docs(website): Disclose Cloudflare Turnstile in privacy policy

[yamadashy]

Summary

• Add a Bot Protection bullet to the Repomix Website section in privacy.md that references the Cloudflare Turnstile Privacy Policy and explains the invisible challenge.

Why

Cloudflare's dashboard flags Invisible-mode Turnstile widgets with a requirement that the host site's own privacy policy references the Turnstile Privacy Addendum. The Repomix Turnstile widget was just switched from Managed to Invisible mode, so this disclosure becomes mandatory.

Localization

All 15 locale variants of privacy.md use <!--@include: ../../en/guide/privacy.md-->, so updating the English file alone propagates the new bullet to every translation.

Checklist

• node --run docs:build (website/client) — passes locally

[github-actions]

⚡ Performance Benchmark

Latest commit:	2ace2f8 docs(website): Disclose Cloudflare Turnstile in privacy policy
Status:	✅ Benchmark complete!
Ubuntu:	0.71s (±0.02s) → 0.71s (±0.03s) · +0.00s (+0.1%)
macOS:	0.38s (±0.03s) → 0.38s (±0.02s) · -0.00s (-0.3%)
Windows:	0.96s (±0.08s) → 0.95s (±0.02s) · -0.01s (-0.8%)

Details

• Packing the repomix repository with node bin/repomix.cjs
• Warmup: 2 runs (discarded), interleaved execution
• Measurement: 20 runs / 30 on macOS (median ± IQR)
• Workflow run

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d1e65f35-dcf5-4158-b3fd-f9130bdab1d0

📥 Commits

Reviewing files that changed from the base of the PR and between f458fbd and 2ace2f8.

📒 Files selected for processing (1)

• website/client/src/en/guide/privacy.md

---

📝 Walkthrough

Walkthrough

The pull request adds a single line to the website privacy policy documentation, disclosing the use of Cloudflare Turnstile for bot protection on the Pack form and clarifying what data it may collect during verification.

Changes

Privacy Policy Update

Layer / File(s)	Summary
Bot Protection Disclosure website/client/src/en/guide/privacy.md	Added a new privacy policy bullet describing Cloudflare Turnstile (invisible mode) protection for the Pack form, what signals it may collect for verification, and a link to Turnstile's privacy policy.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• yamadashy/repomix#981: Introduced the Privacy Policy page template that this PR now updates with bot protection disclosure.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and clearly summarizes the main change: adding a Cloudflare Turnstile disclosure to the privacy policy.
Description check	✅ Passed	The description covers the summary, rationale, localization approach, and includes the required checklist item; however, the npm test/lint checklist items are not addressed.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/privacy-turnstile-disclosure

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates the privacy policy to include a section on bot protection using Cloudflare Turnstile. A review comment suggests using a locale-neutral URL for the Cloudflare Privacy Policy link to better support the site's multiple locale variants.

[cloudflare-workers-and-pages]

Deploying repomix with    Cloudflare Pages

Latest commit:	2ace2f8
Status:	✅  Deploy successful!
Preview URL:	https://0bb02ae6.repomix.pages.dev
Branch Preview URL:	https://docs-privacy-turnstile-discl.repomix.pages.dev

View logs

[claude]

Review Summary

Verified Turnstile is actually integrated (useTurnstile.ts, server/src/middlewares/turnstile.ts) and runs in Invisible/execute mode, so the disclosure matches the real implementation. The bullet's style matches the surrounding Data Collection / File Processing entries. Approved with one suggestion.

Details

🟡 Recommended: Russian translation will become stale

14 of 15 locale variants of privacy.md use <!--@include: ../../en/guide/privacy.md--> and will pick up the new bullet automatically — but website/client/src/ru/guide/privacy.md is the only fully hand-translated copy with no include directive. After this PR merges, Russian readers will see a privacy page that omits the Cloudflare Turnstile disclosure, which somewhat undercuts the legal/compliance motivation behind the change.

Two options:

• Quick: translate the new bullet inline into ru/guide/privacy.md.
• Durable: convert the Russian page to the same @include pattern as the other 13 locales so future updates propagate automatically.

🟡 Recommended: Cloudflare link locale (seconding @gemini-code-assist)

privacy.md:20 links to cloudflare.com/en-gb/turnstile-privacy-policy/. Cloudflare's canonical URL https://www.cloudflare.com/turnstile-privacy-policy/ is locale-neutral and would avoid forcing en-GB on readers of every translated page (since all locales include this English source).

🔵 Optional: make third-party transfer explicit

The current wording — "may collect browser and network signals" — is accurate but doesn't make clear that signals are sent to Cloudflare as a third-party processor. A small tweak like "sent to Cloudflare" and naming IP address explicitly would more closely mirror Cloudflare's own Turnstile Privacy Addendum language. Not blocking; the linked policy covers the detail.

✅ Not concerns

• CI: .github/workflows/ci-website.yml runs docs:build on website/** changes, so the build is verified.
• Performance: static markdown only.
• Other docs: no separate cookies/tracking page exists; nav and README are unaffected.

— Reviewed by Claude