modified: web/app.py

modified:   web/templates/privacy_policy.html

web/app.py

@@ -118,7 +118,7 @@ def create_app() -> Flask:
         resp.headers.setdefault("X-Content-Type-Options", "nosniff")
         resp.headers.setdefault("X-Frame-Options", "DENY")
         resp.headers.setdefault("Referrer-Policy", "strict-origin-when-cross-origin")
-        resp.headers.setdefault("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; img-src 'self' data:; font-src 'self' https://cdn.jsdelivr.net; connect-src 'self'; frame-ancestors 'none';")
+        resp.headers.setdefault("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; img-src 'self' data: https://minotar.net; font-src 'self' https://cdn.jsdelivr.net; connect-src 'self'; frame-ancestors 'none';")
         return resp
 
     @app.route("/privacy-policy")
@@ -126,8 +126,9 @@ def create_app() -> Flask:
         from config import Config
         return render_template(
             "privacy_policy.html",
-            last_updated="April 14, 2026",
+            last_updated="April 15, 2026",
             invite_expiry_hours=Config.INVITE_EXPIRY_HOURS,
+            audit_retention_days=Config.AUDIT_LOG_RETENTION_DAYS,
         )
 
     @app.errorhandler(400)