legal: implement automated deletion-on-offboarding (or rewrite privacy claims) #175

Open
opened 2026-05-14 15:57:00 +00:00 by chihlasm · 0 comments
Owner

**Source:** `/legal/attorney-review-checklist.md` item A1.

**Problem.** Today, `DELETE /accounts/me` ([accounts.py:524-567](https://gitea.resolutionflow.com/chihlasm/resolutionflow/src/branch/main/backend/app/api/endpoints/accounts.py#L524-L567)) only:

- Sets `users.deleted_at` (soft-delete of the owner user)
- Revokes the user's refresh tokens
- Writes an audit-log entry

The account row, audit logs, `ai_sessions` + conversation transcripts + ticket snapshots, `sessions` (legacy), `session_branches`, `session_handoffs`, `escalation_package*`, `resolution_note_*`, `file_uploads` rows + Railway Object Storage objects, `assistant_chat` (unless covered by 90d/100-cap retention), `ai_usage`, `sales_leads`, `beta_feedback`, `notifications`, `stripe_events`, etc. are **not** automatically purged.

**Why it matters.** The generated Privacy Policy §6 and DPA §6.2 imply Customer Data is deleted after termination. The code does not enforce this. GDPR Art. 5(1)(e) storage-limitation and CCPA service-provider obligations require action.

**Two acceptable paths:**

1. **Build the deletion job** (recommended). Scheduled task that, on owner-initiated account deletion (or after a 30-day grace period), purges all account-scoped rows + Object Storage objects. Should also clean up:
   - `audit_logs` older than 12 months (security-baseline retention)
   - `refresh_tokens` where `expires_at < now()` or `revoked_at IS NOT NULL`
   - `email_verification_tokens` / `password_reset_tokens` past expiry/use
2. **Rewrite the language** in privacy-policy.md §6 + dpa.md §6.2 to describe the actual behavior (deletion-on-request, with a stated SLA the team can hit manually).

**Acceptance criteria.**

- [ ] Decision recorded: build vs. rewrite
- [ ] If build: scheduled job purges account-scoped data + Object Storage objects after the export window; deletion is idempotent and logged
- [ ] Token-table cleanup job in place
- [ ] `/legal/implementation-verification.md` rows for these claims flip from ❌ → ✅

**Blocker for:** publishing legal docs (Privacy Policy + DPA) to resolutionflow.com.

**Companion files:**

- `/legal/attorney-review-checklist.md` (item A1, §C table)
- `/legal/implementation-verification.md` (retention/deletion rows)
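An added example, not the project's own code, of the job shape sketched in path 1: an idempotent purge of accounts whose soft-delete is past the 30-day grace period, followed by the refresh-token and audit-log retention pass. It runs against an in-memory SQLite subset of the tables named above; the `delete_object` callable stands in for the Railway Object Storage client and is an assumption, and the returned counts are what the job's log entry would record.

```python
import sqlite3
from datetime import timedelta
GRACE_DAYS = 30             # grace period named in the issue
AUDIT_RETENTION_DAYS = 365  # "audit_logs older than 12 months"
ACCOUNT_SCOPED = ("ai_sessions", "file_uploads")  # fixed tuple, so the f-string below is safe

def open_db():
    """Constructed sample schema: a small subset of the tables the issue lists."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, deleted_at TEXT);
        CREATE TABLE ai_sessions(id INTEGER PRIMARY KEY, user_id INTEGER);
        CREATE TABLE file_uploads(id INTEGER PRIMARY KEY, user_id INTEGER, object_key TEXT);
        CREATE TABLE refresh_tokens(id INTEGER PRIMARY KEY, user_id INTEGER,
                                    expires_at TEXT, revoked_at TEXT);
        CREATE TABLE audit_logs(id INTEGER PRIMARY KEY, user_id INTEGER,
                                action TEXT, created_at TEXT);""")
    return db

def purge_expired_accounts(db, delete_object, now):
    """Hard-delete accounts soft-deleted more than GRACE_DAYS ago.
    delete_object(key) is a hypothetical Object Storage client call.
    Returns counts for the job log; a re-run with nothing left yields zeros."""
    cutoff = (now - timedelta(days=GRACE_DAYS)).isoformat()
    ids = [r[0] for r in db.execute(
        "SELECT id FROM users WHERE deleted_at IS NOT NULL AND deleted_at < ?", (cutoff,))]
    counts = {"users": 0, "objects": 0, **{t: 0 for t in ACCOUNT_SCOPED}}
    for uid in ids:
        # Storage objects go first: if a delete fails, the rows stay and the next run retries.
        for (key,) in db.execute("SELECT object_key FROM file_uploads WHERE user_id=?", (uid,)):
            delete_object(key)
            counts["objects"] += 1
        for table in ACCOUNT_SCOPED:
            counts[table] += db.execute(f"DELETE FROM {table} WHERE user_id=?", (uid,)).rowcount
        db.execute("DELETE FROM refresh_tokens WHERE user_id=?", (uid,))
        counts["users"] += db.execute("DELETE FROM users WHERE id=?", (uid,)).rowcount
        # Log the purge by user id only; no personal data goes into the retained log row.
        db.execute("INSERT INTO audit_logs(user_id, action, created_at) VALUES (?,?,?)",
                   (uid, "account.purged", now.isoformat()))
    db.commit()
    return counts

def cleanup_tokens_and_logs(db, now):
    """Token-table and audit-log retention pass from the issue's checklist."""
    tokens = db.execute("DELETE FROM refresh_tokens WHERE expires_at < ? OR revoked_at IS NOT NULL",
                        (now.isoformat(),)).rowcount
    logs = db.execute("DELETE FROM audit_logs WHERE created_at < ?",
                      ((now - timedelta(days=AUDIT_RETENTION_DAYS)).isoformat(),)).rowcount
    db.commit()
    return {"refresh_tokens": tokens, "audit_logs": logs}
```

Timestamps are stored as ISO-8601 text so the `<` comparisons in SQLite are correct as long as every writer uses the same format; in Postgres the columns would be `timestamptz` and the comparisons unchanged.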