as primary formats.
- **Budget impact:** ~£320£560/year minimum for macOS + Windows signing. Non-optional cost.
### GDPR position (local-only tier)
- **Jake is NOT a data processor.** Kon runs entirely on-device. No data is transmitted, stored, or visible to the developer. Same legal position as distributing a word processor.
- **Special category data:** Marketing targets neurodivergent users, but the app does not collect, store, or infer diagnosis information. Per ICO guidance, a "possible inference" is not special category data — only "reasonable certainty" triggers Article 9. Kon is on safe ground here.
- **Voice data:** Processed locally by Whisper. Never leaves the device. No third-party processor involved.
### GDPR position (cloud tier — when added)
- Jake becomes a data processor when voice data hits an external API.
- Requires: explicit consent before any audio is sent, data processing addendum, clarity on which AI provider and their retention policies.
- Do not add cloud features until revenue justifies compliance overhead.
### European Accessibility Act (EAA)
- Enforceable from 28 June 2025. Applies to consumer-facing digital products sold in the EU, including apps.
- Technical benchmark: EN 301 549 V3.2.1, incorporating WCAG 2.1 Level AA.
- Applies to non-EU companies selling to EU customers (similar extraterritorial reach to GDPR).
- Microenterprises (fewer than 10 employees, under €2M turnover) are currently exempt — Kon qualifies initially.
- **The UK has not adopted the EAA.** UK relies on the Equality Act 2010 ("reasonable adjustments") with no specific technical standards enforced.
- **Competitive opportunity:** Neither Tiimo nor Structured publishes a VPAT or formal accessibility conformance report. Publishing one first opens doors to government procurement, educational institutions, and enterprise contracts.
- Build to WCAG 2.2 AA from day one — this aligns with Kon's design philosophy and creates a genuine compliance moat.
### Required before paid launch
- [ ] Privacy policy (no data leaves device, no telemetry, no identifying analytics)
- [ ] Terms of service (licence terms, limitation of liability, AI accuracy disclaimer)
- [ ] Cookie policy (if landing page/website uses any tracking)
### Required before cloud tier launch
- [ ] Data processing addendum
- [ ] Explicit consent mechanism in-app
- [ ] DPIA (Data Protection Impact Assessment) — recommended given voice data + neurodivergent audience
- [ ] Review AI provider's data retention and training policies
### Business structure
- Personal project for now. No company entity required during beta.
- Roll into CORBEL Ltd if/when revenue becomes meaningful.
- Consult tax advisor at ~£500+/month revenue to determine optimal structure.