
# Usage of Data Collection and Storage - Privacy

It is critical to limit the collection, storage, and sharing of both personally identifiable information (PII) and sensitive personal information (SPI). Leaked information such as Social Security Numbers can lead to customers being compromised, which could have legal repercussions for manufacturers. If information of this nature must be gathered, it is important to follow the principles of Privacy-by-Design.

**Considerations (the list below is non-exhaustive):**

* Determine which PII/SPI is critical for device operation and whether storing the information is required for business and/or operational purposes.
* Limit the storage duration to the shortest time needed for device operation.
* Ensure the information is stored securely, e.g. in a secure environment or protected using strong cryptography.
* Provide transparency for customers by including, in privacy policies, details about what information is collected, stored, and shared.
* Provide a mechanism to allow the device owner to perform a factory reset to remove their personal data before transfer to another user or destruction.
* Consider GDPR for devices that store data in the EU.
  * "...[covers just about anything you can do with data: collection, storage, transmission, analysis, etc. “Personal data” is any information that relates to a person, such as names, email addresses, IP addresses, eye color, political affiliation, and so on.](https://gdpr.eu/faq/)"
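
As an added example (not code from the original guide), the retention, secure-storage and factory-reset points above implemented with Go's standard-library AES-256-GCM: each stored item carries an authenticated retention deadline, decryption is refused once it has passed, and a factory reset only has to zero the device key. The key, the record layout and the function names are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"time"
)

// newGCM wraps the per-device key in AES-256-GCM. The key is assumed to be
// provisioned in a secure element; here it is a plain 32-byte slice.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// sealPII encrypts one PII item and binds its retention deadline (now+ttl as
// unix seconds) as associated data. Layout: deadline(8) || nonce || ciphertext+tag.
func sealPII(gcm cipher.AEAD, plaintext []byte, now time.Time, ttl time.Duration) ([]byte, error) {
	deadline := make([]byte, 8)
	binary.BigEndian.PutUint64(deadline, uint64(now.Add(ttl).Unix()))
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(append(deadline, nonce...), nonce, plaintext, deadline), nil
}
// openPII refuses to return an item once its deadline has passed; because the
// deadline is authenticated, it cannot be extended without the key.
func openPII(gcm cipher.AEAD, sealed []byte, now time.Time) ([]byte, error) {
	n := 8 + gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("malformed record")
	}
	if now.Unix() >= int64(binary.BigEndian.Uint64(sealed[:8])) {
		return nil, errors.New("retention period expired")
	}
	return gcm.Open(nil, sealed[8:n], sealed[n:], sealed[:8])
}
// cryptoErase zeroes the key in place: a factory reset that does this (and drops
// the AEAD built from it) leaves every sealed record still on flash unrecoverable.
func cryptoErase(key []byte) {
	for i := range key {
		key[i] = 0
	}
}
```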

## Additional References

* [Privacy-by-design](https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf)
* <https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-by-design/>
* <https://blog.varonis.com/privacy-design-cheat-sheet/>
* <https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf>
