# Data privacy and user controls

## Overview
PetFolio handles sensitive information - pet health conditions, medication routines, emergency contacts, daily schedules, and home details. Users trust PetFolio with data they wouldn't post publicly. The platform must respect that trust through transparent data practices and user control.
## Regulatory context
PetFolio must comply with UK GDPR (as the MVP targets UK users only). ADR-001 covers technical GDPR considerations (data minimisation, encryption, lawful basis). This document focuses on the user-facing aspects.
## MVP approach
For MVP, there is no user-facing privacy dashboard. Users cannot self-serve data export, access logs, or consent management. However, the backend must be capable of fulfilling any legal request.
| Capability | User self-service (MVP) | Backend capability (MVP) |
|---|---|---|
| Data export (right to portability) | No | Yes - must be able to extract all data for a user on request |
| Data deletion (right to erasure) | Via account closure flow | Yes - account closure process handles this |
| Access log (who viewed my data) | No | Yes - must be logged for legal compliance |
| Consent management | Consent captured at sign-up | Yes - consent timestamp and version recorded |
| Activity log (profile changes) | Yes | Yes |
## Activity log (MVP)
The activity log is user-facing in MVP. It captures changes that help users understand what happened and when.
What the activity log records:
| Category | Events logged |
|---|---|
| Animal profile changes | Field updated, section added/removed, Top Tip flagged/unflagged, status changed. Includes what changed, when, and by whom. |
| Account profile changes | Contact details updated, emergency contacts changed, recovery email updated. |
| Sharing activity | Share created, share revoked, share expired, invitation sent, invitation accepted. |
Who can see the activity log:
| Account type | Who sees it |
|---|---|
| Personal | The account holder |
| Professional | Owner/Admin (full log for the organisation) |
What the activity log does not record (MVP):
- Who viewed a profile (access log) - backend only
- Failed login attempts - backend only
- Export/download of the log itself - future
## Consent at sign-up
Users must consent to the following at account creation:
- Terms of service - what PetFolio is and how it works
- Privacy policy - what data is collected, how it is used, and who it is shared with
- Cookie policy - if applicable for web
Consent must be:
- Explicit - not pre-ticked checkboxes
- Recorded - timestamp and version of the policy agreed to
- Withdrawable - users can withdraw consent, which triggers account closure
## Data subject rights
PetFolio must be able to fulfil these rights when requested through support:
| Right | How PetFolio handles it |
|---|---|
| Right to access (Article 15) | Export all data held about the user in a machine-readable format (JSON). Must include profile data, animal data, sharing history, and activity log. |
| Right to erasure (Article 17) | Account closure process handles this. All user data, animal profiles, and sharing history are removed after the 30-day grace period. |
| Right to portability (Article 20) | Same as right to access - data export in JSON format. |
| Right to rectification (Article 16) | Users can edit their own profile and animal data at any time. For data they cannot edit (e.g., activity log entries), support can correct errors. |
| Right to restrict processing (Article 18) | Account can be set to read-only (similar to the inactive state) while a dispute is resolved. |
| Data breach notification (Article 33) | Must notify authorities within 72 hours. Must notify affected users without undue delay. |
## Data retention
| Data | Retained until | Notes |
|---|---|---|
| Active account data | Account closure + 30-day grace period | User controls this via account closure |
| Inactive account data | 30 days after inactive notification, then closed + 30-day grace | System-triggered based on inactivity period |
| Archived animal profiles | Indefinitely while account is active | Read-only, retained as a record |
| Sharing history | Same as account data | Removed when account is removed |
| Activity log | Same as account data | Removed when account is removed |
| Consent records | Retained independently of account for legal compliance | Even after account deletion, the record that consent was given/withdrawn is retained |
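The backend capabilities the tables above require (JSON export covering profile, animals, sharing history and activity log; erasure only after the 30-day grace period; consent records with version and timestamp that outlive the account; activity log entries recording what changed, when and by whom) as an added example, not PetFolio's own code. The in-memory store, record fields and user ids are assumptions.

```python
from datetime import datetime, timedelta
import json
GRACE_PERIOD = timedelta(days=30)  # grace period from the data retention table

def new_store():
    """Constructed in-memory stand-in for the backend (not PetFolio's real schema); every row carries its owner's user_id."""
    return {"profiles": {}, "animals": [], "shares": [], "activity_log": [],
            "consents": [], "closures": {}}  # consents outlive the account; closures: user_id -> datetime requested

def log_event(store, user_id, event, actor, at):
    """Activity log entry: what changed, when, and by whom."""
    store["activity_log"].append({"user_id": user_id, "event": event, "actor": actor, "at": at.isoformat()})

def export_user_data(store, user_id):
    """Right to access / portability: everything held about the user as one JSON document."""
    mine = lambda rows: [r for r in rows if r["user_id"] == user_id]
    return json.dumps({"profile": store["profiles"].get(user_id), "animals": mine(store["animals"]),
                       "sharing_history": mine(store["shares"]), "activity_log": mine(store["activity_log"])})

def close_account(store, user_id, now):
    """Start the 30-day grace period; nothing is removed until purge_expired_closures runs."""
    store["closures"][user_id] = now
    log_event(store, user_id, "account closure requested", user_id, now)

def purge_expired_closures(store, now):
    """Right to erasure: drop all of the user's data once the grace period has passed, keeping only consent records."""
    purged = []
    for user_id, closed_at in list(store["closures"].items()):
        if now - closed_at < GRACE_PERIOD:
            continue  # still inside the grace period
        store["profiles"].pop(user_id, None)
        for table in ("animals", "shares", "activity_log"):
            store[table] = [r for r in store[table] if r["user_id"] != user_id]
        del store["closures"][user_id]
        purged.append(user_id)
    return purged

def demo():
    """Constructed sample: one user with one animal and one share, then closure and purge."""
    s = new_store()
    s["profiles"]["u1"] = {"name": "Sample Owner", "email": "owner@example.com"}
    s["consents"].append({"user_id": "u1", "policy_version": "1.0", "at": "2024-12-01T09:00:00"})
    s["animals"].append({"user_id": "u1", "name": "Biscuit", "medication": "daily tablet"})
    s["shares"].append({"user_id": "u1", "recipient": "u2", "status": "revoked"})
    log_event(s, "u1", "animal profile: medication updated", "u1", datetime(2024, 12, 2))
    export = json.loads(export_user_data(s, "u1"))
    close_account(s, "u1", datetime(2025, 1, 1))
    early = purge_expired_closures(s, datetime(2025, 1, 20))  # day 19: nothing removed yet
    late = purge_expired_closures(s, datetime(2025, 1, 31))   # day 30: grace period elapsed
    return {"export": export, "early": early, "late": late, "profile_left": "u1" in s["profiles"], "consents_left": len(s["consents"])}
```

Running `demo()` shows the export taken before closure still holding all four sections, an early purge removing nothing, and the day-30 purge removing everything but the consent record.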
## Third-party data sharing
For MVP, PetFolio does not share data with any third party except:
- OAuth providers (Google) - only for authentication. PetFolio receives name and email; it does not send pet data to Google.
- Share recipients - other PetFolio users to whom the owner has explicitly granted access. This is user-initiated, not platform-initiated.
No data is sold, no analytics data is shared with third parties, and no advertising networks have access.
## Requirement highlights

### MVP
- Consent captured at sign-up (explicit, timestamped, versioned)
- Activity log visible to account holders (profile changes, account changes, sharing activity)
- Backend capable of fulfilling all GDPR rights (data export, erasure, access logs) through support
- Account closure process removes all data after 30-day grace period
- No third-party data sharing beyond OAuth and user-initiated shares
- Data structured for extractability and deletability from day one
### Future
- Self-service data export ("download my data")
- Self-service access log ("who has viewed my profile")
- Self-service consent management (view and update consent preferences)
- Privacy dashboard consolidating all controls in one place
- Cookie consent management (if web-based)
- Automated data breach notification system