cocottetech/@platform/codebase/@features/ai-copilot/docs/data-export-erasure.screen.md
natalie 1b719e1fd7 chore(bootstrap): initial V4 commit
Clean successor to V3 (forge: lilith/atlilith). Seeded from local Mac
working tree at ~/Code/@projects/@cocottetech/. node_modules and build
artifacts excluded via .gitignore.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 08:11:41 -07:00


# data-export-erasure.screen

GDPR-compliant data export + erasure interface. Implements brief V. Reached from settings-root.screen.md S8 Privacy category. Voice: plain — legal-shaped surface, no metaphor.

## Layout (full-screen sheet)

```
┌─────────────────────────────────────────────────┐
│ ◄ Privacy                               Done    │ 56pt
├─────────────────────────────────────────────────┤
│                                                 │
│  Your data on CocotteAI                          │
│  3.4 GB across 17 categories                    │   live size estimate
│                                                 │
│  ─── Export ───                                 │
│  Format: ● JSON  ○ CSV (where applicable)        │   format picker
│  Categories: [☑ all] · or pick:                  │
│  [☑ Engagement] [☑ Audit] [☑ Content plans]      │
│  [☑ Posts] [☑ Tour legs] [☑ Coop reports]        │
│  [☑ Personas] [☑ Settings] [☑ Specialists]       │
│  [☐ Encrypted attachments]                       │   opt-in (large)
│                                                 │
│  Encryption: ● Passphrase ○ None                 │   recommended on
│  ╭───────────────────────────────────────╮      │
│  │ ••••••••••                              │      │   passphrase input
│  ╰───────────────────────────────────────╯      │
│                                                 │
│  [ Generate export ]                             │
│                                                 │
│  ─── Past exports ───                            │
│  • 2026-05-10  full export · 2.8 GB             │
│    expires 2026-05-17 · [ Download ]             │
│                                                 │
│  ─── Erase ───                                  │
│  [ Erase a category → ]                          │   destructive flows
│  [ Erase everything (close account) → ]          │   account-close flow
│                                                 │
│  ⓘ Erasure is permanent. Audit rows tagged as   │
│    "subject erased on {date}" remain for legal  │
│    minimum but content is destroyed.            │
│                                                 │
└─────────────────────────────────────────────────┘
```

## Components

| Component | Notes |
|---|---|
| Top bar | Back to settings. |
| Size estimate | Live total across all 17 data categories. |
| Format picker | JSON (default, structured) or CSV (flat tables for spreadsheet review). |
| Category picker | Multi-select with all-or-pick. Encrypted attachments opt-in (large + slow). |
| Encryption | Passphrase-based (PBKDF2 → AES-GCM) recommended; passphrase shown only at generate-time, never stored. |
| Past exports | List of completed exports with expiry (7-day download window). |
| Erase actions | Two destructive flows; both require deep-confirmation. |

## States

  1. Default — full layout.
  2. Export generating — banner: "Working on your export. I'll notify you when ready (~5 min for 3 GB)."
  3. Export ready — push notification + this screen shows new row in past exports with [Download] CTA.
  4. Export failed — banner: "Couldn't complete export. Retry?"
  5. Export expired — past row shows "expired" tag; offers regenerate.
  6. Erasure pending (in-flight) — banner: "Erasing {category} — this may take up to an hour. You can leave this screen."
  7. Erasure complete — confirmation + audit row + email/notification receipt.
  8. Account-close confirmed — full takeover with countdown ("You can cancel for 7 days. Account will be erased 2026-05-25.").
  9. Account-close cancelled — small toast; resumes prior settings state.

## Interactions

  • Tap "Generate export" → confirm sheet showing categories + size estimate + encryption status. Generate; close.
  • Tap "Download" (past export) → in-app share sheet (save to Files, iCloud, AirDrop).
  • Tap "Erase a category" → category picker → 2-step confirmation per K kill-switch pattern (plain register, deliberate friction).
  • Tap "Erase everything" → 3-step confirmation, includes type-the-phrase challenge ("type: erase my CocotteAI account"). Audit row recorded. 7-day grace period with daily reminder.
  • Tap "Cancel pending erasure" (during 7-day grace) → reverses.
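The erase interactions above, together with the ⓘ note in the layout (audit rows tagged "subject erased on {date}" survive, content is destroyed), describe a small state machine: category erasure runs immediately, account close waits out a 7-day grace window during which it can be cancelled, and execution tombstones rather than deletes audit rows. The Go program below is an added example, not the project's code, that models that logic over constructed audit records; the `AuditRow` and `ErasureRequest` types, the `"*"` scope for account close and the function names are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// AuditRow is a constructed stand-in for the app's audit log records.
type AuditRow struct {
	ID        string
	Subject   string    // whose data the row is about
	Category  string    // e.g. "engagement", "posts"
	Action    string    // retained after erasure: the legal-minimum record that something happened
	Content   string    // destroyed on erasure
	At        time.Time
	Tombstone string    // empty until erased, then "subject erased on YYYY-MM-DD"
}

// ErasureRequest is one destructive flow: a category erasure (no grace period)
// or an account close (7-day grace, cancellable until it ends).
type ErasureRequest struct {
	Subject     string
	Category    string // "*" means everything, i.e. account close
	RequestedAt time.Time
	Grace       time.Duration
	cancelled   bool
	executed    bool
}

const AccountCloseGrace = 7 * 24 * time.Hour

func ScheduleErasure(subject, category string, now time.Time) *ErasureRequest {
	r := &ErasureRequest{Subject: subject, Category: category, RequestedAt: now}
	if category == "*" {
		r.Grace = AccountCloseGrace
	}
	return r
}

// EraseAt is the earliest instant Execute will succeed; the UI shows it as the countdown.
func (r *ErasureRequest) EraseAt() time.Time { return r.RequestedAt.Add(r.Grace) }

// Cancel reverses a pending request; only possible while the grace window is open.
func (r *ErasureRequest) Cancel(now time.Time) error {
	switch {
	case r.executed:
		return errors.New("erasure already executed; cannot cancel")
	case !now.Before(r.EraseAt()):
		return errors.New("grace period has ended")
	}
	r.cancelled = true
	return nil
}

// Execute tombstones the subject's rows in scope: Content is destroyed, the row
// itself (ID, Action, At) stays. Rows of other subjects or outside the category
// are untouched, and the input slice is never mutated.
func (r *ErasureRequest) Execute(now time.Time, rows []AuditRow) ([]AuditRow, error) {
	switch {
	case r.cancelled:
		return rows, errors.New("erasure was cancelled")
	case r.executed:
		return rows, errors.New("erasure already executed")
	case now.Before(r.EraseAt()):
		return rows, fmt.Errorf("grace period runs until %s", r.EraseAt().Format("2006-01-02"))
	}
	out := make([]AuditRow, len(rows))
	copy(out, rows)
	tag := "subject erased on " + now.Format("2006-01-02")
	for i := range out {
		if out[i].Subject == r.Subject && (r.Category == "*" || out[i].Category == r.Category) {
			out[i].Content = ""
			out[i].Tombstone = tag
		}
	}
	r.executed = true
	return out, nil
}

func main() {
	now := time.Date(2026, 5, 18, 0, 0, 0, 0, time.UTC) // constructed request date
	req := ScheduleErasure("quinn", "*", now)
	fmt.Println("account will be erased", req.EraseAt().Format("2006-01-02"))
	_, err := req.Execute(now.Add(48*time.Hour), nil)
	fmt.Println("early execute:", err)
}
```

Keeping `Action` and `At` while blanking `Content` is what lets the audit trail still answer "did an erasure happen, and when" without retaining the erased subject's content. The `executed` flag also makes the operation idempotent, which matters for the in-flight state: a retried job must not stamp a second, later date onto rows already tombstoned.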

## Edge cases

  • Coop reports in export — attribution preserved. If Quinn was anonymous in any coop, the export tags those as "anonymous-to-peers" with her own identity intact (her own data, after all).
  • Tour leg with co-traveler data (P5+) — co-traveler PII redacted in export (only Quinn's data).
  • Encrypted attachments included — each file is double-encrypted (original per-coop key + export passphrase). Quinn needs the relevant coop key to decrypt fully.
  • Partial erasure conflict — erasing "engagement events" while a thread is active warns: "5 active threads will be orphaned. Continue?"
  • Account-close with active tour leg — interrupts: "Your Berlin leg (Oct 37) is active. Close after the leg?"
  • Reduced motion / Dynamic Type XXL — pickers wrap.

## Out of scope

  • Re-import flow (data import from a prior export — defer).
  • Selective record erasure within a category (e.g. erase one specific audit row — defer; possibly never).
  • Multi-tenant org data inheritance during account close (W brief).