Data Privacy Policy (Internal)
Version: 1.0 · Effective: July 14, 2026 · Owner: Security Lead / DPO delegate
This is the internal engineering-facing companion to the public Privacy Policy. It defines how personal data must be handled inside the codebase and operations.
1. Data classification
| Class | Examples | Handling |
| --- | --- | --- |
| Public | Marketing site, /llms.txt | No restriction |
| Internal | Aggregate metrics, feature flags | Employees only |
| Confidential | Customer PII, job photos, invoices | RLS + audit log |
| Restricted | Passwords, API keys, service-role key, MFA seeds | Secret store only, never logged |
2. Lawful basis (GDPR)
Contract performance (product delivery), legitimate interest (security & analytics), consent (marketing, precise location), legal obligation (tax, audit).
3. Data minimization
- Server functions accept only the fields they use — enforced by Zod
.strict()schemas. - AI features send image descriptions (Gemini) rather than raw photos to third-party LLMs where feasible.
- Logs redact tokens, passwords, and full email addresses (last 4 of local-part only).
4. Encryption
- In transit: TLS 1.2+ enforced by Cloudflare; HSTS enabled.
- At rest: AES-256 (Supabase managed). Backups inherit the same encryption.
- Application-level: OAuth tokens for third parties (Microsoft, Google) stored encrypted via Supabase Vault; the app never reads the raw column.
5. Retention
| Data | Retention | Deletion trigger |
| --- | --- | --- |
| Account & profile | Life of account | User deletion request |
| Job / customer records | Life of account + 30 d | Account-wide deletion |
| Invoices & financial | 7 years (tax law) | Statutory expiry |
| audit_logs | 2 years | Rolling purge |
| security_events | 1 year | Rolling purge |
| Backups | 30 days | PITR window |
6. Data subject rights
- Access, correction, portability, deletion, restriction, objection.
- Requests via
/data-deletionorengmartin@ecopowerhub.ai. - Fulfilled within 30 days (GDPR) / 45 days (CCPA). Extensions documented in
audit_logs.
7. Cross-border transfers
US-based processing. EU/UK transfers rely on Standard Contractual Clauses with sub-processors. China transfers require explicit consent (PIPL).
8. Sub-processors
Maintained in vendors/assessments.md. Customers are notified 30 days before adding a new sub-processor that materially changes data flow.
9. AI-specific
Customer content is not used to train foundation models. Prompts and outputs may be stored in audit_logs for debugging up to 90 days.
10. Breach handling
See incident-response-plan.md. GDPR supervisory authority notified within 72 hours of confirmed personal-data breach.
Version-controlled source of truth for this document lives in the project repository. Material changes are reviewed by the Security Lead and approved by the CEO.