Privacy Center
The Privacy Center provides tools for managing data subject access requests (DSARs), consent preferences, data retention policies, and privacy compliance. It supports GDPR, CCPA, and other privacy regulations by giving administrators visibility into personal data processing and user consent status.
Features
| Feature | Description |
|---|---|
| DSAR Management | Handle data subject access, deletion, and portability requests |
| Consent Dashboard | View and manage user consent preferences |
| Data Inventory | Map personal data across platform services |
| Retention Policies | Configure and enforce data retention rules |
| Privacy Impact | Track privacy impact assessments for new features |
| Compliance Reports | Generate compliance status reports |
Data Subject Requests
The DSAR workflow handles requests from data subjects under privacy regulations:
| Request Type | Regulation | SLA |
|---|---|---|
| Access (Right to Know) | GDPR Art. 15, CCPA | 30 days |
| Deletion (Right to Erasure) | GDPR Art. 17, CCPA | 30 days |
| Portability (Data Export) | GDPR Art. 20 | 30 days |
| Rectification (Correction) | GDPR Art. 16 | 30 days |
| Restriction | GDPR Art. 18 | 72 hours |
DSAR Workflow
- Submission: Data subject submits request through portal or email
- Verification: Identity verification before processing
- Assessment: Review scope and feasibility
- Processing: Execute across all relevant data stores
- Review: Administrator reviews results before delivery
- Delivery: Results delivered to data subject
- Documentation: Full audit trail recorded
Consent Management
| Consent Category | Purpose | Default |
|---|---|---|
| Essential | Platform functionality | Required (no opt-out) |
| Analytics | Usage analytics and improvement | Opt-in |
| Personalization | AI personalization and recommendations | Opt-in |
| Marketing | Marketing communications | Opt-in |
| Third-party | Data sharing with third parties | Opt-in |
Consent Status View
```typescript
interface UserConsent {
  user_id: string;
  consents: {
    category: string;
    granted: boolean;
    granted_at: string | null;
    version: string;
  }[];
  last_updated: string;
}
```

Data Retention Policies
| Data Type | Default Retention | Configurable | Auto-Delete |
|---|---|---|---|
| Session data | 90 days | Yes | Yes |
| Conversation history | 1 year | Yes | Yes |
| Audit logs | 7 years | Yes (min 90 days) | Yes |
| User profiles | Account lifetime | No | On deletion request |
| ML training data | 2 years | Yes | Yes |
| Analytics data | 1 year | Yes | Yes |
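The retention table above, encoded as an enforcement check. This is an added example, not Privacy Center code; it assumes a year is 365 days, that "Account lifetime" means kept until a deletion request, and that the `DataType` keys and the `StoredRecord` shape are hypothetical names chosen for the example.

```typescript
// Added example, not the Privacy Center's own code: encodes the retention table above.
// Assumptions: a year is counted as 365 days, and "Account lifetime" is modelled as null
// (kept until a deletion request), so such records are never picked up by auto-delete.
type DataType = "session" | "conversation" | "audit_log" | "user_profile" | "ml_training" | "analytics";
interface RetentionRule {
  defaultDays: number | null; // null = account lifetime
  configurable: boolean;
  minDays?: number;           // floor enforced when a tenant overrides the default
  autoDelete: boolean;
}

const RETENTION_RULES: Record<DataType, RetentionRule> = {
  session:      { defaultDays: 90,      configurable: true,  autoDelete: true },
  conversation: { defaultDays: 365,     configurable: true,  autoDelete: true },
  audit_log:    { defaultDays: 7 * 365, configurable: true,  minDays: 90, autoDelete: true },
  user_profile: { defaultDays: null,    configurable: false, autoDelete: false },
  ml_training:  { defaultDays: 2 * 365, configurable: true,  autoDelete: true },
  analytics:    { defaultDays: 365,     configurable: true,  autoDelete: true },
};
type Overrides = Partial<Record<DataType, number>>;

// Validates a tenant override before it is stored, so a misconfiguration cannot
// shorten audit logs below the 90-day floor or touch non-configurable types.
function setRetention(overrides: Overrides, type: DataType, days: number): Overrides {
  const rule = RETENTION_RULES[type];
  if (!rule.configurable) throw new Error(`${type} retention is not configurable`);
  if (!Number.isInteger(days) || days <= 0) throw new Error("retention must be a positive number of days");
  if (rule.minDays !== undefined && days < rule.minDays) {
    throw new Error(`${type} retention must be at least ${rule.minDays} days`);
  }
  const next: Overrides = { ...overrides };
  next[type] = days;
  return next;
}

function effectiveDays(type: DataType, overrides: Overrides): number | null {
  const o = overrides[type];
  return o !== undefined ? o : RETENTION_RULES[type].defaultDays;
}

interface StoredRecord { id: string; type: DataType; createdAt: string; } // createdAt is ISO-8601

// Ids of records past their retention window that the auto-delete job may remove.
function dueForDeletion(records: StoredRecord[], overrides: Overrides, now: Date): string[] {
  const MS_PER_DAY = 86400000;
  return records.filter((r) => {
    const days = effectiveDays(r.type, overrides);
    if (days === null || !RETENTION_RULES[r.type].autoDelete) return false;
    return now.getTime() - Date.parse(r.createdAt) > days * MS_PER_DAY;
  }).map((r) => r.id);
}
```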
Data Inventory
The data inventory maps where personal data is stored across platform services:
| Service | Personal Data | Storage | Encryption |
|---|---|---|---|
| IAM Service | Email, name, password hash | PostgreSQL | AES-256 |
| AI Service | Conversation history, preferences | PostgreSQL + Redis | AES-256 |
| ML Service | Feature data (if PII present) | PostgreSQL + Object Store | AES-256 |
| Audit Service | User actions, IP addresses | PostgreSQL | AES-256 |
| Analytics | Usage patterns, session data | ClickHouse | AES-256 |
Compliance Reports
Generate on-demand or scheduled compliance reports:
| Report | Contents | Format |
|---|---|---|
| DSAR Summary | Request counts, processing times, outcomes | PDF, CSV |
| Consent Status | Consent rates by category, opt-out trends | PDF, CSV |
| Retention Compliance | Data beyond retention policy, deletion queue | |
| Privacy Impact | Active PIAs, risk assessments | |
Access Control
| Action | Privacy Officer | Tenant Admin | User |
|---|---|---|---|
| View DSARs | All | Own tenant | Own requests |
| Process DSARs | All | Own tenant | No |
| View consents | All | Own tenant | Own only |
| Configure retention | Yes | No | No |
| Generate reports | Yes | Own tenant | No |