cocottetech/@platform/codebase/@features/ai-copilot/docs/data-export-erasure.screen.md

# data-export-erasure.screen
GDPR-compliant data export + erasure interface. Implements [brief V](./V-data-portability-erasure.brief.md). Reached from [settings-root.screen.md](./settings-root.screen.md) via the S8 Privacy category. Voice: **plain** — legal-shaped surface, no metaphor.
## Layout (full-screen sheet)
```
┌─────────────────────────────────────────────────┐
│ ◄ Privacy                                  Done │ 56pt
├─────────────────────────────────────────────────┤
│                                                 │
│ Your data on CocotteAI                          │
│ 3.4 GB across 17 categories                     │ live size estimate
│                                                 │
│ ─── Export ───                                  │
│ Format: ● JSON ○ CSV (where applicable)         │ format picker
│ Categories: [☑ all] · or pick:                  │
│ [☑ Engagement] [☑ Audit] [☑ Content plans]      │
│ [☑ Posts] [☑ Tour legs] [☑ Coop reports]        │
│ [☑ Personas] [☑ Settings] [☑ Specialists]       │
│ [☐ Encrypted attachments]                       │ opt-in (large)
│                                                 │
│ Encryption: ● Passphrase ○ None                 │ recommended on
│ ╭───────────────────────────────────────╮       │
│ │ ••••••••••                            │       │ passphrase input
│ ╰───────────────────────────────────────╯       │
│                                                 │
│ [ Generate export ]                             │
│                                                 │
│ ─── Past exports ───                            │
│ • 2026-05-10 full export · 2.8 GB               │
│   expires 2026-05-17 · [ Download ]             │
│                                                 │
│ ─── Erase ───                                   │
│ [ Erase a category → ]                          │ destructive flows
│ [ Erase everything (close account) → ]          │ account-close flow
│                                                 │
│ ⓘ Erasure is permanent. Audit rows tagged as    │
│   "subject erased on {date}" remain for legal   │
│   minimum but content is destroyed.             │
│                                                 │
└─────────────────────────────────────────────────┘
```
## Components
| Component | Notes |
|---|---|
| Top bar | Back to settings. |
| Size estimate | Live total across all 17 data categories. |
| Format picker | JSON (default, structured) or CSV (flat tables for spreadsheet review). |
| Category picker | Multi-select with all-or-pick. Encrypted attachments opt-in (large + slow). |
| Encryption | Passphrase-based (PBKDF2 → AES-GCM) recommended; passphrase shown only at generate-time, never stored. |
| Past exports | List of completed exports with expiry (7-day download window). |
| Erase actions | Two destructive flows; both require deep-confirmation. |
## States
1. **Default** — full layout.
2. **Export generating** — banner: "Working on your export. I'll notify you when ready (~5 min for 3 GB)."
3. **Export ready** — push notification + this screen shows new row in past exports with [Download] CTA.
4. **Export failed** — banner: "Couldn't complete export. Retry?"
5. **Export expired** — past row shows "expired" tag; offers regenerate.
6. **Erasure pending (in-flight)** — banner: "Erasing {category} — this may take up to an hour. You can leave this screen."
7. **Erasure complete** — confirmation + audit row + email/notification receipt.
8. **Account-close confirmed** — full takeover with countdown ("You can cancel for 7 days. Account will be erased 2026-05-25.").
9. **Account-close cancelled** — small toast; resumes prior settings state.
## Interactions
- **Tap "Generate export"** → confirm sheet showing categories + size estimate + encryption status. Generate; close.
- **Tap "Download"** (past export) → in-app share sheet (save to Files, iCloud, AirDrop).
- **Tap "Erase a category"** → category picker → 2-step confirmation per K kill-switch pattern (plain register, deliberate friction).
- **Tap "Erase everything"** → 3-step confirmation, includes type-the-phrase challenge ("type: erase my CocotteAI account"). Audit row recorded. 7-day grace period with daily reminder.
- **Tap "Cancel pending erasure"** (during 7-day grace) → reverses.
## Edge cases
- **Coop reports in export** — attribution preserved. If Quinn was anonymous in any coop, the export tags those as "anonymous-to-peers" with her own identity intact (her own data, after all).
- **Tour leg with co-traveler data** (P5+) — co-traveler PII redacted in export (only Quinn's data).
- **Encrypted attachments included** — each file is double-encrypted (original per-coop key + export passphrase). Quinn needs the relevant coop key to decrypt fully.
- **Partial erasure conflict** — erasing "engagement events" while a thread is active warns: "5 active threads will be orphaned. Continue?"
- **Account-close with active tour leg** — interrupts: "Your Berlin leg (Oct 37) is active. Close after the leg?"
- **Reduced motion / Dynamic Type XXL** — pickers wrap.
## Related
- [Brief V](./V-data-portability-erasure.brief.md) — parent.
- [Brief I](./I-audit-trust-replay.brief.md) — every export / erasure is an `agent_actions` row.
- [Brief N §N7](./N-provider-coop.brief.md) — coop attachment encryption interacts with export.
- [Brief K](./K-safety-blocklist.brief.md) — destructive-flow confirmation pattern.
- [settings-root.screen.md](./settings-root.screen.md) — entry point.
- [Brief S §S8](./S-settings-ia.brief.md) — settings category.
## Out of scope
- Re-import flow (data import from a prior export — defer).
- Selective record erasure within a category (e.g. erase one specific audit row — defer; possibly never).
- Multi-tenant org data inheritance during account close (W brief).