Security: pametan/device-nuid

Security Policy

Reporting a vulnerability

Please report security issues privately to security@pametan.co rather than opening a public issue. We aim to acknowledge reports within 2 business days.

Relevant concerns include:

  • Consent bypass — any way collect()/send() gathers or transmits signals before consent is granted, or collects extended signals despite GPC/DNT.
  • Cross-site tracking vectors — the package must not enable correlation of a user across unrelated sites.
  • A signal probe that leaks or mishandles personal data, or an SSR path that unexpectedly touches window/navigator.

Use synthetic/example data in reports.

Privacy note

Device signals can be quasi-identifiers. This package is consent-gated by default and leaves identity minting to your backend. It is an engineering aid, not legal advice or a guarantee of compliance with privacy law.

Supported versions

The latest published minor version receives fixes. Until a 1.0 release, the API is stable but not yet frozen.

There aren't any published security advisories