Benjamin_Boenisch/breakpilot-compliance
1
0
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Privacy notice cleanup + English v2

Browse Source 
- 108: Remove DSI duplicate (023 + 093 both wrote privacy_policy DE),
  remove outdated EN v1, create English Privacy Notice v2 with all
  modular sections (data categories table, retention periods, processor
  vs. controller guidance, Art. 21 right to object highlighted)

DB now has exactly 2 privacy_policy templates: DE + EN, both v2.0.0

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
2026-05-03 07:03:06 +02:00
parent 91b4034fee
commit 5298467275
1 changed files with 316 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend-compliance/migrations/108_privacy_policy_cleanup_en.sql
+316
View File
@@ -0,0 +1,316 @@
-- Migration 108: DSI Bereinigung + Englische Version
-- 1. Duplikat entfernen (Migration 023 + 093 haben beide privacy_policy DE geschrieben)
-- 2. Veraltete EN v1 entfernen
-- 3. Englische DSI v2 erstellen
-- ===========================================================================
-- 1. DSI Duplikat loeschen (behalte nur das neueste)
-- ===========================================================================
DELETE FROM compliance_legal_templates
WHERE document_type = 'privacy_policy'
AND language = 'de'
AND tenant_id = '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
AND id != (
SELECT id FROM compliance_legal_templates
WHERE document_type = 'privacy_policy'
AND language = 'de'
AND tenant_id = '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
ORDER BY updated_at DESC
LIMIT 1
);
-- ===========================================================================
-- 2. Veraltete EN v1 loeschen
-- ===========================================================================
DELETE FROM compliance_legal_templates
WHERE document_type = 'privacy_policy'
AND language = 'en'
AND version = '1.0.0'
AND tenant_id = '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e';
-- ===========================================================================
-- 3. Englische DSI v2
-- ===========================================================================
INSERT INTO compliance_legal_templates (
id, tenant_id, document_type, title, description, content,
placeholders, language, jurisdiction,
license_id, license_name, source_name,
attribution_required, is_complete_document, version, status,
created_at, updated_at
) SELECT gen_random_uuid(), '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e',
'privacy_policy',
'Privacy Notice (GDPR, modular)',
'Comprehensive privacy notice pursuant to Art. 13/14 GDPR with modular sections. Data categories table, purpose-legal basis mapping, retention periods, recipient categories (processors vs. controllers incl. payment provider guidance), data subject rights with highlighted right to object (Art. 21).',
$template$# Privacy Notice
**Effective:** {{VERSION_DATE}}
**Applies to:** {{SERVICE_SCOPE_DESCRIPTION}}
---
## 1. Controller
The controller responsible for the processing described in this privacy notice:
**{{COMPANY_LEGAL_NAME}} {{COMPANY_LEGAL_FORM}}**
{{COMPANY_ADDRESS_LINE}}
{{COMPANY_POSTAL_CODE}} {{COMPANY_CITY}}, {{COMPANY_COUNTRY}}
{{#IF REPRESENTED_BY_NAME}}Represented by: {{REPRESENTED_BY_NAME}}{{/IF}}
Email: {{CONTACT_EMAIL}}
{{#IF CONTACT_PHONE}}Phone: {{CONTACT_PHONE}}{{/IF}}
---
## 2. Data Protection Officer
{{#IF HAS_DPO}}
{{#IF DPO_NAME}}Our Data Protection Officer: **{{DPO_NAME}}**{{/IF}}
Email: {{DPO_EMAIL}}
{{/IF}}
{{#IF_NOT HAS_DPO}}
For data protection enquiries, please contact: {{CONTACT_EMAIL}}
{{/IF_NOT}}
---
## 3. Principles of Processing
We process personal data exclusively in accordance with the GDPR and applicable national data protection legislation. We observe purpose limitation, data minimisation, accuracy, storage limitation, integrity/confidentiality and transparency.
---
## 4. Categories of Data We Process
| Category | Examples | Details |
|----------|---------|---------|
| Log data | IP address, device type, operating system, timestamp | § 5 |
| Account data | Email, username, password (hashed), profile image | § 5 |
| Identifiers | User ID, device ID, session ID | § 5 |
{{#IF HAS_UGC}} | Content data | Published texts, images, videos, comments, likes | § 5 | {{/IF}}
{{#IF HAS_MESSAGING}} | Communication data | Messages between users {{#IF HAS_E2E_ENCRYPTION}}(end-to-end encrypted provider cannot access content){{/IF}} | § 5 | {{/IF}}
{{#IF HAS_LOCATION}} | Location data | Geographic location during use, content capture location | § 5 | {{/IF}}
| Usage data | Feature usage, time spent, page views, crash reports | § 5 |
{{#IF HAS_PAYMENTS}} | Payment/master data | Name, address, payment method | § 5 | {{/IF}}
{{#IF HAS_IDENTITY_VERIFICATION}} | Identification data | Name, date of birth, identity document, facial image | § 5 | {{/IF}}
| Moderation data | Complaints, violations, suspension information | § 5 |
| Correspondence data | Content of communication with the provider | § 5 |
---
## 5. Purposes and Legal Bases
### 5.1 Provision of Platform and Core Functions
We process log data, account data and identifiers to provide {{PLATFORM_NAME}} and its functions.
**Legal basis:** Art. 6(1)(b) GDPR (performance of contract).
### 5.2 Hosting and Infrastructure
{{PLATFORM_NAME}} is hosted by: **{{HOSTING_PROVIDER_NAME}}**, {{HOSTING_PROVIDER_COUNTRY}}. A data processing agreement is in place ({{HOSTING_PROVIDER_CONTRACT_TYPE}}).
{{#IF HAS_UGC}}
### 5.3 Publication and Moderation of User Content
We process content data and moderation data to provide content functions and ensure compliance.
**Legal basis:** Art. 6(1)(b) GDPR (contract); Art. 6(1)(f) GDPR (legitimate interest) for moderation.
{{/IF}}
### 5.4 IT Security and Abuse Detection
We process log data and identifiers to ensure the security of our IT infrastructure.
**Legal basis:** Art. 6(1)(f) GDPR (legitimate interest in IT security).
{{#IF HAS_ANALYTICS}}
### 5.5 Usage Analysis and Improvement
With your consent, we process usage data and identifiers to improve {{PLATFORM_NAME}}.
**Legal basis:** Art. 6(1)(a) GDPR (consent).
**Details:** {{ANALYTICS_TOOLS_DETAIL}}
{{/IF}}
{{#IF HAS_PAYMENTS}}
### 5.6 Payment Processing
We process master and transaction data for chargeable services.
**Legal basis:** Art. 6(1)(b) GDPR (contract); Art. 6(1)(c) GDPR (legal obligation) for tax/commercial retention.
**Note:** Payment service providers (e.g. Stripe, PayPal) process your payment data as independent controllers not as our processors. Their privacy notices are listed in the recipients section (§ 7).
{{/IF}}
{{#IF HAS_ONLINE_SHOP}}
### 5.7 Order and Delivery Functions
We process master and log data for order processing, shipping cost calculation and delivery.
**Legal basis:** Art. 6(1)(b) GDPR (contract); Art. 6(1)(c) GDPR (legal obligation).
{{/IF}}
### 5.8 Contact Enquiries and Support
We process correspondence data when you contact us.
**Legal basis:** Art. 6(1)(b) or (f) GDPR.
### 5.9 Legal Retention and Legal Defence
We process the respectively required data categories for statutory retention and for establishing, exercising or defending legal claims.
**Legal basis:** Art. 6(1)(c) GDPR (legal obligation); Art. 6(1)(f) GDPR (legitimate interest) for legal defence.
{{#IF HAS_NEWSLETTER}}
### 5.10 Newsletter
We process your email address for newsletter delivery (double opt-in).
**Legal basis:** Art. 6(1)(a) GDPR (consent). Revocation: unsubscribe link or {{CONTACT_EMAIL}}.
{{/IF}}
---
## 6. Are You Obliged to Provide Data?
The provision of personal data is neither legally nor contractually required. However, certain data is technically necessary for the use of {{PLATFORM_NAME}}:
| Data | Necessity | Consequence of Non-Provision |
|------|:---:|---|
| Log data, account data, identifiers | Required for basic use | Use not possible |
{{#IF HAS_UGC}} | Content data | Required for publishing | Content functions unavailable | {{/IF}}
{{#IF HAS_PAYMENTS}} | Payment/transaction data | Required for payment | Payment functions unavailable | {{/IF}}
| Usage data, correspondence data | Optional | No restriction |
---
## 7. Recipients of Personal Data
### 7.1 Processors
We use service providers who process personal data on our behalf. Data processing agreements pursuant to Art. 28 GDPR are in place with all processors.
{{PROCESSOR_LIST}}
{{#IF HAS_PARENT_COMPANY}}
### 7.1a Affiliated Companies
{{COMPANY_LEGAL_NAME}} transfers personal data to affiliated companies acting as processors:
{{AFFILIATED_COMPANIES_LIST}}
{{/IF}}
### 7.2 Other Recipients (Independent Controllers)
In certain cases, we transfer personal data to recipients who process it for their own purposes:
{{THIRD_PARTY_RECIPIENTS}}
**Note:** Payment service providers, banks and identification services process your data as independent controllers due to their own legal obligations (KYC, AML, PSD2).
We also transfer data to authorities and courts where legally required, and to other users and third parties to support the exercise of their rights.
---
## 8. International Transfers
{{#IF HAS_THIRD_COUNTRY}}
Transfers outside the EU/EEA may occur with certain service providers. We ensure an adequate level of protection through {{TRANSFER_GUARDS}}.
{{/IF}}
{{#IF_NOT HAS_THIRD_COUNTRY}}
Transfers to third countries outside the EU/EEA do not take place.
{{/IF_NOT}}
---
## 9. Retention Periods
| Data Category | Retention Period |
|--------------|----------------|
| Log data, session identifiers | Duration of usage session |
| Account data, settings | Until 1 week after account deletion |
{{#IF HAS_UGC}} | Content data | Until removal by user/moderation, latest 1 week after account deletion | {{/IF}}
| Usage data | 4 weeks after session end |
{{#IF HAS_PAYMENTS}} | Master, transaction, identification data | 6 or 10 years (Sec. 147 AO, Sec. 257 HGB) | {{/IF}}
| Moderation data | 3 years after case closure |
| Correspondence data | 3 years (general), 6 years (commercial correspondence) |
**Exception:** In the event of security or legally relevant incidents, affected data is retained until the matter is fully resolved.
---
## 10. Cookies and Consent Management
Details on cookies, retention periods and tools: {{COOKIE_POLICY_URL}}.
Manage/revoke consent: {{CONSENT_WITHDRAWAL_PATH}}.
---
## 11. Security
We employ technical and organisational measures to protect your data: {{SECURITY_MEASURES_SUMMARY}}.
---
## 12. Your Rights
{{#IF DETAILED_RIGHTS}}
- **Access (Art. 15 GDPR):** You have the right to know which data we process, including purpose, legal basis and recipients. You may request a copy of your data.
- **Rectification (Art. 16 GDPR):** You may request the correction of inaccurate or the completion of incomplete data.
- **Erasure (Art. 17 GDPR):** You may request erasure of your data where it is no longer necessary or is unlawfully processed.
- **Restriction (Art. 18 GDPR):** You may request restriction of processing, e.g. where you contest accuracy.
- **Data portability (Art. 20 GDPR):** You have the right to receive your data in a structured, commonly used and machine-readable format.
{{/IF}}
{{#IF_NOT DETAILED_RIGHTS}}
- Access (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
{{/IF_NOT}}
To exercise your rights: {{DATA_SUBJECT_REQUEST_CHANNEL}}
### Right of Withdrawal
You have the right to withdraw any consent at any time (Art. 7(3) GDPR). The lawfulness of processing carried out prior to withdrawal remains unaffected.
### Right to Object
**You have the right to object at any time, on grounds relating to your particular situation, to the processing of your data based on Art. 6(1)(f) GDPR (legitimate interest) (Art. 21(1) GDPR). We will then no longer process your data unless there are compelling legitimate grounds.**
{{#IF HAS_MARKETING}}
**You may object to the processing of your data for direct marketing purposes at any time without giving reasons.**
{{/IF}}
---
## 13. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR):
**{{SUPERVISORY_AUTHORITY_NAME}}**
{{SUPERVISORY_AUTHORITY_ADDRESS}}
---
## 14. Changes
We may update this privacy notice. The current version is available at {{WEBSITE_URL}}.
---
*Generated with BreakPilot Compliance {{COMPANY_LEGAL_NAME}} | {{VERSION_DATE}}*
$template$,
'["COMPANY_LEGAL_NAME","COMPANY_LEGAL_FORM","COMPANY_ADDRESS_LINE","COMPANY_POSTAL_CODE","COMPANY_CITY","COMPANY_COUNTRY","CONTACT_EMAIL","CONTACT_PHONE","DPO_NAME","DPO_EMAIL","VERSION_DATE","WEBSITE_URL","PLATFORM_NAME","SERVICE_SCOPE_DESCRIPTION","HOSTING_PROVIDER_NAME","HOSTING_PROVIDER_COUNTRY","HOSTING_PROVIDER_CONTRACT_TYPE","COOKIE_POLICY_URL","CONSENT_WITHDRAWAL_PATH","SECURITY_MEASURES_SUMMARY","DATA_SUBJECT_REQUEST_CHANNEL","SUPERVISORY_AUTHORITY_NAME","SUPERVISORY_AUTHORITY_ADDRESS","ANALYTICS_TOOLS_DETAIL","REPRESENTED_BY_NAME"]'::jsonb,
'en', 'EU',
'mit', 'MIT License', 'BreakPilot Compliance',
false, true, '2.0.0', 'published',
NOW(), NOW()
WHERE NOT EXISTS (
SELECT 1 FROM compliance_legal_templates
WHERE document_type = 'privacy_policy' AND language = 'en' AND version = '2.0.0'
AND tenant_id = '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e'
);