# 23. Data Export & Deletion Tools

meta:
  id: web-production-23
  feature: web-production
  priority: P2
  depends_on: []
  tags: [compliance, gdpr, privacy, production]

objective:
  - Implement user-facing data export and account deletion tools to comply with GDPR and CCPA requirements

deliverables:
  - Data export API and UI (/settings/data-export)
  - Account deletion API and UI (/settings/delete-account)
  - Data retention policy enforcement
  - Deletion confirmation and grace period

steps:
  1. Create data export functionality:
     - API endpoint: POST /api/trpc/user.exportData (authenticated; rate-limited so it cannot be used to hammer the DB)
     - Collect all user data: profile, alerts, exposures, subscriptions, family members
     - Never include credentials (password hashes, session tokens) or data belonging to other users
     - Format as JSON or another machine-readable format (GDPR Art. 20 portability)
     - Include metadata: export date, data categories
     - Email a short-lived download link tied to the requesting account, or provide a direct download
     - Fulfil within one month of the request (GDPR Art. 12(3) deadline for Art. 15 access requests; CCPA allows 45 days)
  2. Create account deletion:
     - UI in settings page with warning and confirmation
     - Require password re-entry for confirmation
     - API endpoint: POST /api/trpc/user.delete
     - Soft delete first: set deletedAt and block login; keep the data intact (anonymization happens at hard delete) so the account can be restored during the grace period
     - Hard delete after 30-day grace period
     - Cancel active subscriptions via Stripe
     - Remove from email lists
  3. Implement family data handling:
     - If family group owner: transfer ownership or delete group
     - If family member: remove from group
     - Notify family members of account deletion
  4. Add data retention policy:
     - Define retention periods per data type
     - Automated cleanup of deleted accounts after 30 days
     - Audit logs retained for 1 year
     - Backup deletion after retention period
  5. Add admin tools:
     - Admin endpoint to fulfill data export requests (admin role required; actor recorded in the audit log)
     - Admin endpoint to process deletion requests
     - Audit log of all export/deletion actions (actor, subject, timestamp, action; not the exported contents)

tests:
  - Unit: Test export includes all user data
  - Integration: Test deletion flow end-to-end
  - Compliance: Verify grace period and hard delete

acceptance_criteria:
  - Users can export all personal data from settings
  - Export includes: profile, alerts, exposures, watchlist, subscriptions, family data
  - Export delivered within 30 seconds for typical accounts; large exports run asynchronously and the user is notified when the file is ready
  - Account deletion requires password confirmation
  - Deleted accounts soft-deleted immediately, hard-deleted after 30 days
  - Active subscriptions cancelled on deletion
  - Family group handled correctly (ownership transfer)
  - Deletion audit log maintained
  - Data retention policy documented and enforced

validation:
  - Export data → JSON file contains all user data
  - Delete account → user marked deleted; logging in during the 30-day grace period offers restore
  - After 30 days → user data completely removed from DB
  - Check Stripe → subscription cancelled
  - Check audit log → deletion action recorded

notes:
  - Soft delete preserves referential integrity for family groups
  - Hard delete must cascade through all related tables
  - Consider GDPR Article 17 exceptions (Art. 17(3)(b), legal obligations)
  - Backup restoration may temporarily restore deleted data: keep a tombstone list of hard-deleted user IDs and re-run deletion after any restore from backup
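The soft-delete, restore, family-group and retention-cleanup logic from steps 2 to 4, as an added worked example; this is not the project's code. TypeScript is assumed because the endpoints are tRPC. The database, Stripe and email calls are replaced by in-memory stand-ins, the scrypt password hashing is an assumption (the spec does not say how passwords are stored), and every name (AccountService, runRetentionCleanup, detachFromFamilyGroups) is illustrative.

```typescript
// Added example, not the project's code. In-memory model of export, soft delete,
// restore, family-group handling and retention cleanup from the spec.
import { randomBytes, scryptSync, timingSafeEqual } from 'crypto';

export const GRACE_PERIOD_DAYS = 30;      // spec: hard delete after 30-day grace period
export const AUDIT_RETENTION_DAYS = 365;  // spec: audit logs retained for 1 year
export const DAY_MS = 24 * 60 * 60 * 1000;

export type Action = 'export' | 'soft_delete' | 'restore' | 'hard_delete';
export interface AuditEntry { at: Date; userId: string; action: Action }
export interface Subscription { id: string; status: 'active' | 'cancelled' }
export interface FamilyGroup { id: string; ownerId: string; memberIds: string[] } // owner is also a member
export interface User {
  id: string; email: string; passwordHash: string; deletedAt: Date | null;
  profile: Record<string, unknown>; alerts: string[]; exposures: string[];
  subscriptions: Subscription[]; familyMembers: string[];
}

// Assumed scheme: per-user salted scrypt with a constant-time compare for the re-entry check.
export function hashPassword(password: string, salt = randomBytes(16).toString('hex')): string {
  return `${salt}:${scryptSync(password, salt, 32).toString('hex')}`;
}
export function verifyPassword(password: string, stored: string): boolean {
  const [salt, hash] = stored.split(':');
  return timingSafeEqual(scryptSync(password, salt, 32), Buffer.from(hash, 'hex'));
}

export class AccountService {
  users = new Map<string, User>();
  groups: FamilyGroup[] = [];
  audit: AuditEntry[] = [];
  cancelledStripeSubs: string[] = [];  // stand-in for the Stripe cancellation call
  notifications: string[] = [];        // stand-in for "member:group" emails to family members
  private now: () => Date;             // injectable clock so the grace period is testable
  constructor(now: () => Date = () => new Date()) { this.now = now; }

  private get(userId: string): User {
    const u = this.users.get(userId);
    if (!u) throw new Error('no such user');
    return u;
  }

  // Export: every category the spec lists plus metadata. Credentials are never included.
  exportData(userId: string) {
    const u = this.get(userId);
    if (u.deletedAt) throw new Error('account is pending deletion');
    const data = { profile: u.profile, alerts: u.alerts, exposures: u.exposures,
                   subscriptions: u.subscriptions, familyMembers: u.familyMembers };
    this.audit.push({ at: this.now(), userId, action: 'export' });
    return { exportedAt: this.now().toISOString(), categories: Object.keys(data), data };
  }

  // Soft delete: password re-entry, deletedAt set (blocks login), active subscriptions
  // cancelled. Data is kept, not anonymized, so restore works inside the grace period.
  softDelete(userId: string, password: string): Date {
    const u = this.get(userId);
    if (u.deletedAt) throw new Error('already pending deletion');
    if (!verifyPassword(password, u.passwordHash)) throw new Error('password mismatch');
    u.deletedAt = this.now();
    for (const s of u.subscriptions) {
      if (s.status === 'active') { s.status = 'cancelled'; this.cancelledStripeSubs.push(s.id); }
    }
    this.audit.push({ at: u.deletedAt, userId, action: 'soft_delete' });
    return new Date(u.deletedAt.getTime() + GRACE_PERIOD_DAYS * DAY_MS); // scheduled hard delete
  }

  canLogin(userId: string): boolean { return this.get(userId).deletedAt === null; }

  // Restore is only possible while the grace period is still running (same boundary as cleanup).
  restore(userId: string): void {
    const u = this.get(userId);
    if (!u.deletedAt) throw new Error('account is not deleted');
    if (this.now().getTime() - u.deletedAt.getTime() >= GRACE_PERIOD_DAYS * DAY_MS)
      throw new Error('grace period expired');
    u.deletedAt = null;
    this.audit.push({ at: this.now(), userId, action: 'restore' });
  }

  // Family handling at hard delete: a member is removed, an owner hands the group to the
  // first remaining member, a group with nobody left is deleted, remaining members are notified.
  private detachFromFamilyGroups(userId: string): void {
    const kept: FamilyGroup[] = [];
    for (const g of this.groups) {
      if (g.memberIds.indexOf(userId) === -1) { kept.push(g); continue; }
      const remaining = g.memberIds.filter(m => m !== userId);
      for (const m of remaining) this.notifications.push(`${m}:${g.id}`);
      if (remaining.length > 0)
        kept.push({ ...g, ownerId: g.ownerId === userId ? remaining[0] : g.ownerId, memberIds: remaining });
    }
    this.groups = kept;
  }

  // Retention job: hard-delete accounts past the grace period (cascading through family
  // groups) and purge audit entries older than the audit retention period.
  runRetentionCleanup(): { hardDeleted: string[]; auditPurged: number } {
    const now = this.now().getTime();
    const hardDeleted: string[] = [];
    for (const u of Array.from(this.users.values())) {
      if (u.deletedAt && now - u.deletedAt.getTime() >= GRACE_PERIOD_DAYS * DAY_MS) {
        this.detachFromFamilyGroups(u.id);
        this.users.delete(u.id);
        hardDeleted.push(u.id);
        this.audit.push({ at: this.now(), userId: u.id, action: 'hard_delete' });
      }
    }
    const before = this.audit.length;
    this.audit = this.audit.filter(e => now - e.at.getTime() < AUDIT_RETENTION_DAYS * DAY_MS);
    return { hardDeleted, auditPurged: before - this.audit.length };
  }
}
```

softDelete returns the scheduled hard-delete time so the settings UI can show it, and restore and runRetentionCleanup use the same `>=` boundary, so an account is never both restorable and purgeable at the same instant. The hard_delete audit entry is written at cleanup time, which is what the "deletion action recorded" validation step checks for after the user row is gone.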