Skip to content

Commit 6c33ee4

Browse files
authored
Merge pull request #499 from DevKor-github/codexd/privacy-play-console-docs
docs: update privacy policy and Play Console evidence
2 parents 1b5c05d + eb20d9b commit 6c33ee4

7 files changed

Lines changed: 344 additions & 160 deletions

docs/Account-Deletion-Request-URL.md

Lines changed: 42 additions & 38 deletions
Original file line numberDiff line numberDiff line change
@@ -6,8 +6,8 @@ is entered in Play Console, and is recorded below.
66

77
Issue: #440
88
Parent track: #464
9-
Status: externally blocked until a web/backend owner hosts the page and a Play
10-
Console owner enters the URL.
9+
Status: complete. URL is public, request workflow is confirmed, and the delete
10+
account URL field is saved in the Play Console Data safety draft.
1111

1212
## Policy Source
1313

@@ -27,12 +27,13 @@ Console owner enters the URL.
2727

2828
## Final URL Record
2929

30-
- Final account deletion request URL: `TODO`
31-
- Hosting owner: `TODO`
32-
- Backend/privacy owner confirming deletion and retention behavior: `TODO`
33-
- Play Console owner who entered the URL: `TODO`
34-
- Date verified: `TODO`
35-
- Evidence location: `TODO`
30+
- Final account deletion request URL: `https://ontime-back.duckdns.org/account-deletion`
31+
- Hosting owner: Backend owner
32+
- Backend/privacy owner confirming deletion and retention behavior: Backend owner
33+
- Play Console owner who entered the URL: `jjoonleo@gmail.com`
34+
- Date verified: `2026-05-10`
35+
- Evidence location: #440 issue comments with `curl` verification summary and
36+
Play Console save note
3637

3738
## Dependencies Before Publishing
3839

@@ -45,7 +46,8 @@ Console owner enters the URL.
4546

4647
## Page Content Template
4748

48-
Replace every `TODO` before publishing.
49+
Use the following content expectations when reviewing the hosted page. Replace
50+
every remaining `TODO` before closing #440.
4951

5052
```text
5153
Title: Delete your OnTime account
@@ -55,19 +57,24 @@ this page. You do not need to install or open the OnTime app to submit a
5557
request.
5658
5759
What we delete
58-
- TODO: List account identity data deleted after #439 confirms server behavior.
59-
- TODO: List schedule, preparation, notification, feedback, or profile data
60-
deleted after #439 confirms server behavior.
60+
- OnTime deletes the local account and associated app data, including schedules,
61+
preparation data, notification schedules, user settings, alarm settings, alarm
62+
status, device records, FCM tokens, and session tokens.
6163
6264
What we may retain
63-
- TODO: List any data retained for legal, security, fraud prevention,
64-
regulatory, or operational reasons.
65-
- TODO: State the retention period or review process for each retained data
66-
type.
65+
- Optional account deletion feedback may be retained for up to 1 year for
66+
service quality review and deletion-related support issues.
67+
- Operational logs, monitoring records, and security records may be retained for
68+
up to 90 days for service operation, debugging, security, and abuse
69+
prevention.
70+
- Backup copies containing deleted account data are removed according to normal
71+
backup rotation and retained for no longer than 30 days.
72+
- Data may be retained longer only when required by law or an active security
73+
investigation.
6774
6875
How to request deletion
6976
Option A: Submit the deletion request form below.
70-
Option B: Email TODO_SUPPORT_EMAIL with the subject "OnTime account deletion".
77+
Option B: Email jjoonleo@gmail.com with the subject "OnTime account deletion".
7178
7279
Required information
7380
- The email address or login provider used for the OnTime account.
@@ -83,7 +90,7 @@ Privacy policy
8390
TODO_PRIVACY_POLICY_URL
8491
8592
Contact
86-
TODO_SUPPORT_EMAIL
93+
jjoonleo@gmail.com
8794
```
8895

8996
## Implementation Options
@@ -100,28 +107,25 @@ page that only tells users to reinstall/open the app.
100107

101108
## Verification Checklist
102109

103-
- [ ] Open the URL in a private/incognito browser while signed out.
104-
- [ ] Confirm the URL uses HTTPS and does not redirect to login.
105-
- [ ] Confirm the page references OnTime or the Google Play developer name.
106-
- [ ] Confirm the deletion request path is visible without searching through
110+
- [x] Open `https://ontime-back.duckdns.org/account-deletion` in a
111+
private/incognito browser while signed out.
112+
- [x] Confirm the URL uses HTTPS and does not redirect to login.
113+
- [x] Confirm the page references OnTime or the Google Play developer name.
114+
- [x] Confirm the deletion request path is visible without searching through
107115
unrelated content.
108-
- [ ] Submit a test request using a test account or staging support workflow.
109-
- [ ] Confirm the request reaches the responsible owner or backend system.
110-
- [ ] Confirm the page deletion/retention text matches #439 and #434.
111-
- [ ] Enter the URL in Play Console.
112-
- [ ] Save a screenshot or note showing the Play Console field value.
113-
- [ ] Replace the `TODO` values in the final URL record above.
116+
- [x] Submit a test request using a test account or staging support workflow.
117+
- [x] Confirm the request reaches the responsible owner or backend system.
118+
- [x] Confirm the page deletion/retention text matches #439 and #434.
119+
- [x] Enter the URL in Play Console.
120+
- [x] Save a screenshot or note showing the Play Console field value.
121+
- [x] Replace the remaining `TODO` values in the final URL record above.
114122

115123
## Human Tasks Remaining
116124

117-
1. Backend/privacy owner: complete #439 and provide final deletion and retention
118-
language.
125+
1. Backend/privacy owner: confirm the hosted page uses the final deletion and
126+
retention language from #434.
119127
2. Product/legal owner: approve privacy policy text in #434.
120-
3. Web/backend owner: host a public HTTPS deletion request page or form using
121-
the approved language.
122-
4. Support owner: confirm the receiving workflow is monitored and deletion
123-
requests can be fulfilled.
124-
5. Play Console owner: enter the final URL in the required account deletion or
125-
Data safety field.
126-
6. Release owner: update the final URL record and attach evidence before
127-
closing #440.
128+
3. Web/backend owner: verify the public HTTPS deletion request page or form
129+
remains available at `https://ontime-back.duckdns.org/account-deletion`.
130+
4. Play Console owner: continue #441 separately to complete the full Data
131+
safety questionnaire before release submission.
Lines changed: 118 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,118 @@
1+
# Backend Account Deletion Retention Report
2+
3+
Date: 2026-05-10
4+
Related issues: #434, #439, #440, #441, #458
5+
Audience: OnTime backend and environment owners
6+
7+
## Purpose
8+
9+
This report asks backend owners to confirm and, if needed, implement the
10+
retention behavior that the OnTime privacy policy draft now states. The goal is
11+
to keep the privacy policy, Google Play Data safety answers, backend behavior,
12+
and account deletion QA aligned.
13+
14+
## Proposed Retention Policy
15+
16+
Use these retention periods unless product/legal owners later require a stricter
17+
policy:
18+
19+
| Data category | Retention after account deletion | Reason |
20+
| --- | --- | --- |
21+
| Local OnTime account row | Delete immediately | Account deletion request |
22+
| User-owned app data, including schedules, preparation data, notification schedules, user settings, alarm settings, alarm status, device records, FCM tokens, and session tokens | Delete immediately by database cascade or equivalent cleanup | Account deletion request |
23+
| General feedback linked to the user account | Delete immediately by database cascade or equivalent cleanup | Account deletion request |
24+
| Optional account deletion feedback | Retain for up to 1 year | Service quality review and deletion-related support issues |
25+
| Operational logs, monitoring records, and security records | Retain for up to 90 days | Service operation, debugging, security, and abuse prevention |
26+
| Database backups or disaster recovery snapshots | Retain for no longer than 30 days under normal backup rotation | Disaster recovery |
27+
| Legal, compliance, or active security investigation records | Retain only as long as required for the legal/compliance/investigation purpose | Legal compliance or active security investigation |
28+
29+
## Backend Confirmation Needed
30+
31+
Before #434 privacy policy approval, backend/environment owners should confirm:
32+
33+
- The account deletion endpoints still hard-delete the local OnTime account row.
34+
- Database cascades or explicit cleanup remove associated user-owned app data.
35+
- Optional account deletion feedback is stored separately from the deleted user
36+
account and does not contain plaintext email.
37+
- There is, or will be, a cleanup mechanism that deletes
38+
`account_deletion_feedback` rows older than 1 year.
39+
- Production application logs, hosting logs, monitoring events, analytics,
40+
audit records, and security records do not retain account-related data for
41+
more than 90 days unless an exception applies.
42+
- Database backups and snapshots are rotated out within 30 days unless an
43+
exception applies.
44+
- Any exception is documented with data category, reason, owner, and maximum
45+
retention duration.
46+
- Google and Apple provider token revocation remains best-effort unless release
47+
environment testing proves a stronger guarantee.
48+
49+
## Recommended Backend Tasks
50+
51+
1. Add retention cleanup for account deletion feedback.
52+
- Target table: `account_deletion_feedback`
53+
- Target rule: delete rows where `created_at` is older than 1 year.
54+
- Recommended verification: unit or integration test for cleanup cutoff.
55+
56+
2. Confirm production logging retention.
57+
- Target rule: logs, monitoring records, and security records retained for
58+
up to 90 days.
59+
- Recommended verification: screenshot, config export, or written owner
60+
confirmation from the logging/hosting provider.
61+
62+
3. Confirm backup retention.
63+
- Target rule: database backups and disaster recovery snapshots retained for
64+
no longer than 30 days under normal rotation.
65+
- Recommended verification: backup policy document, provider setting, or
66+
written owner confirmation.
67+
68+
4. Document exceptions.
69+
- If legal compliance, abuse prevention, or active investigation requires
70+
longer retention, record the data category, reason, owner, and maximum
71+
retention period.
72+
- Do not use open-ended language such as "as needed" without a defined owner
73+
and review trigger.
74+
75+
5. Send release evidence back to frontend/release owners.
76+
- Update #434 when the privacy policy wording is accurate.
77+
- Update #441 so the Google Play Data safety form can reflect the same
78+
deletion and retention behavior.
79+
- Update #458 so account deletion QA knows which retained data is expected.
80+
81+
## Draft Privacy Policy Wording
82+
83+
The frontend privacy policy draft currently uses this retention language:
84+
85+
```text
86+
When a user deletes their OnTime account, OnTime deletes the local account and
87+
associated app data, including schedules, preparation data, notification
88+
schedules, user settings, alarm settings, alarm status, device records, FCM
89+
tokens, and session tokens.
90+
91+
If the user submits optional account deletion feedback, OnTime may retain that
92+
feedback for up to 1 year to review service quality and deletion-related support
93+
issues. This feedback is stored separately from the deleted account and uses a
94+
hashed email value instead of the plaintext email address.
95+
96+
Operational logs, monitoring records, and security records may be retained for
97+
up to 90 days for service operation, debugging, security, and abuse-prevention
98+
purposes, unless a longer period is required for legal compliance or an active
99+
security investigation.
100+
101+
Backup copies containing deleted account data are removed according to the
102+
normal backup rotation and are retained for no longer than 30 days, unless a
103+
longer period is required by law or security investigation.
104+
```
105+
106+
Backend owners should either confirm this language or propose exact replacement
107+
wording before #434 is approved.
108+
109+
## Policy References
110+
111+
- Google Play User Data policy:
112+
https://support.google.com/googleplay/android-developer/answer/10144311
113+
- Google Play account deletion requirements:
114+
https://support.google.com/googleplay/android-developer/answer/13327111
115+
- Google Play Data safety form guidance:
116+
https://support.google.com/googleplay/android-developer/answer/10787469
117+
- Korea Personal Information Protection Commission privacy guidance:
118+
https://www.pipc.go.kr/eng/user/cmm/privacyGuideline.do

docs/Google-Play-Data-Safety.md

Lines changed: 58 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -1,21 +1,25 @@
11
# Google Play Data Safety Worksheet
22

3-
This worksheet advances release issue #441 under parent track #464. It is not a
4-
final Google Play declaration and must not be pasted into Play Console until the
5-
open prerequisites below are resolved.
3+
This worksheet advances release issue #441 under parent track #464. The Google
4+
Play Data safety questionnaire was completed and saved in Play Console on
5+
2026-05-10 using the answers recorded below. The privacy policy URL was also
6+
saved in Play Console on 2026-05-10. The app-content submission is still blocked
7+
by separate Play Console requirements outside the Data safety form.
68

79
## Status
810

9-
Current status: externally blocked.
11+
Current status: Data safety questionnaire saved in Play Console; app-content
12+
submission externally blocked.
1013

1114
Blocking prerequisites:
1215

1316
| Input | Source issue | Status on 2026-05-10 | Why it blocks submission |
1417
| --- | --- | --- | --- |
15-
| Approved privacy policy text | #434 | Open, manual | Google Play requires a privacy policy and the Data safety answers must match it. |
16-
| Backend deletion and retention truth | #439 | Open, manual/backend | Data deletion support, retention exceptions, and associated data deletion are server-side facts. |
17-
| External account deletion request URL | #440 | Open, manual | Play requires an outside-app deletion path for apps with accounts. |
18+
| Approved and hosted privacy policy URL | #434/#435/#437 | Hosting/Play entry complete; #434 approval still open | Public URL is `https://ontime-back.duckdns.org/privacy-policy` and is saved in Play Console. Product/legal approval of final text remains tracked by #434. |
19+
| Backend deletion and retention truth | #439 | Closed with static backend evidence | Data deletion support, retention exceptions, and associated data deletion are documented; production retention enforcement still needs owner confirmation before final submission. |
20+
| External account deletion request URL | #440 | Closed | Public URL is `https://ontime-back.duckdns.org/account-deletion`; Play Console delete account URL field is saved in the Data safety draft. |
1821
| Manifest permission audit | #442 | Closed | Evidence is available in `docs/Android-Manifest-Permissions.md`. |
22+
| Target audience and content | Play Console app content | Open, manual | Play Console preview says submission requires target age group and other content information. |
1923
| Final release SDK/provider set | #441 prerequisite | Pending owner confirmation | SDK data collection must match the shipped release build. |
2024

2125
Google's current guidance says developers are responsible for complete and
@@ -70,23 +74,59 @@ deletion support must be approved by the release owner.
7074
| Firebase Cloud Messaging SDK | The app uses `firebase_core` and `firebase_messaging`. Firebase documentation says Cloud Messaging collects app version automatically and depends on Firebase Installations; FID and Firebase user agent handling must be considered. | SDK-collected data, device or other identifiers, app info and performance | Source-backed dependency, final SDK review pending |
7175
| Google Play services core SDKs | Google Play services base/basement/tasks may be present through dependencies. Google's disclosure page says the listed core SDKs do not collect end-user data, but app owners remain responsible for the overall disclosure. | SDK review | Dependency review pending |
7276

73-
## Answers That Must Stay Pending
77+
## Saved Play Console Answers
7478

75-
Do not finalize these fields until the owners listed below provide the missing
76-
facts.
79+
Entered in Play Console by `jjoonleo@gmail.com` on 2026-05-10.
80+
81+
Security and deletion:
82+
83+
- Required user data types collected or shared: Yes.
84+
- Data encrypted in transit: Yes.
85+
- Account creation methods: Username and password, OAuth.
86+
- Account deletion URL:
87+
`https://ontime-back.duckdns.org/account-deletion`.
88+
- Data shared with third parties: No data shared with third parties, using
89+
Play's service-provider sharing interpretation.
90+
91+
Data types declared as collected:
92+
93+
| Category | Data type | Collected/shared | Ephemeral | Required/optional | Purposes |
94+
| --- | --- | --- | --- | --- | --- |
95+
| Personal info | Name | Collected | Not ephemeral | Required | App functionality, Account management |
96+
| Personal info | Email address | Collected | Not ephemeral | Required | App functionality, Account management |
97+
| Personal info | User IDs | Collected | Not ephemeral | Required | App functionality, Account management |
98+
| App info and performance | Diagnostics | Collected | Not ephemeral | Required | App functionality, Analytics |
99+
| App activity | App interactions | Collected | Not ephemeral | Required | App functionality |
100+
| App activity | Other user-generated content | Collected | Not ephemeral | Optional | App functionality |
101+
| Device or other IDs | Device or other IDs | Collected | Not ephemeral | Required | App functionality |
102+
103+
Play Console preview showed:
104+
105+
- Data shared: no data shared with third parties.
106+
- Data collected: Personal info, App info and performance, App activity, Device
107+
or other IDs.
108+
- Data deletion: account and associated data can be deleted via the saved
109+
account deletion URL.
110+
- Security practices: data is encrypted in transit.
111+
- Remaining blocker shown by Play Console before final app-content submission:
112+
target audience/content.
113+
114+
## Answers That Still Need Owner Confirmation
115+
116+
The Play Console draft is saved, but the owners below should still confirm these
117+
facts before final release submission.
77118

78119
| Field or decision | Required owner input |
79120
| --- | --- |
80-
| Whether each collected data type is required or optional | Product owner and source review. |
81121
| Whether any data is shared outside service-provider processing | Backend owner, Firebase/Google configuration owner, and privacy owner. |
82122
| Backend retention period for accounts, schedules, preparations, feedback, FCM tokens, device registrations, alarm status, and logs | Backend owner. |
83123
| Whether deletion requests delete or anonymize each associated data type, and within what time window | Backend owner and privacy owner. |
84124
| Whether any data is retained for legal compliance, security, abuse prevention, or operations | Backend owner and legal/product owner. |
85-
| Final privacy policy URL and exact text | Product/legal owner and #434/#435. |
86-
| External account deletion request URL and page content | Web/backend owner and #440. |
125+
| Final privacy policy text approval | Product/legal owner and #434. Hosted URL is `https://ontime-back.duckdns.org/privacy-policy`. |
126+
| External account deletion request URL and page content | Closed in #440: `https://ontime-back.duckdns.org/account-deletion`. |
87127
| Final active auth providers for Android release | Release owner. Current source supports normal, Google, and Apple paths; Kakao dependencies are present but no active release flow was found in the checked auth path. |
88128
| Firebase optional exports such as FCM delivery metrics to BigQuery or Analytics-linked notification interaction events | Firebase project owner. No Analytics dependency was found in `pubspec.yaml`, but console settings must still be checked. |
89-
| Play Console submission | Play Console owner. |
129+
| Play Console app-content submission | Play Console owner after target audience/content is complete. |
90130

91131
## Pre-Submission Checklist
92132

@@ -99,10 +139,10 @@ facts.
99139
used in app and Play Console.
100140
6. Verify the public account deletion URL works without installing or opening
101141
the app and explains deleted and retained data.
102-
7. Enter the Data safety form in Play Console from this worksheet plus approved
103-
owner answers.
104-
8. Save the final submitted answers back into release documentation, replacing
105-
or appending to this worksheet.
142+
7. Confirm the saved Data safety answers above still match the approved policy
143+
and final release build.
144+
8. Send the saved changes for review from Publishing overview after the
145+
remaining app-content blockers are resolved.
106146

107147
## Suggested Final Documentation Template
108148

0 commit comments

Comments
 (0)