🏠 Overview ✅ Implementation Tasks ✅ epic-geographic-peer-mentor-map-consent-privacy-task-011

Document GDPR compliance evidence and consent audit trail

epic-geographic-peer-mentor-map-consent-privacy-task-011 — Produce developer documentation covering: the consent data model and its mapping to GDPR Articles 6 and 9, the audit log schema and retention policy, the revocation and deletion procedure including confirmation that no location data persists post-revocation, the consent version lifecycle, and the privacy policy link configuration per organisation. Documentation must be sufficient to support a GDPR audit by any of the three partner organisations.

high priority low complexity documentation pending documentor Tier 7

Acceptance Criteria

Document explicitly maps each consent data field to its legal basis under GDPR Article 6 (legitimate interest / explicit consent) and Article 9 (special category data) with a rationale for each mapping
Audit log schema is documented with all column names, types, retention period (minimum and maximum), and the automated deletion trigger or scheduled job reference
Revocation and deletion procedure is documented as a numbered step-by-step sequence, ending with a checkable assertion: 'after step N, querying mentor_locations for mentor_id X returns zero rows'
Consent version lifecycle is documented: how version numbers are assigned, what triggers a re-consent-required status, and how old version records are archived vs. deleted
Privacy policy link configuration is documented per organisation (NHF, Blindeforbundet, HLF) with the config key name, where it is stored (Supabase org_settings table or environment variable), and how to update it without a code deploy
Document is written in English and structured so a non-developer GDPR auditor can follow the data lifecycle section without reading code
Document includes a 'Data Minimisation' section confirming that only opted-in mentor coordinates are ever returned to callers
Document references the test file locations that verify each compliance claim (linking code evidence to legal requirement)

Technical Requirements

frameworks
Flutter
Supabase
apis
Supabase PostgREST
Supabase Storage (if consent policy PDFs are stored)
data models
MentorConsent
ConsentAuditLog
OrgPrivacyConfig
performance requirements
No performance requirements — documentation artifact only
security requirements
Document must not include real API keys, connection strings, or personal data as examples — use placeholder values
Clearly note which fields are PII and subject to access control

Execution Context

Execution Tier
Tier 7

Tier 7 - 84 tasks

Can start after Tier 6 completes

Implementation Notes

Structure the document as a Markdown file at docs/gdpr/consent-compliance.md with clear sections: (1) Legal Basis Mapping, (2) Data Model Reference, (3) Audit Log Schema & Retention, (4) Revocation & Deletion Procedure, (5) Consent Version Lifecycle, (6) Per-Organisation Privacy Policy Configuration, (7) Data Minimisation Guarantee, (8) Test Evidence Index. For the legal basis mapping, consult the Norwegian Data Protection Authority (Datatilsynet) guidance on special category health data — the three partner organisations (NHF, Blindeforbundet, HLF) all handle disability-related data which qualifies as Article 9. The re-consent trigger (e.g. privacy policy version bump) must be described precisely because it directly affects the UI flow.

Reference the exact Supabase table and column names as implemented, not abstract names, so the document stays accurate as the schema evolves.

Testing Requirements

No automated tests for the documentation itself. However, the document must be reviewed by one developer who was not the author (peer review) and signed off by the project lead before being accepted.

Optionally, create a lightweight compliance_checklist_test.dart that queries the live (staging) database to assert: consent_audit_log has a retention trigger defined, mentor_locations has zero rows for a known revoked mentor ID (using a seeded test mentor). This acts as executable compliance evidence.

Component
Location Privacy Configuration
infrastructure low
Dependencies (1)
Implement comprehensive tests covering: grantConsent happy path, double-grant idempotency, revokeConsent atomicity with location data deletion, checkConsent returning correct status for each state (granted, denied, revoked, re-consent-required), RLS policy enforcement for all roles, and dialog widget rendering with both Opt In and Opt Out interactions. Achieve minimum 90% branch coverage on location-consent-service. epic-geographic-peer-mentor-map-consent-privacy-task-010
Epic Risks (2)
medium impact medium prob scope

If the privacy policy text or consent terms change after mentors have already opted in, existing consent records may become legally insufficient, requiring re-consent from all opted-in mentors which could temporarily reduce map coverage.

Mitigation & Contingency

Mitigation: Store a consent_version field on every consent record. Implement a consent version check in location-consent-service that compares the stored version against the current policy version from location-privacy-config and flags stale consents for re-consent prompting.

Contingency: If a policy update invalidates existing consents, suppress affected mentors from the map, queue them for re-consent notification via the existing in-app notification system, and restore map visibility only after new consent is recorded.

medium impact medium prob scope

A poorly designed consent dialog may lead to low opt-in rates, reducing map utility for coordinators to the point where the feature delivers insufficient value to justify maintenance cost.

Mitigation & Contingency

Mitigation: Follow plain-language writing guidelines from the cognitive accessibility feature. User-test the dialog with 2-3 peer mentors from Blindeforbundet before implementation is finalised. Ensure the dialog explains the benefit to the mentor, not just the data collection facts.

Contingency: If opt-in rate after launch is below 40%, conduct a targeted usability study and iterate on dialog copy and layout. The coordinator can also send a bulk opt-in invitation notification (per the user story) to non-consenting mentors.

Quick Links
All Tasks Execution Plan