====== GDPR ======

This document explains how GDPR actions currently work in InsightEngine from an operational perspective.

===== What Is In Place =====

  * Users can download their personal data.
  * Users can delete their account with identity anonymisation.
  * Organization admins can anonymise individual survey participants.
  * Analytics tracking is only enabled after explicit cookie consent.
  * GDPR-sensitive actions are recorded in audit history.

===== Right of Access (Data Export) =====

Users can request and download a copy of their personal data from Settings.

Current export includes:

  * profile details
  * memberships
  * survey response records linked to the user
  * access and activity log records related to the user

Outcome:

  * the user receives a downloadable data file for portability and review.

===== Right to Erasure (User Account Deletion) =====

Registered users can delete their own account from Settings after password confirmation.

When this happens:

  * personally identifying profile fields are anonymised
  * direct account access is removed
  * active relationships tied to the account are removed
  * historical records needed for accountability are retained in anonymised form
  * an erasure event is recorded in audit history

Outcome:

  * identity is removed while compliance and aggregate reporting continuity are preserved.

===== Participant Erasure (Organization Admin Action) =====

Organization owners and super admins can anonymise a participant record.

When this happens:

  * participant names are replaced with anonymised values
  * the record is marked as erased for active participant views
  * an erasure event is written to audit history with actor and context details

Outcome:

  * participant identity is removed from normal operational views while non-identifying analysis can remain available.

===== Analytics and Cookie Consent =====

Analytics tracking is consent-gated.

Behaviour:

  * users are presented with an explicit accept/reject choice
  * analytics runs only after acceptance
  * if consent is rejected or not given, analytics does not initialise

Outcome:

  * tracking aligns with consent requirements.

===== Audit and Accountability =====

GDPR-relevant actions are auditable.

Recorded events include:

  * who performed the action
  * what type of action occurred (including erasure)
  * when it occurred
  * route and client context needed for compliance review

Outcome:

  * privacy actions can be evidenced during internal review or external audit.

===== Data Retention Position =====

The current approach uses anonymisation for erasure flows rather than full destruction of historical records in every case.

Rationale:

  * protect data subject identity
  * preserve compliance traceability
  * preserve aggregate analytics integrity

===== Operational Notes for Handover =====

  * Erasure actions are irreversible in practical terms for personal identity.
  * Access to participant erasure is restricted to authorised roles.
  * Data export and account deletion are user-initiated self-service actions.
  * Audit records are central to demonstrating GDPR accountability.