# Compliance Research Cache

## TMDB API Terms of Use

_Researched: 2026-04-05 (from existing knowledge, web search unavailable)_

Key requirements from TMDB API Terms of Use:

1. **Attribution Required**: Must display "This product uses the TMDB API but is not endorsed or certified by TMDB" or equivalent. The TMDB logo must be displayed with a link to tmdb.org.
2. **No Data Caching Beyond 6 Months**: TMDB data cached locally should be refreshed. Long-term storage of TMDB metadata is permitted, but images must be served from TMDB's CDN (image.tmdb.org).
3. **Image Serving**: Poster images MUST be served from TMDB's image CDN. You cannot download and host TMDB images on your own servers.
4. **Rate Limits**: Approximately 40 requests per 10 seconds per API key (free tier). No hard monthly cap, but abuse triggers throttling.
5. **No Commercial Use Without Permission**: Free tier is for personal/non-commercial projects. Commercial use requires a separate agreement.
6. **Data Freshness**: Apps should periodically refresh stored data to keep it current.
7. **API Key Security**: API keys must not be exposed in client-side code. Use server-side proxying.

## GDPR and Anonymous Users

_Researched: 2026-04-05 (from existing knowledge, web search unavailable)_

Key considerations:

1. **UUIDs as Personal Data**: Under GDPR, any unique identifier that can single out an individual is personal data, including UUIDs stored in local storage.
2. **Local Storage/Cookies**: Even without traditional cookies, local storage containing user identifiers triggers GDPR obligations.
3. **IP Logging**: Server logs that capture IP addresses are personal data under GDPR.
4. **Lawful Basis**: Even for anonymous-style auth, you need a lawful basis (likely legitimate interest or consent).
5. **Right to Deletion**: Users must be able to delete their account and all associated data.
6. **Privacy Policy Required**: Even minimal data collection requires a privacy policy.
7. **Data Minimization**: Only collect what is necessary.
8. **Cookie/Storage Consent**: Depending on jurisdiction (ePrivacy Directive in the EU), storing identifiers in local storage may require consent banners.

## WCAG 2.1 AA Requirements

_Researched: 2026-04-05 (from existing knowledge, web search unavailable)_

Key requirements for a PWA like MovieDice:

1. **Color Contrast**: Minimum 4.5:1 for normal text, 3:1 for large text (18pt+ or 14pt+ bold).
2. **Touch Targets**: Minimum 44x44 CSS pixels (mentioned in scope).
3. **Focus Management**: All interactive elements must be keyboard-focusable with visible focus indicators.
4. **Screen Reader Support**: aria-labels on icon buttons, semantic HTML, alt text on images.
5. **Motion/Animation**: Respect the `prefers-reduced-motion` media query; provide an option to disable animations.
6. **Text Resize**: Content must be readable at 200% zoom.
7. **Form Labels**: All inputs must have associated labels.
8. **Error Identification**: Form errors must be clearly identified and described.
9. **Heading Hierarchy**: Proper heading structure (h1-h6).
10. **Link Purpose**: Link text must describe the destination.

## PWA Standards

_Researched: 2026-04-05 (from existing knowledge, web search unavailable)_

1. **Web App Manifest**: Required fields: name, short_name, icons (multiple sizes), start_url, display, theme_color, background_color.
2. **Service Worker**: Required for installability. Must handle fetch events.
3. **HTTPS**: Required for service workers and PWA installation.
4. **Offline Support**: Service worker should cache critical assets for offline use.
5. **Icons**: Multiple sizes required (192x192, 512x512 minimum). Maskable icons recommended.
6. **Splash Screen**: Configured via manifest properties.

## Docker + Next.js Best Practices

_Researched: 2026-04-05 (from existing knowledge, web search unavailable)_

1. **Multi-stage builds**: Use separate build and runtime stages to minimize image size.
2. **Non-root user**: Run the application as a non-root user in the container.
3. **Next.js standalone output**: Use `output: 'standalone'` in next.config.js for optimized Docker images.
4. **Health checks**: Include a HEALTHCHECK instruction in the Dockerfile.
5. **Environment variables**: Use ARG for build-time values, ENV for runtime values. Never bake secrets into images.
6. **Signal handling**: Use `dumb-init` or `tini` for proper signal forwarding (the PID 1 problem).
7. **Layer caching**: Copy package.json and install dependencies before copying source code.
8. **Security scanning**: Scan images for vulnerabilities regularly.
9. **.dockerignore**: Exclude node_modules, .git, and .env files from the build context.

## TMDB Terms of Service — Deep Dive

_Researched: 2026-04-05 (second pass, from existing knowledge)_

Additional requirements beyond basic attribution:

1. **Image Hotlinking vs Caching**: TMDB ToS Section 3(A) prohibits "storing" TMDB content except for reasonable caching. The distinction: serving images directly from `image.tmdb.org` via `<img>` tags is compliant. Downloading images to your own server/CDN and re-serving them is a violation. Using `next/image` as a proxy (which downloads, optimizes, and re-serves) is a gray area — the scope correctly avoids this by using native TMDB URLs.
2. **Data Freshness Obligation**: The TMDB ToS requires that cached/stored data be refreshed periodically. The scope's bi-weekly trailer refresh is a start, but the core movie metadata (title, genres, poster_path) stored in the `movies` table has NO refresh mechanism. If TMDB updates a poster or corrects metadata, the app would serve stale data indefinitely.
3. **Rate Limits (Free Tier)**: ~40 requests per 10 seconds (~4/s average). No hard monthly cap. HTTP 429 responses include a `Retry-After` header. The scope does not specify handling of 429 responses in the server proxy.
4. **TMDB Logo Requirements**: The logo must be used as provided (no modification). Minimum size requirements exist.
   The logo files are available at https://www.themoviedb.org/about/logos-attribution. The scope says "logo + link + disclaimer" but does not specify using the official logo assets.
5. **Content Filtering**: TMDB includes adult content. The scope does not specify filtering `adult: true` results from API responses.

## GDPR and Supabase Anonymous Auth — Deep Dive

_Researched: 2026-04-05 (second pass, from existing knowledge)_

1. **Supabase Internal Logging**: Self-hosted Supabase components (GoTrue, PostgREST, Kong) all produce their own logs containing IP addresses, user agent strings, and auth tokens. These are personal data under GDPR. The scope mentions no log management for the Supabase stack — only the Next.js app.
2. **JWT as Personal Data**: The JWT issued by `signInAnonymously()` contains the user's UUID in the `sub` claim, token expiry, and role. While the JWT itself is ephemeral, it is transmitted over the network and stored in the browser. Under GDPR, the UUID within is personal data (it singles out an individual). The JWT is not the concern — the UUID it carries is.
3. **Supabase Auth Tables**: GoTrue stores its own `auth.users` table with: id, created_at, updated_at, last_sign_in_at, raw_app_meta_data, raw_user_meta_data, is_anonymous flag, and more. This is separate from the app's `public.users` table. Account deletion must also clean up `auth.users`.
4. **Data Processor Agreement**: Under GDPR, if using a third party to process data, a Data Processing Agreement (DPA) is required. For self-hosted Supabase, the deployer IS the data controller and processor — no DPA is needed with Supabase Inc. However, TMDB receives search queries (which could contain personal preferences) — TMDB's privacy policy should be referenced.
5. **Legitimate Interest Basis**: For anonymous auth with no email, the lawful basis is likely "legitimate interest" (Art. 6(1)(f)) or "performance of a contract" (Art. 6(1)(b)). The privacy policy must state which basis is used.
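The TMDB items above (server-side proxying so the key never reaches the client, honouring HTTP 429 with `Retry-After`, dropping `adult: true` results, and keeping poster URLs on `image.tmdb.org`) can be covered by one server-side search function. The following is an added example written for this cache; it is not code from the MovieDice project or from TMDB. It assumes the key is held in a `TMDB_API_KEY` environment variable and sent in TMDB's bearer-token form (use the `api_key` query parameter instead if that is the credential you hold); the `w500` poster size, the retry budget and the 10-second cap on `Retry-After` are choices made here, not TMDB requirements. `fetch` and `sleep` are injectable so the logic can be exercised without network access.

```javascript
// Added example (not MovieDice or TMDB code): a server-only TMDB search proxy.
// Assumptions: TMDB_API_KEY env var, bearer-token auth, w500 poster size.

const TMDB_API_BASE = "https://api.themoviedb.org/3";
const TMDB_IMAGE_BASE = "https://image.tmdb.org/t/p/w500"; // assumed poster size

// Turn a Retry-After value (delay-seconds or HTTP-date) into milliseconds.
// Missing or unparseable values use the fallback; the result is capped so a
// misbehaving upstream cannot park the request handler for minutes.
function parseRetryAfterMs(headerValue, now = Date.now(), fallbackMs = 1000, maxMs = 10000) {
  if (!headerValue) return fallbackMs;
  const seconds = Number(headerValue);
  let ms;
  if (Number.isFinite(seconds)) {
    ms = seconds * 1000;
  } else {
    const at = Date.parse(headerValue);
    ms = Number.isNaN(at) ? fallbackMs : at - now;
  }
  return Math.min(Math.max(ms, 0), maxMs);
}

// Reduce raw TMDB results to what the UI renders: adult titles are dropped and
// only the needed fields are relayed (data minimisation applies to what is
// forwarded to the browser, not only to what is stored). Poster URLs stay on
// TMDB's CDN so images are hotlinked, never re-hosted.
function sanitizeResults(results) {
  return results
    .filter((m) => m.adult !== true)
    .map((m) => ({
      id: m.id,
      title: m.title,
      releaseYear: m.release_date ? m.release_date.slice(0, 4) : null,
      posterUrl: m.poster_path ? `${TMDB_IMAGE_BASE}${m.poster_path}` : null,
    }));
}

// Server-side search. Never import this into client components: the API key
// must stay on the server. On 429 the call waits for Retry-After and retries
// up to maxRetries times, then fails so the caller can surface a clean error.
async function searchMovies(query, {
  apiKey = process.env.TMDB_API_KEY,
  fetchImpl = fetch,
  sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  maxRetries = 2,
} = {}) {
  if (!apiKey) throw new Error("TMDB_API_KEY is not configured on the server");
  const url = new URL(`${TMDB_API_BASE}/search/movie`);
  url.searchParams.set("query", query);
  url.searchParams.set("include_adult", "false"); // ask TMDB to filter too; we filter again below

  let attempts = 0;
  for (;;) {
    attempts += 1;
    const res = await fetchImpl(url.toString(), {
      headers: { Authorization: `Bearer ${apiKey}`, Accept: "application/json" },
    });
    if (res.status === 429 && attempts <= maxRetries) {
      await sleep(parseRetryAfterMs(res.headers.get("retry-after")));
      continue;
    }
    if (!res.ok) throw new Error(`TMDB responded ${res.status}`);
    const body = await res.json();
    return { results: sanitizeResults(body.results ?? []), attempts };
  }
}

if (typeof module !== "undefined") {
  module.exports = { parseRetryAfterMs, sanitizeResults, searchMovies };
}
```

In a Next.js app this would be called from a server-side route handler (for example an `app/api/search/route.js`, a path assumed here), which validates the incoming query and returns `results` to the browser; the browser never sees the upstream URL or the key. The second `adult` filter in `sanitizeResults` is deliberate: `include_adult=false` is a request to TMDB, while the local filter is the guarantee.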
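For the GDPR points on IP logging and on Supabase components emitting logs with IP addresses, user agents and auth tokens, a redaction pass applied before log lines are written or shipped is the usual mitigation. The following is an added example written for this cache, not code from Supabase, GoTrue, Kong or Next.js. The field names it treats as sensitive (`remote_addr`, `client_ip`, `user_agent`, `authorization` and so on) are assumptions about those log formats, and the sample lines in the test are constructed.

```javascript
// Added example (not Supabase/GoTrue/Kong/Next.js code): redact personal data
// from server log lines. Sensitive field names are assumptions about the formats.

// Values of these fields are always replaced, whatever they contain. This is
// also where IPv6 is handled: a generic IPv6 regex collides with timestamps
// such as 12:34:56, so IPv6 is only redacted when it sits in a known field.
const SENSITIVE_KEYS = new Set([
  "ip", "remote_addr", "remote_ip", "client_ip", "x-forwarded-for", "x-real-ip",
  "user_agent", "user-agent", "authorization", "apikey", "cookie", "set-cookie",
]);

const JSON_FIELD = /"([^"]+)"(\s*:\s*)"([^"]*)"/g;          // "key": "value"
const LOGFMT_FIELD = /\b([A-Za-z_][\w-]*)=("[^"]*"|\S+)/g;  // key=value or key="v v"
const BEARER = /\bBearer\s+[A-Za-z0-9._~+/=-]+/g;            // Bearer <opaque or JWT>
const JWT = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g; // base64url header "eyJ"
const IPV4 = /\b((?:\d{1,3}\.){3})\d{1,3}\b/g;

function isSensitiveKey(key) {
  return SENSITIVE_KEYS.has(key.toLowerCase());
}

// Redact one line. Field rules run first so a whole sensitive value goes;
// pattern rules then catch tokens and IPv4 addresses in free text. An IPv4
// address outside a sensitive field is truncated to its /24 (last octet
// zeroed) rather than removed, which keeps enough for abuse-pattern analysis
// while reducing identifiability. Dotted-quad version strings are also hit
// by the IPv4 rule; that is accepted here in favour of not missing an address.
function redactLine(line) {
  let out = line.replace(JSON_FIELD, (m, key, sep) =>
    isSensitiveKey(key) ? `"${key}"${sep}"[redacted]"` : m);
  out = out.replace(LOGFMT_FIELD, (m, key) =>
    isSensitiveKey(key) ? `${key}=[redacted]` : m);
  out = out.replace(BEARER, "Bearer [redacted-token]");
  out = out.replace(JWT, "[redacted-jwt]");
  out = out.replace(IPV4, (m, prefix) => `${prefix}0`);
  return out;
}

// Batch form for a log shipper or a transform stream.
function redactLines(lines) {
  return lines.map(redactLine);
}

if (typeof module !== "undefined") {
  module.exports = { redactLine, redactLines, SENSITIVE_KEYS };
}
```

Redaction at the sink does not shorten the retention question: the Supabase containers still hold the raw lines on their own stdout unless their log driver is pointed at the redacting shipper, so the filter belongs in front of wherever logs persist, not only in the Next.js app.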
## WCAG 2.1 AA — Animation and Component Accessibility Deep Dive

_Researched: 2026-04-05 (second pass, from existing knowledge)_

1. **WCAG 2.2.2 Pause, Stop, Hide**: Any auto-playing animation that (a) starts automatically, (b) lasts more than 5 seconds, and (c) is presented in parallel with other content MUST have a mechanism to pause, stop, or hide it. The landing page slot-machine reel (if it auto-plays or loops) would fall under this. The scope's `prefers-reduced-motion` handling addresses motion but NOT the pause/stop requirement for users who want motion but need control over it.
2. **WCAG 2.4.7 Focus Visible**: All interactive elements must have a visible focus indicator. The scope mentions focus management for the inline panel but does not mention visible focus styles for poster cards, buttons, or other interactive elements. Tailwind's default `outline-none` on focus is a common violation.
3. **WCAG 1.1.1 Non-text Content**: All poster images need meaningful `alt` text (movie title + year minimum). The scope does not specify an alt text strategy. Reel animation posters spinning at high speed should have `aria-hidden="true"` during the spin and meaningful alt text on the final result.
4. **WCAG 1.3.1 Info and Relationships**: The poster grid should use semantic list markup (`