fix(pitch-deck): GDPR compliance — automated cleanup, full Art. 13 notice

- runDataCleanup() replaces maskOverdueInvestors(): now also anonymizes never-activated invites after 90 days, deletes sessions + magic links older than 30 days, NULLs IPs in audit logs older than 30 days, and redacts email from audit log details JSONB for masked investors - New /api/admin/cleanup POST endpoint for scheduled invocation - New .gitea/workflows/pitch-cleanup.yml: daily cron at 02:00 UTC calls the cleanup endpoint so anonymization is genuinely automatic, not lazy - Switch masking window from first_activity_at to last_login_at (30 days of inactivity; resets on each login) - Both auth pages: DSGVO footer now covers all Art. 13 requirements — data categories, retention cutoffs, Art. 15–21 rights, contact address, LfDI Baden-Württemberg as supervisory authority Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-01 15:11:51 +02:00
parent 2f861cd6d7
commit 5946aa47d5
8 changed files with 137 additions and 25 deletions
@@ -0,0 +1,36 @@
 # Daily GDPR data cleanup for the pitch deck.
 # Calls /api/admin/cleanup which runs runDataCleanup():
 #   - anonymizes investors inactive 30+ days
 #   - anonymizes never-activated invites after 90 days
 #   - deletes sessions + magic links older than 30 days
 #   - anonymizes IPs in audit logs older than 30 days
 #
 # Requires Gitea Actions secret: PITCH_ADMIN_SECRET
 name: Pitch deck — GDPR cleanup
 on:
  schedule:
    - cron: '0 2 * * *'
 jobs:
  cleanup:
    runs-on: docker
    container:
      image: alpine:3.19
    steps:
      - name: Run data cleanup
        env:
          PITCH_ADMIN_SECRET: ${{ secrets.PITCH_ADMIN_SECRET }}
        run: |
          apk add --no-cache curl
          RESPONSE=$(curl -sSf -w "\n%{http_code}" -X POST \
            -H "Authorization: Bearer $PITCH_ADMIN_SECRET" \
            -H "Content-Type: application/json" \
            https://pitch.breakpilot.com/api/admin/cleanup) \
            || { echo "Cleanup request failed"; exit 1; }
          HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
          BODY=$(echo "$RESPONSE" | head -n-1)
          echo "Response: $BODY"
          [ "$HTTP_CODE" = "200" ] || { echo "Unexpected status $HTTP_CODE"; exit 1; }
          echo "GDPR cleanup completed successfully"
@@ -0,0 +1,11 @@
 import { NextRequest, NextResponse } from 'next/server'
 import { requireAdmin } from '@/lib/admin-auth'
 import { runDataCleanup } from '@/lib/masking'
 export async function POST(request: NextRequest) {
  const guard = await requireAdmin(request)
  if (guard.kind === 'response') return guard.response
  const stats = await runDataCleanup()
  return NextResponse.json({ success: true, stats })
 }
@@ -1,7 +1,7 @@
 import { NextRequest, NextResponse } from 'next/server'
 import pool from '@/lib/db'
 import { requireAdmin, logAdminAudit } from '@/lib/admin-auth'
-import { maskOverdueInvestors } from '@/lib/masking'
+import { runDataCleanup } from '@/lib/masking'
 interface RouteContext {
  params: Promise<{ id: string }>
@@ -13,7 +13,7 @@ export async function GET(request: NextRequest, ctx: RouteContext) {
  const { id } = await ctx.params
-  await maskOverdueInvestors()
+  await runDataCleanup()
  const [investor, sessions, snapshots, audit] = await Promise.all([
    pool.query(
@@ -1,13 +1,13 @@
 import { NextRequest, NextResponse } from 'next/server'
 import pool from '@/lib/db'
 import { requireAdmin } from '@/lib/admin-auth'
-import { maskOverdueInvestors } from '@/lib/masking'
+import { runDataCleanup } from '@/lib/masking'
 export async function GET(request: NextRequest) {
  const guard = await requireAdmin(request)
  if (guard.kind === 'response') return guard.response
-  await maskOverdueInvestors()
+  await runDataCleanup()
  const { rows } = await pool.query(
    `SELECT i.id, i.email, i.name, i.company, i.status, i.last_login_at, i.login_count, i.created_at,
@@ -127,8 +127,7 @@ export default function AuthPage() {
      <div className="absolute bottom-0 left-0 right-0 px-8 py-4 border-t border-white/5">
        <div className="max-w-2xl mx-auto">
          <p className="text-[10px] text-white/20 leading-relaxed text-center">
-            <strong className="text-white/25">Datenschutzhinweis:</strong> Beim Zugriff auf diese Seite werden technische Zugriffsdaten (insbesondere IP-Adresse und Zeitpunkt) verarbeitet, um die sichere Nutzung des Zugangs zu gewährleisten und Missbrauch zu verhindern. Die Speicherung erfolgt für maximal 72 Stunden. Rechtsgrundlage: Art. 6 Abs. 1 lit. f DSGVO (berechtigtes Interesse).
+            <strong className="text-white/25">Datenschutzhinweis (Art. 13 DSGVO):</strong> Beim Zugriff werden technische Zugriffsdaten (IP-Adresse, Zeitpunkt, Browser) sowie – soweit eingeladen – personenbezogene Kontaktdaten (E-Mail, Name, Unternehmen) verarbeitet. Zweck: Zugangsverwaltung und Missbrauchsprävention. Rechtsgrundlage: Art. 6 Abs. 1 lit. f DSGVO (berechtigtes Interesse). Speicherdauer: max. 30 Tage nach letztem Zugriff; nicht aktivierte Zugänge nach 90 Tagen. Danach automatische Anonymisierung. Ihre Rechte gem. Art. 15–21 DSGVO (Auskunft, Berichtigung, Löschung, Einschränkung, Datenübertragbarkeit, Widerspruch): Anfragen an pitch@breakpilot.ai. Beschwerderecht bei der Aufsichtsbehörde: LfDI Baden-Württemberg (www.baden-wuerttemberg.datenschutz.de).</p>
          </p>
          <p className="text-[10px] text-white/15 text-center mt-1">
            Verantwortlich: Benjamin Bönisch & Sharang Parnerkar · Kontakt: info@breakpilot.com
          </p>
@@ -119,8 +119,7 @@ export default function VerifyPage() {
      <div className="absolute bottom-0 left-0 right-0 z-10 px-8 py-4 border-t border-white/5">
        <div className="max-w-2xl mx-auto">
          <p className="text-[10px] text-white/20 leading-relaxed text-center">
-            <strong className="text-white/25">Datenschutzhinweis:</strong> Beim Zugriff auf diese Seite werden technische Zugriffsdaten (insbesondere IP-Adresse und Zeitpunkt) verarbeitet, um die sichere Nutzung des Zugangs zu gewährleisten und Missbrauch zu verhindern. Die Speicherung erfolgt für maximal 72 Stunden. Rechtsgrundlage: Art. 6 Abs. 1 lit. f DSGVO (berechtigtes Interesse). Weitere Informationen zum Datenschutz erhalten Sie auf Anfrage.
+            <strong className="text-white/25">Datenschutzhinweis (Art. 13 DSGVO):</strong> Beim Zugriff werden technische Zugriffsdaten (IP-Adresse, Zeitpunkt, Browser) sowie – soweit eingeladen – personenbezogene Kontaktdaten (E-Mail, Name, Unternehmen) verarbeitet. Zweck: Zugangsverwaltung und Missbrauchsprävention. Rechtsgrundlage: Art. 6 Abs. 1 lit. f DSGVO (berechtigtes Interesse). Speicherdauer: max. 30 Tage nach letztem Zugriff; nicht aktivierte Zugänge nach 90 Tagen. Danach automatische Anonymisierung. Ihre Rechte gem. Art. 15–21 DSGVO (Auskunft, Berichtigung, Löschung, Einschränkung, Datenübertragbarkeit, Widerspruch): Anfragen an pitch@breakpilot.ai. Beschwerderecht bei der Aufsichtsbehörde: LfDI Baden-Württemberg (www.baden-wuerttemberg.datenschutz.de).</p>
          </p>
          <p className="text-[10px] text-white/15 text-center mt-1">
            Verantwortlich: Benjamin Bönisch & Sharang Parnerkar · Kontakt: info@breakpilot.com
          </p>
@@ -198,15 +198,15 @@ export default function InvestorDetailPage() {
                </div>
                {inv.data_masked_at ? (
                  <div className="text-xs text-zinc-500 mt-1">
-                    Data anonymized on {new Date(inv.data_masked_at).toLocaleString()} · 72h window elapsed after first activity
+                    Data anonymized on {new Date(inv.data_masked_at).toLocaleString()} · 30-day inactivity window elapsed
                  </div>
                ) : (
                  <>
                    <div className="text-sm text-white/60">{inv.company || '—'}</div>
                    <div className="text-xs text-white/40 mt-1">{inv.email}</div>
-                    {inv.first_activity_at && (
+                    {inv.last_login_at && (
                      <div className="text-xs text-amber-400/70 mt-1">
-                        ⏱ Data window: 72h from first login · expires {new Date(new Date(inv.first_activity_at).getTime() + 72 * 60 * 60 * 1000).toLocaleString()}
+                        ⏱ Data window: 30 days after last login · auto-anonymizes {new Date(new Date(inv.last_login_at).getTime() + 30 * 24 * 60 * 60 * 1000).toLocaleString()}
                      </div>
                    )}
                  </>
@@ -1,30 +1,97 @@
 import pool from '@/lib/db'
-const MASKING_HOURS = parseInt(process.env.DATA_MASKING_HOURS || '72')
+const MASKING_DAYS = parseInt(process.env.DATA_MASKING_DAYS || '30')
 const NEVER_ACTIVATED_DAYS = parseInt(process.env.NEVER_ACTIVATED_DAYS || '90')
-export async function maskOverdueInvestors(): Promise<void> {
+export interface CleanupStats {
-  const cutoff = new Date(Date.now() - MASKING_HOURS * 60 * 60 * 1000)
+  investors_masked: number
  sessions_deleted: number
  audit_ips_anonymized: number
  audit_details_redacted: number
  magic_links_deleted: number
 }
-  const { rows } = await pool.query<{ id: string }>(
+export async function runDataCleanup(): Promise<CleanupStats> {
  const stats: CleanupStats = {
    investors_masked: 0,
    sessions_deleted: 0,
    audit_ips_anonymized: 0,
    audit_details_redacted: 0,
    magic_links_deleted: 0,
  }
  const activeCutoff = new Date(Date.now() - MASKING_DAYS * 24 * 60 * 60 * 1000)
  const neverActivatedCutoff = new Date(Date.now() - NEVER_ACTIVATED_DAYS * 24 * 60 * 60 * 1000)
  // 1. Mask investors inactive for MASKING_DAYS
  const { rows: maskedActive } = await pool.query<{ id: string }>(
    `UPDATE pitch_investors
     SET email = 'anon.' || id::text,
-         name = NULL,
+         name = NULL, company = NULL,
-         company = NULL,
+         status = 'revoked', data_masked_at = NOW(), updated_at = NOW()
-         status = 'revoked',
+     WHERE last_login_at IS NOT NULL
-         data_masked_at = NOW(),
+       AND last_login_at < $1
         updated_at = NOW()
     WHERE first_activity_at IS NOT NULL
       AND first_activity_at < $1
       AND data_masked_at IS NULL
     RETURNING id`,
-    [cutoff],
+    [activeCutoff],
  )
-  if (rows.length > 0) {
+  // 2. Mask investors invited but never activated after NEVER_ACTIVATED_DAYS
  const { rows: maskedNever } = await pool.query<{ id: string }>(
    `UPDATE pitch_investors
     SET email = 'anon.' || id::text,
         name = NULL, company = NULL,
         status = 'revoked', data_masked_at = NOW(), updated_at = NOW()
     WHERE last_login_at IS NULL
       AND created_at < $1
       AND data_masked_at IS NULL
     RETURNING id`,
    [neverActivatedCutoff],
  )
  const allMaskedIds = [...maskedActive, ...maskedNever].map((r) => r.id)
  stats.investors_masked = allMaskedIds.length
  if (allMaskedIds.length > 0) {
    // 3. Revoke sessions for newly masked investors
    await pool.query(
      `UPDATE pitch_sessions SET revoked = true
       WHERE investor_id = ANY($1::uuid[]) AND NOT revoked`,
-      [rows.map((r) => r.id)],
+      [allMaskedIds],
    )
    // 4. Redact email field from audit log details for masked investors
    const { rowCount } = await pool.query(
      `UPDATE pitch_audit_logs
       SET details = details - 'email'
       WHERE investor_id = ANY($1::uuid[]) AND details ? 'email'`,
      [allMaskedIds],
    )
    stats.audit_details_redacted = rowCount ?? 0
  }
  // 5. Delete sessions older than MASKING_DAYS (expired, contain IP/UA)
  const { rowCount: sessionsDeleted } = await pool.query(
    `DELETE FROM pitch_sessions WHERE created_at < $1`,
    [activeCutoff],
  )
  stats.sessions_deleted = sessionsDeleted ?? 0
  // 6. Anonymize IP addresses in audit logs older than MASKING_DAYS
  const { rowCount: logsAnonymized } = await pool.query(
    `UPDATE pitch_audit_logs
     SET ip_address = NULL
     WHERE created_at < $1 AND ip_address IS NOT NULL`,
    [activeCutoff],
  )
  stats.audit_ips_anonymized = logsAnonymized ?? 0
  // 7. Delete magic links older than MASKING_DAYS
  const { rowCount: linksDeleted } = await pool.query(
    `DELETE FROM pitch_magic_links WHERE created_at < $1`,
    [activeCutoff],
  )
  stats.magic_links_deleted = linksDeleted ?? 0
  return stats
 }