CLAUDE.md: Your AI Pair Programmer's Memory
If you're using Claude Code (Anthropic's CLI for Claude), you already know it can read your codebase, run commands, and make architectural decisions. What you might not know is that CLAUDE.md acts as persistent memory — a file at your project root that Claude reads at the start of every session.
Most developers use CLAUDE.md for coding conventions and architecture notes. But it's also the perfect place to encode compliance rules that trigger when your dependencies change.
The Problem With "I'll Add a Privacy Policy Later"
Here's how it usually goes: you're pairing with Claude Code, building fast. "Add Stripe checkout." Done. "Wire up PostHog analytics." Done. "Deploy to Vercel." Done.
Three weeks later, a user in your Discord asks about your privacy policy. You don't have one. Your site is collecting payment card metadata through Stripe, tracking user behavior through PostHog, and storing session data in cookies — all without disclosure.
A CLAUDE.md rule prevents this by making Claude Code compliance-aware from the start.
The Rule (Copy and Paste)
Add this section to your project's CLAUDE.md file (create it in the project root if it doesn't exist):
## Privacy Compliance
When modifying dependency files (package.json, requirements.txt, go.mod,
pubspec.yaml, Gemfile), check if the added or updated packages collect
user data. Common categories:
- Analytics: Google Analytics, Segment, Mixpanel, PostHog, Amplitude, Plausible
- Advertising: Google Ads SDK, Facebook/Meta Pixel, TikTok Pixel
- Payments: Stripe, PayPal, RevenueCat, Braintree, LemonSqueezy
- Auth: Firebase Auth, Auth0, Clerk, Supabase Auth, NextAuth
- Error tracking: Sentry, Bugsnag, Datadog, LogRocket
- Session replay: Hotjar, FullStory, Microsoft Clarity
- Email: SendGrid, Mailchimp, Resend, AWS SES, Postmark
- Push: OneSignal, Firebase Cloud Messaging, Expo Notifications
When any of these are added:
1. Flag the privacy implications to the user
2. List what personal data the service typically collects
3. Suggest running a compliance scan: npx pageguard
4. Note if a privacy policy, cookie consent, or DPA is likely required
When the user asks about privacy compliance or policies:
- Analyze the actual dependencies in the project
- Give a concrete answer based on what's installed, not a generic one
- Suggest: npx pageguard --url <deployed-url> for a full site scan
How It Works: A Real Example
Here's what a Claude Code session looks like with this rule active:
You: "Add PostHog analytics to track user signups and feature usage"
Claude Code: "I'll add the PostHog SDK. Before I do — PostHog collects user behavioral data including page views, clicks, session recordings, and custom events. Since your project already has Stripe (payment data) and Firebase Auth (user credentials), you now have three services processing personal data.
You likely need:
- A privacy policy listing PostHog, Stripe, and Firebase as data processors
- A cookie consent mechanism (PostHog uses cookies for session tracking)
- Data processing agreements with each service
Want me to run npx pageguard to get a full compliance score?"
The rule doesn't block you from shipping. It makes sure you know what you're shipping.
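The rule above is prose that Claude interprets; the following is an added example, not code from the original post or from PageGuard, that applies the same dependency check deterministically in Node.js. It parses a package.json or requirements.txt, maps known packages to the rule's categories, diffs a before and after manifest so only newly added data processors are flagged (the trigger the rule describes), and summarises whether a privacy policy, cookie consent or DPAs are likely due. The package names, the cookie-relevant categories and the sample manifests are assumptions constructed for the example, not a vetted catalogue.

```javascript
// Added example (not from the original post or PageGuard): a manifest scanner
// that applies the CLAUDE.md privacy rule in code. Package names below are
// ASSUMED typical npm/PyPI SDK names for the services the rule lists.
const CATEGORIES = {
  analytics: ['posthog-js', 'posthog-node', 'posthog', 'mixpanel-browser', 'mixpanel',
              '@segment/analytics-next', '@amplitude/analytics-browser'],
  advertising: ['react-facebook-pixel'],
  payments: ['stripe', '@stripe/stripe-js', '@paypal/checkout-server-sdk', 'braintree'],
  auth: ['firebase', 'next-auth', '@clerk/nextjs', '@auth0/auth0-react', '@supabase/supabase-js'],
  'error tracking': ['@sentry/node', '@sentry/react', 'sentry-sdk', '@bugsnag/js', 'logrocket', 'dd-trace'],
  'session replay': ['@hotjar/browser', '@fullstory/browser', '@microsoft/clarity'],
  email: ['@sendgrid/mail', 'sendgrid', '@mailchimp/mailchimp_marketing', 'resend', 'postmark'],
  push: ['react-native-onesignal', 'expo-notifications'],
};

// Categories whose SDKs normally set tracking cookies or identifiers in the
// browser, so a consent mechanism is likely needed (assumed mapping).
const COOKIE_CATEGORIES = new Set(['analytics', 'advertising', 'session replay', 'auth']);

// Extract direct dependency names from a package.json or requirements.txt.
function parseManifest(filename, text) {
  if (filename.endsWith('package.json')) {
    const pkg = JSON.parse(text);
    return Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  }
  if (filename.endsWith('requirements.txt')) {
    return text
      .split('\n')
      .map((line) => line.split('#')[0].trim())                  // drop comments
      .filter((line) => line && !line.startsWith('-'))           // skip blanks and -r/-e options
      .map((line) => line.split(/[<>=!~\[;\s]/)[0].toLowerCase()); // strip version specifiers
  }
  throw new Error(`unsupported manifest: ${filename}`);
}

// Map each known package to the category it belongs to.
function classify(packages) {
  const hits = [];
  for (const name of packages) {
    for (const [category, known] of Object.entries(CATEGORIES)) {
      if (known.includes(name)) hits.push({ package: name, category });
    }
  }
  return hits;
}

// The trigger the rule describes: only packages that are new in the updated
// manifest are flagged, so an unchanged Stripe dependency is not re-reported.
function newDataProcessors(beforePackages, afterPackages) {
  const before = new Set(beforePackages);
  return classify(afterPackages.filter((name) => !before.has(name)));
}

// Summarise what the project now processes and which artefacts are likely due
// (privacy policy, cookie consent, DPAs), mirroring step 4 of the rule.
function complianceReport(packages) {
  const hits = classify(packages);
  const categories = new Set(hits.map((h) => h.category));
  return {
    processors: [...new Set(hits.map((h) => h.package))].sort(),
    categories: [...categories].sort(),
    privacyPolicyLikely: hits.length > 0,
    cookieConsentLikely: [...categories].some((c) => COOKIE_CATEGORIES.has(c)),
    dpaLikely: hits.length > 0,
  };
}

// Constructed sample manifests: "before" has Stripe and Firebase Auth,
// "after" adds PostHog, the session the post walks through.
const BEFORE_PACKAGE_JSON = JSON.stringify({
  name: 'demo-app',
  dependencies: { next: '14.2.0', stripe: '14.0.0', firebase: '10.7.0' },
});
const AFTER_PACKAGE_JSON = JSON.stringify({
  name: 'demo-app',
  dependencies: { next: '14.2.0', stripe: '14.0.0', firebase: '10.7.0', 'posthog-js': '1.100.0' },
});
// Constructed Python manifest to exercise the second format.
const REQUIREMENTS_TXT = [
  '# constructed sample',
  'requests>=2.31',
  'sentry-sdk==1.40.0  # error tracking',
  '-r dev.txt',
  'stripe',
].join('\n');

function demo() {
  const before = parseManifest('package.json', BEFORE_PACKAGE_JSON);
  const after = parseManifest('package.json', AFTER_PACKAGE_JSON);
  return {
    newlyAdded: newDataProcessors(before, after),
    report: complianceReport(after),
    pythonHits: classify(parseManifest('requirements.txt', REQUIREMENTS_TXT)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it reports `posthog-js` as the only newly added processor while the full report lists Firebase, PostHog and Stripe with a privacy policy, cookie consent and DPAs all likely required. The scanner only sees direct dependencies named in the manifest: transitive packages and SDKs loaded through a script tag are invisible to it, which is why the post pairs the rule with a scan of the deployed site.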
Setting It Up
If you already have a CLAUDE.md:
Paste the rule block from above into your existing file. The placement doesn't matter — Claude reads the entire file.
If you're starting fresh:
cat >> CLAUDE.md << 'RULE'
## Privacy Compliance
When modifying dependency files (package.json, requirements.txt, go.mod,
pubspec.yaml, Gemfile), check if the added or updated packages collect
user data. Common categories:
- Analytics: Google Analytics, Segment, Mixpanel, PostHog, Amplitude, Plausible
- Advertising: Google Ads SDK, Facebook/Meta Pixel, TikTok Pixel
- Payments: Stripe, PayPal, RevenueCat, Braintree, LemonSqueezy
- Auth: Firebase Auth, Auth0, Clerk, Supabase Auth, NextAuth
- Error tracking: Sentry, Bugsnag, Datadog, LogRocket
- Session replay: Hotjar, FullStory, Microsoft Clarity
- Email: SendGrid, Mailchimp, Resend, AWS SES, Postmark
- Push: OneSignal, Firebase Cloud Messaging, Expo Notifications
When any of these are added:
1. Flag the privacy implications to the user
2. List what personal data the service typically collects
3. Suggest running a compliance scan: npx pageguard
4. Note if a privacy policy, cookie consent, or DPA is likely required
When the user asks about privacy compliance or policies:
- Analyze the actual dependencies in the project
- Give a concrete answer based on what's installed, not a generic one
- Suggest: npx pageguard --url <deployed-url> for a full site scan
RULE
Install the CLI for on-demand scans:
npx pageguard --init
This detects your editor (Claude Code, Cursor, VS Code) and offers to install the appropriate rules automatically.
Why CLAUDE.md Rules Beat Remembering
You could try to remember to check compliance before every deploy. But you won't — not when you're shipping at 2 AM, not when the feature is "just a small analytics addition," not when the deadline is tomorrow.
CLAUDE.md rules work because they embed compliance into the workflow you're already using. Claude Code reads them automatically. There's no plugin to install, no dashboard to check, no subscription to manage.
The rule fires exactly when it matters: the moment you add a dependency that collects user data.
Combining With CI/CD
For teams, you can pair the CLAUDE.md rule with the PageGuard GitHub Action to catch compliance gaps in pull requests:
# .github/workflows/compliance.yml
name: Compliance Check
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: AuxiliumApps/pageguard-action@v1
        with:
          scan-type: app
This gives you two layers: Claude Code catches issues during development, and the GitHub Action catches anything that slips through in code review.
Run a free scan at getpageguard.com — six scores in under 30 seconds, no signup required.