Account and user management - MVP

Account types

Personal account

A Personal account represents an individual managing their own pets.

Account profile:

  • Name
  • Email address (from OAuth)
  • Phone number
  • Emergency contacts (name, relationship, phone number)

Access model:

  • One person per account
  • Animals belong to the account holder
  • Household members and family get access via Profile Sharing (permanent or temporary shares)
  • The account holder controls all sharing

Professional account

A Professional account represents an organisation managing animals at scale.

Organisation profile:

  • Organisation name
  • Organisation type (vet, groomer, boarding, pet sitter, trainer, breeder, rehoming centre, other)
  • Contact details (email, phone number, address)

Staff roles (MVP - Option A):

In MVP, the Owner and Admin roles are combined into a single Owner/Admin role. This will be split into two distinct roles (Owner and Admin) in Option B, allowing multiple people to manage staff without full owner-level control.

Role        | Animal profiles      | Staff management             | Sharing           | Account settings
------------|----------------------|------------------------------|-------------------|-----------------
Owner/Admin | Create, edit, delete | Invite, remove, change roles | Create and manage | Full control
Editor      | Create, edit, delete | No                           | Create and manage | No
Viewer      | View only            | No                           | No                | No

  • One Owner/Admin per account (the person who created it)
  • Multiple Editors and Viewers
  • Owner/Admin can promote Viewers to Editors and demote Editors to Viewers
  • New staff members join as Viewers by default

Access model:

  • Animals belong to the organisation, not to any individual
  • All staff (regardless of role) can view all animals on the account
  • Editors and Owner/Admin can create and edit animal profiles
  • When a staff member is removed, all their access is revoked immediately
  • External sharing (with adopters, pet owners, other organisations) works via Profile Sharing

Authentication

  • OAuth only - no passwords stored. Google sign-in first, with Microsoft and Facebook as future additions.
  • Account type selection at sign-up - Personal or Professional
  • Recovery email captured at sign-up (strongly encouraged). Used solely for account recovery if the user loses access to their OAuth provider. Framed as: "If you lose access to your Google account, we'll use this to verify it's you and restore access."
  • Cross-account membership - a single person can have both a Personal account and be a staff member on a Professional account using the same email address. See Platform and user interaction.

Account lifecycle

Accounts follow a lifecycle to ensure data is never orphaned and users have time to act before data is removed.

Account states

State    | Trigger                                                              | What happens
---------|----------------------------------------------------------------------|------------------------------------------------------------------------
Active   | Account created or reactivated                                       | Full access, normal operation
Inactive | No activity for a defined period (system-triggered)                  | User notified. 30 days to reactivate before the account moves to Closed
Closed   | Manual closure request, or 30 days after Inactive with no response   | 30 day grace period to change their mind. After 30 days, data is removed

Personal account closure

  1. User requests account closure
  2. If the account has animal profiles with active shares (permanent or temporary):
    • User is prompted to transfer or archive each shared animal before closure can proceed
    • Unshared animals can be transferred, archived, or deleted
  3. Once all animals are resolved, the account enters Closed state
  4. 30 day grace period - user can reactivate during this window
  5. After 30 days, data is permanently removed

Professional account closure

Professional account closure has a higher blast radius - it affects all staff and all organisational animals.

  1. Owner/Admin requests account closure
  2. The account must be empty before closure is allowed:
    • All staff members must be removed first
    • All animals must be transferred, archived, or deleted
  3. Only once the account is empty can the Owner/Admin proceed with closure
  4. Account enters Closed state with 30 day grace period
  5. After 30 days, data is permanently removed

This approach forces the Owner to deliberately confront the consequences. An impulsive or accidental closure is blocked by the requirement to resolve every animal and remove every staff member first.
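The staff role matrix, the Viewer-by-default and immediate-revocation rules, and the closure preconditions for both account types can be expressed as one small authorisation model. The code below is an added illustration, not part of this spec or any implementation; the Account/Role types, the action names (for example "animal:edit") and the user ids are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

class Role(Enum):
    OWNER_ADMIN = "owner_admin"
    EDITOR = "editor"
    VIEWER = "viewer"

# Staff role matrix from the spec. Any (role, action) pair not listed is denied,
# so a newly added action is closed to everyone until it is explicitly granted.
PERMISSIONS = {
    Role.OWNER_ADMIN: {"animal:create", "animal:edit", "animal:delete", "animal:view",
                       "staff:invite", "staff:remove", "staff:change_role",
                       "share:manage", "settings:manage"},
    Role.EDITOR: {"animal:create", "animal:edit", "animal:delete", "animal:view",
                  "share:manage"},
    Role.VIEWER: {"animal:view"},
}

@dataclass
class Account:
    kind: str   # "personal" or "professional"
    owner: str  # account holder (Personal) or the single Owner/Admin (Professional)
    staff: dict = field(default_factory=dict)    # user id -> Role; Personal: owner only
    animals: dict = field(default_factory=dict)  # animal name -> number of live shares

    def __post_init__(self):
        self.staff.setdefault(self.owner, Role.OWNER_ADMIN)

def is_allowed(account, user_id, action):
    """Deny by default: unknown users and removed staff get nothing."""
    role = account.staff.get(user_id)
    return role is not None and action in PERMISSIONS[role]

def add_staff(account, user_id):
    account.staff[user_id] = Role.VIEWER  # new staff join as Viewers (least privilege)

def remove_staff(account, user_id):
    account.staff.pop(user_id, None)  # revocation is immediate: no role, no access

def closure_blockers(account):
    """Reasons closure cannot proceed yet; an empty list means it may."""
    blockers = []
    if account.kind == "professional":  # only the requesting Owner/Admin may remain
        blockers += [f"remove staff member {u}" for u in account.staff if u != account.owner]
    for name, shares in account.animals.items():  # never orphan data: resolve every animal
        options = "transfer or archive" if shares else "transfer, archive, or delete"
        blockers.append(f"{options} animal {name}")
    return blockers
```

A closure request would call closure_blockers first and refuse to change state while the list is non-empty, which is what makes an accidental closure impossible.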

Account recovery

  • Primary path: recovery email. User triggers a recovery flow via their recovery email address to regain access after losing their OAuth provider.
  • Fallback path: support-assisted recovery, for cases where the recovery email is also lost. It requires identity verification, may take time, and is not guaranteed. This is documented honestly at sign-up to encourage users to set a recovery email.

Key principles

  • One account per person for Personal accounts - sharing handles household collaboration
  • One account per organisation for Professional accounts - membership handles staff access
  • Cross-account membership - a person can hold a Personal account and be a member of a Professional account with the same email
  • Animals belong to accounts, not individuals - this is critical for Professional accounts where staff turnover should not affect animal records
  • Least privilege by default - new staff join as Viewers, not Editors
  • Account type captured at sign-up - enables analytics segmentation and future feature divergence even though MVP features are identical across types
  • Never orphan data - account closure requires all animals to be resolved (transferred, archived, or deleted) before proceeding