From cbcbe8a2cba98fa5cfed029e770c0237eccb8369 Mon Sep 17 00:00:00 2001 From: Brian Date: Sun, 5 Apr 2026 19:43:22 +0200 Subject: [PATCH 1/3] Add privacy policy content registration via wp_add_privacy_policy_content --- class-two-factor-core.php | 48 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/class-two-factor-core.php b/class-two-factor-core.php index d98cbfe6..46f1c7e5 100644 --- a/class-two-factor-core.php +++ b/class-two-factor-core.php @@ -136,6 +136,7 @@ public static function add_hooks( $compat ) { add_action( 'login_enqueue_scripts', array( __CLASS__, 'login_enqueue_scripts' ), 5 ); add_action( 'admin_init', array( __CLASS__, 'trigger_user_settings_action' ) ); + add_action( 'admin_init', array( __CLASS__, 'add_privacy_policy_content' ) ); add_filter( 'two_factor_providers', array( __CLASS__, 'enable_dummy_method_for_debug' ) ); // Add Settings link to plugin action links. @@ -2596,5 +2597,52 @@ public static function filter_session_information( $session, $user_id ) { return $session; } + + /** + * Adds suggested privacy policy text for the plugin. + * + * @since [version] + */ + public static function add_privacy_policy_content() { + if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) { + return; + } + + $content = + '

' + . __( 'The Two Factor plugin stores authentication data for your account on this website to verify your identity at login. No data is transmitted to third parties. The suggested text below covers what is stored, why, and for how long.', 'two-factor' ) + . '

' + + . '

' . __( 'Two-factor authentication data', 'two-factor' ) . '

' + . '

' + . __( 'To protect your account we store the following personal data:', 'two-factor' ) + . '

' + . '' + + . '

' . __( 'Who we share your data with', 'two-factor' ) . '

' + . '

' + . __( 'Two-factor authentication data is never shared with or transmitted to any third party. All data remains on this website.', 'two-factor' ) + . '

' + + . '

' . __( 'How long we retain your data', 'two-factor' ) . '

' + . '

' + . __( 'Authentication data (secret keys, backup codes, provider settings) is retained for as long as your user account exists. It is deleted automatically when your account is removed. You can also remove individual two-factor methods at any time from your profile page, which immediately deletes the associated data.', 'two-factor' ) + . '

' + + . '

' . __( 'What rights you have over your data', 'two-factor' ) . '

' + . '

' + . __( 'If you have an account on this site you can request an export of the personal data we hold about you, including all two-factor authentication data. You can also request that we erase any personal data we hold about you. This does not include data we are obliged to keep for administrative, legal, or security purposes.', 'two-factor' ) + . '

'; + + wp_add_privacy_policy_content( + 'Two Factor', + wp_kses_post( wpautop( $content, false ) ) + ); + } } From 4399693938085cec8e00bf1cb3adff573b2c1c93 Mon Sep 17 00:00:00 2001 From: Brian Date: Thu, 16 Apr 2026 21:27:41 +0200 Subject: [PATCH 2/3] add since versions --- class-two-factor-core.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/class-two-factor-core.php b/class-two-factor-core.php index 46f1c7e5..53f0d65c 100644 --- a/class-two-factor-core.php +++ b/class-two-factor-core.php @@ -425,7 +425,7 @@ private static function add_error( WP_Error $error ) { /** * Attach Two-Factor profile errors to WordPress core profile update errors. * - * @since NEXT + * @since 0.16.0 * * @param WP_Error $errors WP_Error object passed by core. * @@ -2601,7 +2601,7 @@ public static function filter_session_information( $session, $user_id ) { /** * Adds suggested privacy policy text for the plugin. * - * @since [version] + * @since 0.17.0 */ public static function add_privacy_policy_content() { if ( ! function_exists( 'wp_add_privacy_policy_content' ) ) { From 3dff9dee682fc47ba8f46c7e5badabcdb87b0e88 Mon Sep 17 00:00:00 2001 From: Brian Date: Sat, 18 Apr 2026 19:36:57 +0200 Subject: [PATCH 3/3] adjust per accurate feedback --- class-two-factor-core.php | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/class-two-factor-core.php b/class-two-factor-core.php index 53f0d65c..8ce0fb69 100644 --- a/class-two-factor-core.php +++ b/class-two-factor-core.php @@ -2618,7 +2618,7 @@ public static function add_privacy_policy_content() { . __( 'To protect your account we store the following personal data:', 'two-factor' ) . '
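Review bot: The intro string and the "Who we share your data with" paragraph in add_privacy_policy_content() state without qualification that no data is transmitted to any third party, yet the same text says the email provider sends a one-time passcode to the account address. That message leaves the site through whatever mail transport the site owner has configured, which may well be an external relay, so the plugin cannot make this promise on the site's behalf. I would scope both sentences to what the plugin itself does, for example `__( 'The Two Factor plugin does not send authentication data to any external service. One-time codes sent by email are delivered through the mail configuration of this website.', 'two-factor' )`. Since this is suggested policy text that site owners tend to paste unchanged, an overbroad claim here becomes their compliance problem.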

' . '
    ' - . '
  • ' . __( 'TOTP secret key – a unique cryptographic secret generated when you set up an authenticator app. It is stored encrypted in your user profile.', 'two-factor' ) . '
  • ' + . '
  • ' . __( 'TOTP secret key – a unique cryptographic secret generated when you set up an authenticator app. It is stored in your user profile.', 'two-factor' ) . '
  • ' . '
  • ' . __( 'Backup codes – a set of one-time-use codes you can store offline. Hashed copies are kept in your user profile until they are used or regenerated.', 'two-factor' ) . '
  • ' . '
  • ' . __( 'Email address – your account email is used to send a one-time passcode when the email provider is active. The code itself is not stored after the login attempt concludes.', 'two-factor' ) . '
  • ' . '
  • ' . __( 'Enabled providers list – a record of which two-factor methods you have activated (e.g. TOTP, email, backup codes) is stored in your user profile.', 'two-factor' ) . '
  • ' @@ -2631,12 +2631,7 @@ public static function add_privacy_policy_content() { . '
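Review bot: The neighbouring bullets left as context still make storage claims of the same kind as the "encrypted" wording removed here, and nothing in this series verifies them: "Hashed copies" for backup codes and "The code itself is not stored after the login attempt concludes" for the email passcode. If the email provider keeps a token (hashed or otherwise) in user meta until it is validated or expires, an abandoned login would leave it stored and the sentence overstates. I would soften it to something like `__( 'The code is stored only until it is used or expires.', 'two-factor' )`. The list also names only four items; if the plugin records anything else per user (for instance whatever filter_session_information() adds to the session record, assuming that is personal data), the policy should list it. Each bullet should be confirmed against the provider classes before this ships.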

    ' . __( 'How long we retain your data', 'two-factor' ) . '

    ' . '

    ' - . __( 'Authentication data (secret keys, backup codes, provider settings) is retained for as long as your user account exists. It is deleted automatically when your account is removed. You can also remove individual two-factor methods at any time from your profile page, which immediately deletes the associated data.', 'two-factor' ) - . '

    ' - - . '

    ' . __( 'What rights you have over your data', 'two-factor' ) . '

    ' - . '

    ' - . __( 'If you have an account on this site you can request an export of the personal data we hold about you, including all two-factor authentication data. You can also request that we erase any personal data we hold about you. This does not include data we are obliged to keep for administrative, legal, or security purposes.', 'two-factor' ) + . __( 'Authentication data (secret keys, backup codes, provider settings) is retained for as long as your user account exists. It is deleted automatically when your account is removed.', 'two-factor' ) . '

    '; wp_add_privacy_policy_content( @@ -2645,4 +2640,3 @@ public static function add_privacy_policy_content() { ); } } -