Do You Know What You Built Last Summer?!
You vibe coded it. You shipped it. Now let's find out if you actually know what's in there. No shame — just truth.
Knowledge Is Protection
Understand what data your app collects, how to protect it, and what your users have the right to know.

Your app works. Users sign up, enter their information, and everything flows smoothly. But here is a question that might make you uncomfortable: do you know exactly what data your app is collecting? Not what you told the AI to collect — what it actually collects? Because in 2024, the average data breach cost $4.88 million globally and $10.22 million for US companies. The gap between what you think your app does with data and what it actually does has a price tag — and it is measured in millions.
Data handling is everything your app does with user information: collecting it, storing it, processing it, sharing it, and eventually deleting it. Privacy is your users' right to control what happens with their personal information.
This covers a wide spectrum. On one end, you have obviously sensitive data: passwords, credit card numbers, social security numbers. On the other end, you have things that seem harmless but are actually personal information under laws like GDPR: email addresses, IP addresses, device identifiers, even cookies.
When your AI tool builds features for you, it often makes decisions about data that you might not realize. It might log user actions to the console (which ends up in server logs). It might store form data in local storage without encryption. It might send analytics data to third-party services. Each of these is a data handling decision, and each one has implications for your users' privacy.
There is also an accessibility angle here that most people miss. Screen readers can inadvertently expose sensitive data if forms are not coded properly. Custom password fields built with div elements instead of native input elements lack built-in protection — screen readers may echo keystrokes aloud. Privacy and accessibility are deeply connected: both are about respecting the people who use your product.

Your AI tool made data decisions for you. That is fine. But those decisions have your name on them, not the AI's.
Average breach detection time: 241 days. That is 8 months of exposure before you know there is a problem.

In February 2024, the ALPHV/BlackCat ransomware group encrypted Change Healthcare systems in what became the largest healthcare data breach in US history. 192.7 million individuals were affected — roughly one-third of all Americans. UnitedHealth Group paid a $22 million ransom, but the affiliate kept a copy and demanded more. Total cost through September 2024: $2.457 billion. An AHA survey found 74% of hospitals reported direct patient care impact.
That same year, the Clop ransomware group exploited a SQL injection zero-day in MOVEit file transfer software, compromising 2,700+ organizations and exposing data of 93.3 million individuals. Financial toll: approximately $9.93 billion.
And the Equifax breach from 2017? The $425 million settlement was still paying out in 2024, with final payments of approximately $70 million distributed that year. Seven years later, still writing checks.
The Verizon 2025 DBIR analyzed 22,000+ security incidents and 12,195 confirmed breaches. Third-party involvement doubled to 30%. Ransomware was present in 44% of breaches, up 37% from the previous year. The average time to detect and contain a breach: 241 days. That is eight months of someone rummaging through your users' data before you even know.
These are not just big-company problems. Privacy laws like GDPR and CCPA apply to anyone who handles user data, including your side project with twelve users.

Change Healthcare. One-third of all Americans. $2.457 billion. And that is just one breach from one year.
192.7M individuals affected. $9.93B MOVEit toll. $425M Equifax settlement still paying out 7 years later. Data mishandling compounds.

Make a list of every piece of user data your app touches. Check form fields, analytics events, server logs, and third-party integrations. If you find data being collected that you did not explicitly plan for, investigate why.
Data in your database should be encrypted (at rest). Data sent between the browser and your server should go over HTTPS (in transit). If you store sensitive data like payment info or health records, look for field-level encryption.
How long do you keep user data? Do you delete accounts when users ask? A good retention policy means you only keep data as long as you actually need it, and you have a process for deleting it on request.
Every analytics tool, payment processor, email service, and API that touches user data should be listed in your privacy policy. Your AI tool might have added integrations you are not aware of — check your package dependencies.
At minimum, users should be able to see what data you have about them and request its deletion. Under GDPR and similar laws, this is not optional. Make sure those data request forms are accessible to screen readers and keyboard users too.
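One way to start the data inventory from the first item (and to catch the console logging, local storage writes and third-party calls described earlier), as an added example that is not Island Pitch's own tooling: a heuristic scan over a constructed signup snippet. The sink patterns, the PII name hints and the example URLs are assumptions for illustration.

```javascript
// Heuristic data-handling sinks: where user data tends to leak out of a vibe-coded app.
const SINKS = [
  { id: "console-log",   re: /console\.(log|info|debug|warn|error)\s*\(/g, why: "ends up in server or browser logs" },
  { id: "local-storage", re: /(localStorage|sessionStorage)\.setItem\s*\(/g, why: "unencrypted client-side storage" },
  { id: "third-party",   re: /fetch\s*\(\s*["'`](https?:\/\/[^"'`/]+)/g,     why: "data leaves to another origin" },
];
// Field names that commonly carry personal data (email, IP, device id, card...). Assumed list.
const PII_HINTS = /\b(email|password|ssn|phone|ip|address|device|token|card)\w*/i;

function lineOf(src, idx) { return src.slice(0, idx).split("\n").length; }

// Returns one finding per matched sink: { file, line, sink, why, snippet, pii }.
// `pii` is only a hint based on the matched line's text, not a proof that PII flows there.
function scanSource(file, src, ownOrigin) {
  const findings = [];
  const lines = src.split("\n");
  for (const { id, re, why } of SINKS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(src)) !== null) {
      // Calls to your own API origin are expected; everything else is a third party to list.
      if (id === "third-party" && m[1] === ownOrigin) continue;
      const line = lineOf(src, m.index);
      const snippet = lines[line - 1].trim();
      findings.push({ file, line, sink: id, why, snippet, pii: PII_HINTS.test(snippet) });
    }
  }
  return findings;
}

// Constructed sample: the kind of signup handler an AI assistant might emit without being asked
// to log, cache or share anything. Domains are placeholders.
const SAMPLE = `async function onSignup(form) {
  console.log("signup", form.email, form.password);
  localStorage.setItem("draft", JSON.stringify(form));
  await fetch("https://api.example.com/users", { method: "POST", body: JSON.stringify(form) });
  await fetch("https://analytics.example-vendor.com/track", { method: "POST", body: form.email });
}`;

function inventory() { return scanSource("signup.js", SAMPLE, "https://api.example.com"); }

for (const f of inventory()) {
  console.log(`${f.file}:${f.line} [${f.sink}] ${f.why}${f.pii ? " (possible PII on this line)" : ""}`);
}
```

Each finding is a data handling decision to either justify in your privacy policy or remove; the third-party hits are the integrations you may not know you have.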

Five checkboxes between you and sleeping at night. Start at the top, work your way down.
5 items. Data inventory is the prerequisite for all the others. Start there.

You are responsible for every byte of user data your app touches — even the data your AI tool decided to collect without asking you. In a world where a single breach can cost $2.457 billion and take 241 days to even detect, understanding your data flow is not just good practice — it is survival. Do Cool Things the Right Way means respecting your users' privacy as much as you respect their time.

Every byte has a story. Make sure you know the story before a regulator asks you to tell it.
GDPR fines: up to 4% of global revenue. CCPA: up to $7,988 per intentional violation. Compliance is cheaper than enforcement.

Not sure what data your app is really handling? A DYKWYBLS comprehension check analyzes your actual codebase and compares it to what you think is happening. It is the fastest way to spot data handling surprises before your users — or regulators — find them first. Part of how Island Pitch helps you Do Cool Things the Right Way!