GDPR & Privacy

What is it?

Data protection compliance framework for EU users. Implements consent management, user rights (access, export, erasure), and privacy-by-design principles.

What is it for?

• Cookie consent management
• User data access and export
• Account deletion (right to erasure)
• AI data processing transparency
• Third-party vendor compliance

Why was it chosen?

Cookie categories:

Consent solutions:

Stack advantages:

Known limitations

Consent implementation:

• Must block scripts until consent (not just show banner)
• Consent must be as easy to revoke as grant
• "Reject all" must be as prominent as "Accept all"
• Consent state must persist across sessions

User rights:

• Export must include ALL user data
• Deletion must cascade through all tables
• Backups must eventually purge deleted data
• 30-day response deadline

AI data processing:

• Requires separate consent for AI features
• Must disclose providers in privacy policy
• Cannot store AI conversations indefinitely
• User can request AI history deletion

Third-party services:

• All vendors need DPAs (Data Processing Agreements)
• US-based services need SCCs (Standard Contractual Clauses)
• Must maintain vendor registry
• Regular compliance audits

Enforcement:

AI provider compliance:

Related

• ../../foundation/user-data.md - Data category definitions
• ../auth/better-auth.md - User data ownership
• notifications.md - Marketing consent
• ../ai/ai-sdk.md - AI data handling