Proca.Supporter.Privacy (proca v3.4.1)

This module specifies how supporter personal data is stored and shared between orgs.

Personal data in Proca

Personal data is decoupled from actions in the following way:

Each action is identified by an Action record and can reference a supporter.

Supporter records an individual taking action. It can be identified uniquely by a fingerprint, which is calculated based on the current Contact Data format. For instance in Proca.Contact.BasicData, the fingerprint is a seeded SHA256 hash of the email. If a supporter signs up many times, many supporter records will be created, but with the same fingerprint, so this supporter is counted only once per campaign. A Supporter has many Contact records.

Contact stores personal data and privacy/consent information. It can store an encrypted or unencrypted payload. There is a separate Contact record for each Org receiving contact data.
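The fingerprint mechanism above, as an added illustration in Elixir (not Proca's own code): a seeded SHA256 digest of the email in the spirit of Proca.Contact.BasicData, followed by the once-per-campaign count. The seed composition, the email normalisation, the map shapes and the sample signups are all constructed for this example; Proca may do each of them differently.

```elixir
# Added example, not part of Proca.Contact.BasicData.
defmodule FingerprintExample do
  # Normalise the address so trivial variations hash identically.
  # (Assumption: Proca may normalise differently or not at all.)
  def normalize_email(email), do: email |> String.trim() |> String.downcase()

  # Seeded SHA256: the seed is prepended so the digest cannot simply be
  # looked up in a precomputed table of hashed e-mail addresses.
  # (Assumption: how Proca mixes the seed in is not stated on this page.)
  def fingerprint(email, seed) when is_binary(seed) do
    :crypto.hash(:sha256, seed <> normalize_email(email))
    |> Base.encode16(case: :lower)
  end

  # Many supporter records may share a fingerprint; a supporter is counted
  # once per campaign, so group by campaign and count distinct fingerprints.
  def unique_supporters_per_campaign(supporters) do
    supporters
    |> Enum.group_by(& &1.campaign_id, & &1.fingerprint)
    |> Map.new(fn {campaign_id, fps} -> {campaign_id, fps |> Enum.uniq() |> length()} end)
  end

  def demo do
    # Constructed seed; a real seed is a per-deployment secret.
    seed = "example-seed"

    # Constructed sample: the same person signs twice on campaign 1
    # (with a differently-cased, padded address) and once on campaign 2.
    signups = [
      %{campaign_id: 1, email: "Ada@example.org"},
      %{campaign_id: 1, email: "ada@example.org "},
      %{campaign_id: 1, email: "bob@example.org"},
      %{campaign_id: 2, email: "ada@example.org"}
    ]

    supporters =
      Enum.map(signups, fn s -> Map.put(s, :fingerprint, fingerprint(s.email, seed)) end)

    unique_supporters_per_campaign(supporters)
  end
end
```

Running FingerprintExample.demo/0 produces one supporter record per signup (four records, three distinct fingerprints) while the per-campaign count reports two supporters for campaign 1 and one for campaign 2, which is the "counted once per campaign" behaviour described above.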

Contact data can be distributed to:

  • Widget Org collecting data on Action Page
  • Lead Org running the campaign (if different)
  • Not implemented: 3rd Party Org (this can be any other org)

When it is distributed, there is a consent associated with the delivery and communication areas (and a scope, currently email, but could be email, sms etc).

Example setups

  1. Org runs Campaign and Action Page - they get contact data, with email opt in true/false
  2a. Org (with Page delivery=true) runs Action Page of Lead Campaign - Org gets data for delivery and email opt in, Lead gets nothing
  2b. Org (with Page delivery=true) gets data for delivery and email opt in, Lead gets data iff campaign force_delivery=true (otherwise nothing)
  2c. Like 2b but the other way round: it's the (central) Lead that delivers, and Org (Page delivery=false) gets data only if email opt in is true
  3. Not implemented: some extra partner org can also get data

ActionPage has a setting:

  • delivery: :boolean, default: true - means the action page owner delivers signatures

Campaign has a setting:

  • force_delivery: :boolean, default: false - if true, the campaign owner delivers contact data even if the action page owner does it already. If false, the campaign owner only delivers if the action page owner does not.

The user gives consent in a privacy object (in GraphQL). Right now they can only decide about communication consent; the delivery consent is implicit and they can't say, for instance, that their signature should be included in the action page owner's delivery but not in the campaign owner's delivery.
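The distribution rules from "Example setups" 1 and 2a-2c, written out as an added illustration in Elixir with the same shape as consents/2 (not Proca's own implementation). The structs are reduced to the fields the rules need, the sample orgs are constructed, and two details are assumptions because the page does not state them: an org with neither delivery nor communication consent is dropped from the list, and a Lead org that does not deliver still receives a consent record when lead_opt_in is true.

```elixir
# Added example, not Proca.Supporter.Privacy's own consents/2.
defmodule ConsentExample do
  defmodule Consent do
    # Mirrors the documented Proca.Supporter.Consent fields; scope is email only for now.
    defstruct [:org, :delivery_consent, :communication_consent, communication_scopes: [:email]]
  end

  # action_page: %{org: widget_org, delivery: bool, campaign: %{org: lead_org, force_delivery: bool}}
  # privacy:     %{opt_in: bool, lead_opt_in: bool}   (the privacy map from the API)
  def consents(
        %{org: org, delivery: page_delivers, campaign: %{org: lead, force_delivery: force}},
        %{opt_in: opt_in, lead_opt_in: lead_opt_in}
      ) do
    # Lead delivers when the page owner does not (2c), or when the campaign forces it (2b).
    lead_delivers = not page_delivers or force

    widget = %Consent{org: org, delivery_consent: page_delivers, communication_consent: opt_in}

    cond do
      # Setup 1: one org runs both campaign and page; a single consent record.
      org == lead ->
        [%Consent{widget | delivery_consent: page_delivers or force}]

      # Setups 2a-2c: widget org and lead org are distinct.
      true ->
        lead_consent = %Consent{
          org: lead,
          delivery_consent: lead_delivers,
          communication_consent: lead_opt_in
        }

        # Assumption: an org that neither delivers nor has communication consent
        # gets no Contact record at all, which is how "Lead gets nothing" in 2a
        # and "Org gets data only if email opt in is true" in 2c fall out.
        Enum.filter([widget, lead_consent], &(&1.delivery_consent or &1.communication_consent))
    end
  end

  # Constructed orgs and pages for the four documented setups, with both opt-ins false
  # so that only the delivery rules decide who receives data.
  def demo do
    lead = %{name: "lead-org"}
    widget = %{name: "widget-org"}
    privacy = %{opt_in: false, lead_opt_in: false}

    page = fn org, delivers, force ->
      %{org: org, delivery: delivers, campaign: %{org: lead, force_delivery: force}}
    end

    %{
      setup_1: consents(page.(lead, true, false), privacy),
      setup_2a: consents(page.(widget, true, false), privacy),
      setup_2b: consents(page.(widget, true, true), privacy),
      setup_2c: consents(page.(widget, false, false), privacy)
    }
  end
end
```

With both opt-ins false, demo/0 yields a single lead record for setup 1, only the widget org for 2a, widget plus lead for 2b, and only the lead for 2c; flipping opt_in to true in 2c adds the widget org back with delivery_consent false and communication_consent true, which is the "gets data only if email opt in is true" case.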

Summary

Functions

  • cleartext_fields(ap) - Which contact fields are stored in the cleartext supporter record
  • consents(action_page, privacy) - privacy - for now, a simple privacy map is: %{ opt_in: :boolean, lead_opt_in: :boolean }. Exactly what we have in the API.
  • transient_action_fields(action, action_page) - List of custom field keys which are sensitive and should be cleared after delivery
  • transient_supporter_fields(ap) - Which supporter fields are cleared after processing

Functions

cleartext_fields(ap)

Which contact fields are stored in the cleartext supporter record


consents(action_page, privacy)

Specs

consents(
  %Proca.ActionPage{
    __meta__: term(),
    campaign: term(),
    campaign_id: term(),
    config: term(),
    delivery: term(),
    extra_supporters: term(),
    id: term(),
    inserted_at: term(),
    live: term(),
    locale: term(),
    name: term(),
    org: term(),
    org_id: term(),
    supporter_confirm_template: term(),
    thank_you_template: term(),
    updated_at: term()
  },
  %Proca.Supporter.Privacy{lead_opt_in: term(), opt_in: term()}
) :: [
  %Proca.Supporter.Consent{
    communication_consent: term(),
    communication_scopes: term(),
    delivery_consent: term(),
    org: term()
  }
]

privacy - for now, a simple privacy map is: %{ opt_in: :boolean, lead_opt_in: :boolean }. Exactly what we have in the API.


transient_action_fields(action, action_page)

List of custom field keys which are sensitive and should be cleared after delivery


transient_supporter_fields(ap)

Which supporter fields are cleared after processing