# data-export-erasure.screen

GDPR-compliant data export + erasure interface. Implements [brief V](./V-data-portability-erasure.brief.md). Reached from settings-root.screen.md S8 Privacy category.

Voice: **plain** — legal-shaped surface, no metaphor.

## Layout (full-screen sheet)

```
┌─────────────────────────────────────────────────┐
│ ◄ Privacy                               Done    │ 56pt
├─────────────────────────────────────────────────┤
│                                                 │
│ Your data on CocotteAI                          │
│ 3.4 GB across 17 categories                     │ live size estimate
│                                                 │
│ ─── Export ───                                  │
│ Format: ● JSON ○ CSV (where applicable)         │ format picker
│ Categories: [☑ all] · or pick:                  │
│ [☑ Engagement] [☑ Audit] [☑ Content plans]      │
│ [☑ Posts] [☑ Tour legs] [☑ Coop reports]        │
│ [☑ Personas] [☑ Settings] [☑ Specialists]       │
│ [☐ Encrypted attachments]                       │ opt-in (large)
│                                                 │
│ Encryption: ● Passphrase ○ None                 │ recommended on
│ ╭───────────────────────────────────────╮       │
│ │ ••••••••••                            │       │ passphrase input
│ ╰───────────────────────────────────────╯       │
│                                                 │
│ [ Generate export ]                             │
│                                                 │
│ ─── Past exports ───                            │
│ • 2026-05-10 full export · 2.8 GB               │
│   expires 2026-05-17 · [ Download ]             │
│                                                 │
│ ─── Erase ───                                   │
│ [ Erase a category → ]                          │ destructive flows
│ [ Erase everything (close account) → ]          │ account-close flow
│                                                 │
│ ⓘ Erasure is permanent. Audit rows tagged as    │
│   "subject erased on {date}" remain for legal   │
│   minimum but content is destroyed.             │
│                                                 │
└─────────────────────────────────────────────────┘
```

## Components

| Component | Notes |
|---|---|
| Top bar | Back to settings. |
| Size estimate | Live total across all 17 data categories. |
| Format picker | JSON (default, structured) or CSV (flat tables for spreadsheet review). |
| Category picker | Multi-select with all-or-pick. Encrypted attachments opt-in (large + slow). |
| Encryption | Passphrase-based (PBKDF2 → AES-GCM) recommended; passphrase shown only at generate-time, never stored. |
| Past exports | List of completed exports with expiry (7-day download window). |
| Erase actions | Two destructive flows; both require deep confirmation. |

## States

1. **Default** — full layout.
2. **Export generating** — banner: "Working on your export. I'll notify you when ready (~5 min for 3 GB)."
3. **Export ready** — push notification + this screen shows a new row in past exports with [Download] CTA.
4. **Export failed** — banner: "Couldn't complete export. Retry?"
5. **Export expired** — past row shows "expired" tag; offers regenerate.
6. **Erasure pending (in-flight)** — banner: "Erasing {category} — this may take up to an hour. You can leave this screen."
7. **Erasure complete** — confirmation + audit row + email/notification receipt.
8. **Account-close confirmed** — full takeover with countdown ("You can cancel for 7 days. Account will be erased 2026-05-25.").
9. **Account-close cancelled** — small toast; resumes prior settings state.

## Interactions

- **Tap "Generate export"** → confirm sheet showing categories + size estimate + encryption status. Generate; close.
- **Tap "Download"** (past export) → in-app share sheet (save to Files, iCloud, AirDrop).
- **Tap "Erase a category"** → category picker → 2-step confirmation per K kill-switch pattern (plain register, deliberate friction).
- **Tap "Erase everything"** → 3-step confirmation, includes type-the-phrase challenge ("type: erase my CocotteAI account"). Audit row recorded. 7-day grace period with daily reminder.
- **Tap "Cancel pending erasure"** (during 7-day grace) → reverses.

## Edge cases

- **Coop reports in export** — attribution preserved. If Quinn was anonymous in any coop, the export tags those as "anonymous-to-peers" with her own identity intact (her own data, after all).
- **Tour leg with co-traveler data** (P5+) — co-traveler PII redacted in export (only Quinn's data).
- **Encrypted attachments included** — each file is double-encrypted (original per-coop key + export passphrase). Quinn needs the relevant coop key to decrypt fully.
- **Partial erasure conflict** — erasing "engagement events" while a thread is active warns: "5 active threads will be orphaned. Continue?"
- **Account-close with active tour leg** — interrupts: "Your Berlin leg (Oct 3–7) is active. Close after the leg?"
- **Reduced motion / Dynamic Type XXL** — pickers wrap.

## Related

- [Brief V](./V-data-portability-erasure.brief.md) — parent.
- [Brief I](./I-audit-trust-replay.brief.md) — every export / erasure is an `agent_actions` row.
- [Brief N §N7](./N-provider-coop.brief.md) — coop attachment encryption interacts with export.
- [Brief K](./K-safety-blocklist.brief.md) — destructive-flow confirmation pattern.
- [settings-root.screen.md](./settings-root.screen.md) — entry point.
- [Brief S §S8](./S-settings-ia.brief.md) — settings category.

## Out of scope

- Re-import flow (data import from a prior export — defer).
- Selective record erasure within a category (e.g. erase one specific audit row — defer; possibly never).
- Multi-tenant org data inheritance during account close (W brief).