# data-export-erasure.screen
GDPR-compliant data export + erasure interface. Implements [brief V](./V-data-portability-erasure.brief.md). Reached from settings-root.screen.md S8 Privacy category. Voice: **plain** — legal-shaped surface, no metaphor.
## Layout (full-screen sheet)
```
┌─────────────────────────────────────────────────┐
│ ◄ Privacy                                  Done │ 56pt
├─────────────────────────────────────────────────┤
│                                                 │
│ Your data on CocotteAI                          │
│ 3.4 GB across 17 categories                     │ live size estimate
│                                                 │
│ ─── Export ───                                  │
│ Format: ● JSON  ○ CSV (where applicable)        │ format picker
│ Categories: [☑ all] · or pick:                  │
│ [☑ Engagement] [☑ Audit] [☑ Content plans]      │
│ [☑ Posts] [☑ Tour legs] [☑ Coop reports]        │
│ [☑ Personas] [☑ Settings] [☑ Specialists]       │
│ [☐ Encrypted attachments]                       │ opt-in (large)
│                                                 │
│ Encryption: ● Passphrase  ○ None                │ recommended on
│ ╭───────────────────────────────────────╮       │
│ │ ••••••••••                            │       │ passphrase input
│ ╰───────────────────────────────────────╯       │
│                                                 │
│ [ Generate export ]                             │
│                                                 │
│ ─── Past exports ───                            │
│ • 2026-05-10 full export · 2.8 GB               │
│   expires 2026-05-17 · [ Download ]             │
│                                                 │
│ ─── Erase ───                                   │
│ [ Erase a category → ]                          │ destructive flows
│ [ Erase everything (close account) → ]          │ account-close flow
│                                                 │
│ ⓘ Erasure is permanent. Audit rows tagged as    │
│   "subject erased on {date}" remain for legal   │
│   minimum but content is destroyed.             │
│                                                 │
└─────────────────────────────────────────────────┘
```
## Components

| Component | Notes |
|---|---|
| Top bar | Back to settings. |
| Size estimate | Live total across all 17 data categories. |
| Format picker | JSON (default, structured) or CSV (flat tables for spreadsheet review). |
| Category picker | Multi-select with all-or-pick. Encrypted attachments opt-in (large + slow). |
| Encryption | Passphrase-based (PBKDF2 → AES-GCM) recommended; passphrase shown only at generate-time, never stored. |
| Past exports | List of completed exports with expiry (7-day download window). |
| Erase actions | Two destructive flows; both require deep-confirmation. |

## States

1. **Default** — full layout.
2. **Export generating** — banner: "Working on your export. I'll notify you when ready (~5 min for 3 GB)."
3. **Export ready** — push notification + this screen shows new row in past exports with [Download] CTA.
4. **Export failed** — banner: "Couldn't complete export. Retry?"
5. **Export expired** — past row shows "expired" tag; offers regenerate.
6. **Erasure pending (in-flight)** — banner: "Erasing {category} — this may take up to an hour. You can leave this screen."
7. **Erasure complete** — confirmation + audit row + email/notification receipt.
8. **Account-close confirmed** — full takeover with countdown ("You can cancel for 7 days. Account will be erased 2026-05-25.").
9. **Account-close cancelled** — small toast; resumes prior settings state.

## Interactions

- **Tap "Generate export"** → confirm sheet showing categories + size estimate + encryption status. Generate; close.
- **Tap "Download"** (past export) → in-app share sheet (save to Files, iCloud, AirDrop).
- **Tap "Erase a category"** → category picker → 2-step confirmation per K kill-switch pattern (plain register, deliberate friction).
- **Tap "Erase everything"** → 3-step confirmation, includes type-the-phrase challenge ("type: erase my CocotteAI account"). Audit row recorded. 7-day grace period with daily reminder.
- **Tap "Cancel pending erasure"** (during 7-day grace) → reverses.
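
A model of the erasure rules this screen enforces, as an added example that is not the app's code: a category erasure over a constructed in-memory store that first surfaces the active threads it would orphan (the partial-erasure conflict from the edge cases), then destroys the category's content, keeps the subject's audit rows as "subject erased on {date}" tombstones, and records the erasure itself as an `agent_actions` row. The store shape, field names and helper names are assumptions.

```javascript
// Constructed sample store (not real data): one subject, rows in two categories.
function makeStore() {
  return {
    records: [
      { id: 'e1', subject: 'quinn', category: 'engagement', content: 'liked post 42', threadId: 't1' },
      { id: 'e2', subject: 'quinn', category: 'engagement', content: 'reply on t2', threadId: 't2' },
      { id: 'p1', subject: 'quinn', category: 'posts', content: 'hello Berlin' },
    ],
    threads: [{ id: 't1', active: true }, { id: 't2', active: false }],
    // Audit rows are retained for the legal minimum; only their content is destroyed.
    audit: [
      { id: 'a1', subject: 'quinn', category: 'engagement', content: 'liked post 42', erasedOn: null },
      { id: 'a2', subject: 'quinn', category: 'posts', content: 'hello Berlin', erasedOn: null },
    ],
    agentActions: [], // every export / erasure lands here (Brief I)
  };
}

// Partial-erasure conflict: active threads that would lose this subject's rows.
function orphanedActiveThreads(store, subject, category) {
  const touched = new Set(store.records
    .filter(r => r.subject === subject && r.category === category && r.threadId)
    .map(r => r.threadId));
  return store.threads.filter(t => t.active && touched.has(t.id)).map(t => t.id);
}

// Erase one category. Without confirmation the call only reports the conflict;
// with it, content rows are dropped, audit rows tombstoned, and the action logged.
function eraseCategory(store, subject, category, date, confirmed = false) {
  const orphaned = orphanedActiveThreads(store, subject, category);
  if (orphaned.length > 0 && !confirmed) {
    return { erased: false, orphanedThreads: orphaned }; // "N active threads will be orphaned. Continue?"
  }
  store.records = store.records.filter(r => !(r.subject === subject && r.category === category));
  let auditRowsKept = 0;
  for (const row of store.audit) {
    if (row.subject === subject && row.category === category) {
      row.content = null;   // content destroyed
      row.erasedOn = date;  // row survives, tagged "subject erased on {date}"
      auditRowsKept += 1;
    }
  }
  store.agentActions.push({ action: 'erasure', subject, category, date });
  return { erased: true, orphanedThreads: orphaned, auditRowsKept };
}

// Completeness check: nothing in the erased category still carries content.
function verifyErased(store, subject, category) {
  return ![...store.records, ...store.audit]
    .some(r => r.subject === subject && r.category === category && r.content != null);
}
```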
## Edge cases

- **Coop reports in export** — attribution preserved. If Quinn was anonymous in any coop, the export tags those as "anonymous-to-peers" with her own identity intact (her own data, after all).
- **Tour leg with co-traveler data** (P5+) — co-traveler PII redacted in export (only Quinn's data).
- **Encrypted attachments included** — each file is double-encrypted (original per-coop key + export passphrase). Quinn needs the relevant coop key to decrypt fully.
- **Partial erasure conflict** — erasing "engagement events" while a thread is active warns: "5 active threads will be orphaned. Continue?"
- **Account-close with active tour leg** — interrupts: "Your Berlin leg (Oct 3–7) is active. Close after the leg?"
- **Reduced motion / Dynamic Type XXL** — pickers wrap.
## Related

- [Brief V](./V-data-portability-erasure.brief.md) — parent.
- [Brief I](./I-audit-trust-replay.brief.md) — every export / erasure is an `agent_actions` row.
- [Brief N §N7](./N-provider-coop.brief.md) — coop attachment encryption interacts with export.
- [Brief K](./K-safety-blocklist.brief.md) — destructive-flow confirmation pattern.
- [settings-root.screen.md](./settings-root.screen.md) — entry point.
- [Brief S §S8](./S-settings-ia.brief.md) — settings category.

## Out of scope

- Re-import flow (data import from a prior export — defer).
- Selective record erasure within a category (e.g. erase one specific audit row — defer; possibly never).
- Multi-tenant org data inheritance during account close (W brief).