Add security and privacy pages to showcase data protection commitment

[ComputelessComputer]

Summary

Adds two new marketing pages to the web app:

• /security - Comprehensive page showcasing Hyprnote's security-first architecture, covering local-first processing, encryption, open source transparency, and enterprise security features
• /privacy - Dedicated page highlighting Hyprnote's privacy commitment (separate from the legal privacy policy), covering data ownership, no-tracking policies, and transparency

Both pages follow the existing design patterns from opensource.tsx, enterprise.tsx, and faq.tsx, using the same component structure, styling conventions, and SlashSeparator layout.

Review & Testing Checklist for Human

• Verify security/privacy claims match actual product capabilities - The pages make specific claims about AES-256 encryption, zero-knowledge design, local-first processing, TLS 1.3, etc. These should be reviewed for accuracy.
• Visual review on desktop and mobile - Pages were not visually tested; check layout, spacing, and responsiveness
• Test internal links - Security page links to /privacy, /download, /enterprise; Privacy page links to /security, /download, /legal/privacy-policy
• Review marketing language - Statements like "thousands of professionals who trust Hyprnote" may need adjustment

Recommended test plan:

1. Run pnpm --filter web dev and navigate to /security and /privacy
2. Check both pages render correctly on desktop and mobile viewports
3. Click all internal links to verify they work
4. Review content for accuracy against actual product features

Notes

• CodeRabbit flagged bg-linear-to-b as invalid Tailwind, but this class is used consistently throughout the existing codebase (verified in 20+ files), so it's likely a custom Tailwind configuration
• The pages cross-link to each other in their CTA sections

Requested by: john@hyprnote.com (@ComputelessComputer)
Devin session: https://app.devin.ai/sessions/975c7af47dfa4a73beab1e4aae15eb4a

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[netlify]

✅ Deploy Preview for hyprnote-storybook ready!

Name	Link
🔨 Latest commit	ee79372
🔍 Latest deploy log	https://app.netlify.com/projects/hyprnote-storybook/deploys/692f135dc6520d0008eda12e
😎 Deploy Preview	https://deploy-preview-2054--hyprnote-storybook.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a new static privacy route and expands the existing security route; both export Route via createFileRoute and include head() SEO metadata. Pages render multi-section React components with static content, internal links, and an external GitHub link; no runtime data fetching.

Changes

Cohort / File(s)	Change Summary
New privacy information page apps/web/src/routes/_view/privacy.tsx	Added new route exporting Route = createFileRoute("/_view/privacy") with head() meta and a static multi-section React component (Hero, PrivacyPromise, DataOwnership, NoTracking, Transparency, PrivacyComparison, CTA). Uses internal Link and an external GitHub link; Tailwind-like classes.
Updated security information page apps/web/src/routes/_view/security.tsx	Replaced placeholder with full Component and exported Route = createFileRoute("/_view/security") including head() metadata. Introduced multiple sections (Hero, SecurityPrinciples, LocalFirst, Encryption, OpenSourceSecurity, EnterpriseSecurity, CTA), icons, layout structure, and static content.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Review SEO metadata accuracy in both head() implementations.
• Verify link targets (internal Link usages and external GitHub URL) and accessibility (alt/text for icons).
• Confirm styling consistency with existing UI patterns and that new sections follow design tokens.

Possibly related PRs

• bunch of new pages #1691 — Prior modification of apps/web/src/routes/_view/security.tsx that introduced the initial placeholder route this change replaces/expands.
• feat(web): add memory layer product page #1981 — Related updates across apps/web/src/routes/_view/* converting route exports to Component-based createFileRoute with head() metadata.

Suggested reviewers

• yujonglee

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main changes: adding two new security and privacy pages to showcase data protection commitment, which aligns with the file additions and PR objectives.
Description check	✅ Passed	The description clearly explains the changes, including specific details about the two new pages, their content, design patterns, cross-links, and provides a comprehensive review/testing checklist.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch devin/1764594722-security-privacy-pages

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[netlify]

✅ Deploy Preview for hyprnote ready!

Name	Link
🔨 Latest commit	ee79372
🔍 Latest deploy log	https://app.netlify.com/projects/hyprnote/deploys/692f135d0a92870008f7e8c9
😎 Deploy Preview	https://deploy-preview-2054--hyprnote.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

apps/web/src/routes/_view/privacy.tsx (1)

469-509: CTA section reuse and cn usage look good

The CTA mirrors the security page’s structure, and cn is used with grouped class arrays as per your guidelines. No issues here; sharing this pattern between pages keeps the marketing surface consistent.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6460c09 and 1ad7fff.

📒 Files selected for processing (2)

• apps/web/src/routes/_view/privacy.tsx (1 hunks)
• apps/web/src/routes/_view/security.tsx (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx}: Avoid creating a bunch of types/interfaces if they are not shared. Especially for function props, just inline them instead.
Never do manual state management for form/mutation. Use useForm (from tanstack-form) and useQuery/useMutation (from tanstack-query) instead for 99% of cases. Avoid patterns like setError.
If there are many classNames with conditional logic, use cn (import from @hypr/utils). It is similar to clsx. Always pass an array and split by logical grouping.
Use motion/react instead of framer-motion.

Files:

• apps/web/src/routes/_view/security.tsx
• apps/web/src/routes/_view/privacy.tsx

🧬 Code graph analysis (1)

apps/web/src/routes/_view/privacy.tsx (2)

apps/web/src/components/slash-separator.tsx (1)

• SlashSeparator (1-8)

packages/utils/src/cn.ts (1)

• cn (20-22)

🪛 GitHub Actions: web_ci

apps/web/src/routes/_view/privacy.tsx

[error] 368-368: Type '"/legal/privacy-policy"' is not assignable to type '"/" | "/blog" | "/docs" | "/youtube" | "/x" | "/linkedin" | "/join-waitlist" | "/github" | "/founders" | "/discord" | "/contact" | "/auth" | "/webhook/stripe" | "/webhook/nango" | ... 63 more ... | ".."'.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Redirect rules - hyprnote
• GitHub Check: Header rules - hyprnote
• GitHub Check: Pages changed - hyprnote
• GitHub Check: Devin
• GitHub Check: fmt

🔇 Additional comments (4)

apps/web/src/routes/_view/security.tsx (2)

8-35: Route and SEO head metadata look consistent and correct

createFileRoute("/_view/security") with component: Component and the structured head().meta block matches the pattern used on the new privacy route and should integrate cleanly with TanStack Router and your SEO setup.

---

37-485: Security page composition is clean and idiomatic

Sections are nicely factored (HeroSection, SecurityPrinciplesSection, etc.), SlashSeparator is reused for visual rhythm, Link/Icon usage is straightforward, and cn is applied with array arguments per your guidelines. No functional or type concerns from this file.

apps/web/src/routes/_view/privacy.tsx (2)

8-35: Privacy route and head metadata are aligned with security page pattern

createFileRoute("/_view/privacy") plus the head().meta entries for title/description and og/twitter tags match the security page setup and should plug into your routing/SEO stack without issues.

---

88-144: Ensure privacy promises match actual product behavior

The promises here (no cloud uploads, no data collection/monetization, no account required, minimal telemetry off by default) are strong. Please double‑check they accurately reflect current behavior across the app and backend so this page stays truthful and compliant.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

apps/web/src/routes/_view/security.tsx (4)

37-60: Background layering: ensure gradient vs pattern behavior is intentional

The root Component layout and container structure look good and match other marketing pages.

Note that the inline style={{ backgroundImage: "url(/patterns/dots.svg)" }} will override any background-image set by bg-linear-to-b on this element. If bg-linear-to-b also defines a gradient via background-image, only one of them will actually render. If you intended to see both the gradient and the dots pattern, you may want to move the pattern background to an inner wrapper or use a combined background definition in CSS.

---

88-144: Principles list is solid; consider using a stable key instead of index

The SecurityPrinciplesSection is a nice, data‑driven list and easy to extend.

Given the list is static, using the array index as the React key is unlikely to cause real issues, but you can make it slightly more robust/self‑documenting by keying on a unique field like title:

-        {principles.map((principle, index) => (
-          <div
-            key={index}
+        {principles.map((principle) => (
+          <div
+            key={principle.title}
             className="p-6 border border-neutral-200 rounded-lg bg-white"
           >

Purely optional, the current code will work fine.

---

306-370: Open-source transparency section is well implemented; watch for quantitative claims

The open-source/security‑through‑transparency story and GitHub CTA are implemented cleanly, with correct external link attributes (target="_blank" + rel="noopener noreferrer").

Minor copy consideration: phrases like “Thousands of developers have reviewed our codebase” are strong quantitative claims. If that’s intended as marketing hyperbole rather than a literally verifiable fact, you might want to soften the language to avoid sounding overstated in a security-context page.

---

372-443: Enterprise features section: be careful with compliance language

Structurally, the enterprise features grid and /enterprise CTA Link are straightforward and consistent with the rest of the page.

The “Compliance ready” bullet explicitly calls out “GDPR, HIPAA, and SOC 2 compliance requirements”. That’s potentially sensitive from a legal/compliance perspective: buyers will often interpret this as de facto compliance or certification.

I’d recommend:

• Having legal/compliance explicitly sign off on this line; and/or
• Adjusting the wording toward “designed to help support…” and being precise about what’s actually provided (e.g., audit logs, access controls), especially for HIPAA/SOC 2.

Until that’s confirmed, I’d treat this line as something that must be double‑checked before shipping.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1ad7fff and ee79372.

⛔ Files ignored due to path filters (1)

• apps/web/src/routeTree.gen.ts is excluded by !**/*.gen.ts

📒 Files selected for processing (2)

• apps/web/src/routes/_view/privacy.tsx (1 hunks)
• apps/web/src/routes/_view/security.tsx (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• apps/web/src/routes/_view/privacy.tsx

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx}: Avoid creating a bunch of types/interfaces if they are not shared. Especially for function props, just inline them instead.
Never do manual state management for form/mutation. Use useForm (from tanstack-form) and useQuery/useMutation (from tanstack-query) instead for 99% of cases. Avoid patterns like setError.
If there are many classNames with conditional logic, use cn (import from @hypr/utils). It is similar to clsx. Always pass an array and split by logical grouping.
Use motion/react instead of framer-motion.

Files:

• apps/web/src/routes/_view/security.tsx

🧬 Code graph analysis (1)

apps/web/src/routes/_view/security.tsx (3)

apps/web/src/routes/_view/privacy.tsx (1)

• Route (8-35)

apps/web/src/components/slash-separator.tsx (1)

• SlashSeparator (1-8)

packages/utils/src/cn.ts (1)

• cn (20-22)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Redirect rules - hyprnote
• GitHub Check: Header rules - hyprnote
• GitHub Check: Pages changed - hyprnote
• GitHub Check: fmt
• GitHub Check: ci

🔇 Additional comments (5)

apps/web/src/routes/_view/security.tsx (5)

1-6: Route setup and SEO meta look consistent and complete

Imports, Route creation, and the head() meta block match the pattern from privacy.tsx and give the page solid SEO coverage (title, description, OG, Twitter). Technically looks good.

One thing to double‑check outside of code review: the meta descriptions and titles make strong claims (e.g., “local-first architecture, end-to-end encryption, open source transparency”). Please ensure product/infra/marketing have explicitly signed off that these are accurate for the current offering.

Also applies to: 8-35

---

62-86: Hero section structure and copy read cleanly

The hero section has clear hierarchy (single h1, supporting copy) and uses straightforward, accessible markup. The pill with the shield icon helps quickly communicate “security-first” without adding unnecessary complexity.

No code changes needed here.

---

146-225: Local-first section layout and messaging are coherent

The three-column grid plus the offline callout card is clear and responsive, and the icon usage is consistent with the rest of the page. Markup is simple and semantic; no issues from a React/layout standpoint.

Only note is non-code: the copy (“recordings never leave your device”, “everything runs locally”) is very strong. Make sure this exactly matches how the app behaves across all supported platforms and configurations.

---

227-304: Encryption section is technically clear; verify the specificity of claims

The “Enterprise-grade encryption” section is well structured and easy to scan. From a code perspective, it’s just static JSX and looks fine.

Content-wise, you’re making specific technical assertions (AES‑256 at rest, TLS 1.3 with PFS, keys never leaving the device). Those are good if true, but also easy to drift from reality as infrastructure evolves. I’d suggest confirming with whoever owns security/infra that all of these details are accurate today and will remain maintained going forward.

---

445-485: CTA section and cn usage look good and follow guidelines

The CTA provides clear primary/secondary actions, and the cross‑link to /privacy is a nice touch for users wanting more detail.

Using cn with a grouped array of class strings keeps the button styles readable and aligns with the project’s “pass an array and group logically” convention.