Proca.Supporter.Privacy (proca v3.4.1)
This module specifies how the supporter presonal data is stored and share between orgs.
Personal data in Proca
Personal data is decoupled from actions in following way:
Each action is identitfied by Action record and can reference a supporter.
Supporter records an individual taking action. Can be identified uniquely by a fingeprint, which is calculated based on current Contact Data format. For instance in Proca.Contact.BasicData, fingerprint is a seeded SHA256 hash of email. If supporter signs up many times, many supporter records will be created, but with same fingerprint. This supporter will be just counted once per campaign. Supporter has many Contact records.
Contact stores personal data and privacy/consent information. It can store encrypted, or unencrypted payload. There is a separate Contact record for each Org receiving contact data.
Contact data can be distributed to:
- Widget Org collecting data on Action Page
- Lead Org running the campaign (if different)
- Not implemented: 3rd Party Org (this can be any other org)
When it is distributed, there is a consent associated with delivery and communication areas (and a scope, currently email, but could be email, sms etc).
Example setups
- Org runs Campaign and Action page - they get contact data, with email opt in true/false
2a. Org (with Page
delivery=true) runs Action Page of Lead Campaign - Org gets data for delivery and email opt in, Lead nothing 2b. Org (with Pagedelivery=true) gets data for delivery and email opt in, Lead gets data iff campaignforce_delivery=true(otherwise) 2c. 2b but other way round. It's (central) Lead that delivers, and Org (Pagedeliver=false) gets data only if email opt in is true - Not implemented: Also some extra partner org can get data
ActionPage has a setting:
delivery: :boolean, defualt: true- means, action page owner delivers signatures
Campaign has a setting:
force_delivery: :boolean, default: false- if true, campaign owner delivers contact data even if action page owner does it already. If false, only delivers if action page does not.
User gives consent in a privacy object (in GraphQL). Right now they can only decide about communication consent, the delivery consent is implicit and they can't say for instance, that their signature should be included in action page owner delivery but not the campaign owner delivery.
Link to this section Summary
Functions
Which contact fields are stored in cleartext supporter record
privacy - for now, a simple privacy map is: %{ opt_in: :boolean, lead_opt_in: :boolean }. Exactly what we have in the API.
List of custom fields keys, which are sensitive and should be cleared after delivery
Which supporter fields are cleared after processing
Link to this section Functions
cleartext_fields(ap)
Which contact fields are stored in cleartext supporter record
consents(action_page, privacy)
Specs
consents(
%Proca.ActionPage{
__meta__: term(),
campaign: term(),
campaign_id: term(),
config: term(),
delivery: term(),
extra_supporters: term(),
id: term(),
inserted_at: term(),
live: term(),
locale: term(),
name: term(),
org: term(),
org_id: term(),
supporter_confirm_template: term(),
thank_you_template: term(),
updated_at: term()
},
%Proca.Supporter.Privacy{lead_opt_in: term(), opt_in: term()}
) :: [
%Proca.Supporter.Consent{
communication_consent: term(),
communication_scopes: term(),
delivery_consent: term(),
org: term()
}
]
privacy - for now, a simple privacy map is: %{ opt_in: :boolean, lead_opt_in: :boolean }. Exactly what we have in the API.
transient_action_fields(action, action_page)
List of custom fields keys, which are sensitive and should be cleared after delivery
transient_supporter_fields(ap)
Which supporter fields are cleared after processing