Clean successor to V3 (forge: lilith/atlilith). Seeded from local Mac working tree at ~/Code/@projects/@cocottetech/. node_modules and build artifacts excluded via .gitignore. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
6.4 KiB
data-export-erasure.screen
GDPR-compliant data export + erasure interface. Implements brief V. Reached from settings-root.screen.md S8 Privacy category. Voice: plain — legal-shaped surface, no metaphor.
Layout (full-screen sheet)
┌─────────────────────────────────────────────────┐
│ ◄ Privacy Done │ 56pt
├─────────────────────────────────────────────────┤
│ │
│ Your data on CocotteAI │
│ 3.4 GB across 17 categories │ live size estimate
│ │
│ ─── Export ─── │
│ Format: ● JSON ○ CSV (where applicable) │ format picker
│ Categories: [☑ all] · or pick: │
│ [☑ Engagement] [☑ Audit] [☑ Content plans] │
│ [☑ Posts] [☑ Tour legs] [☑ Coop reports] │
│ [☑ Personas] [☑ Settings] [☑ Specialists] │
│ [☐ Encrypted attachments] │ opt-in (large)
│ │
│ Encryption: ● Passphrase ○ None │ recommended on
│ ╭───────────────────────────────────────╮ │
│ │ •••••••••• │ │ passphrase input
│ ╰───────────────────────────────────────╯ │
│ │
│ [ Generate export ] │
│ │
│ ─── Past exports ─── │
│ • 2026-05-10 full export · 2.8 GB │
│ expires 2026-05-17 · [ Download ] │
│ │
│ ─── Erase ─── │
│ [ Erase a category → ] │ destructive flows
│ [ Erase everything (close account) → ] │ account-close flow
│ │
│ ⓘ Erasure is permanent. Audit rows tagged as │
│ "subject erased on {date}" remain for legal │
│ minimum but content is destroyed. │
│ │
└─────────────────────────────────────────────────┘
Components
| Component | Notes |
|---|---|
| Top bar | Back to settings. |
| Size estimate | Live total across all 17 data categories. |
| Format picker | JSON (default, structured) or CSV (flat tables for spreadsheet review). |
| Category picker | Multi-select with all-or-pick. Encrypted attachments opt-in (large + slow). |
| Encryption | Passphrase-based (PBKDF2 → AES-GCM) recommended; passphrase shown only at generate-time, never stored. |
| Past exports | List of completed exports with expiry (7-day download window). |
| Erase actions | Two destructive flows; both require deep-confirmation. |
States
- Default — full layout.
- Export generating — banner: "Working on your export. I'll notify you when ready (~5 min for 3 GB)."
- Export ready — push notification + this screen shows new row in past exports with [Download] CTA.
- Export failed — banner: "Couldn't complete export. Retry?"
- Export expired — past row shows "expired" tag; offers regenerate.
- Erasure pending (in-flight) — banner: "Erasing {category} — this may take up to an hour. You can leave this screen."
- Erasure complete — confirmation + audit row + email/notification receipt.
- Account-close confirmed — full takeover with countdown ("You can cancel for 7 days. Account will be erased 2026-05-25.").
- Account-close cancelled — small toast; resumes prior settings state.
Interactions
- Tap "Generate export" → confirm sheet showing categories + size estimate + encryption status. Generate; close.
- Tap "Download" (past export) → in-app share sheet (save to Files, iCloud, AirDrop).
- Tap "Erase a category" → category picker → 2-step confirmation per K kill-switch pattern (plain register, deliberate friction).
- Tap "Erase everything" → 3-step confirmation, includes type-the-phrase challenge ("type: erase my CocotteAI account"). Audit row recorded. 7-day grace period with daily reminder.
- Tap "Cancel pending erasure" (during 7-day grace) → reverses.
Edge cases
- Coop reports in export — attribution preserved. If Quinn was anonymous in any coop, the export tags those as "anonymous-to-peers" with her own identity intact (her own data, after all).
- Tour leg with co-traveler data (P5+) — co-traveler PII redacted in export (only Quinn's data).
- Encrypted attachments included — each file is double-encrypted (original per-coop key + export passphrase). Quinn needs the relevant coop key to decrypt fully.
- Partial erasure conflict — erasing "engagement events" while a thread is active warns: "5 active threads will be orphaned. Continue?"
- Account-close with active tour leg — interrupts: "Your Berlin leg (Oct 3–7) is active. Close after the leg?"
- Reduced motion / Dynamic Type XXL — pickers wrap.
Related
- Brief V — parent.
- Brief I — every export / erasure is an agent_actions row.
- Brief N §N7 — coop attachment encryption interacts with export.
- Brief K — destructive-flow confirmation pattern.
- settings-root.screen.md — entry point.
- Brief S §S8 — settings category.
Out of scope
- Re-import flow (data import from a prior export — defer).
- Selective record erasure within a category (e.g. erase one specific audit row — defer; possibly never).
- Multi-tenant org data inheritance during account close (W brief).