Compliance Dashboard AI Act Art. 50 GDPR Accountability Access & Suppliers Security Intake

Use this page to map each major HEA-World data category to purpose, role, retention, notice, evidence, and gaps. This is an accountability workspace, not a final legal position.

Framework Rows

GDPR-5-1, GDPR-5-2, GDPR-5-3, GDPR-5-5, GDPR-5-6, GDPR-5-7

Evidence Rule

Unknown lawful basis, unclear retention, or missing notice remains a dashboard gap until reviewed and evidenced.

Source Plan

private/technology&Architecture/compliance/20260706_quick_win_compliance_closure_plan.md

Accountability Table Fields

Field What To Capture Evidence Expectation
Data category Visitor chat, HEA owner profile, creator CRM data, governed skill state, billing, support/contact, analytics, or security logs. One row per meaningful data category, not per raw field.

Platform Data Categories

CategoryExample DataStorage
Visitor chat dataChat messages, history, agent state, conversation metadataKV + R2 archives
HEA creator profileBusiness name, domain, personality, resourcesR2 secure
CRM contacts/leadsName, email, phone, organization, pipeline stateR2 secure (per-HEA isolated)
Billing & company infoCompany name, VAT, billing email, addressKV + Stripe
Connector tokensGmail/Microsoft/IMAP/Shopify/WhatsApp OAuth tokensKV (AES-256-GCM encrypted)
WhatsApp visitor dataPhone numbers, session mapping, message buffersKV (TTL-based)
Trial/presales dataEmail, verification codesKV
Outbound/press contactsNames, emails, campaign dataR2 secure/ops
Usage meteringOperation counts, token usage per creatorKV → R2 archive
Example fields Short examples only, without live personal data. Enough detail to recognize the dataset and boundaries.

Actual Field Examples by Category

  • Chat: free-text messages, visitor_profile, collected_fields (name, email, phone).
  • CRM: name, email, phone, organization, pipeline stage, timeline.
  • Billing: company_name, vat, billing_email, phone, address.
  • Tokens: encrypted OAuth refresh tokens (never exposed in UI).
Purpose Why HEA-World processes the category. Purpose must match product behavior and user-facing copy.

Processing Purposes

  • Chat: Core product — AI chat with website visitors.
  • CRM: Lead management and business relationship tracking for HEA creators.
  • Billing: Subscription management, invoicing, and tax compliance.
  • Connectors: Email sync for CRM, messaging channels.
  • Metering: Usage-based billing and platform health.
Lawful-basis assumption Candidate basis for review, or review needed. Never present as final legal sign-off unless reviewed.

Candidate Lawful Bases

Data CategoryCandidate BasisStatus
Visitor chatLegitimate interest (product operation) + CMP consent delegation — hea_consent.js defaults to necessary-only when no CMP present; client responsible for CMP install✅ Confirmed (2026-07-06)
CRM contactsLegitimate interest (B2B relationship) — contacts derived from email parsing and conversation interactions, not scraped✅ Confirmed (2026-07-06)
BillingContract performance (Art. 6(1)(b))🔵 Candidate basis
Connector tokensContract performance🔵 Candidate basis
Trial dataConsent (signup form)🔵 Candidate basis
OutboundLegitimate interest + opt-out — nurture emails include unsubscribe today; product campaign feature must include opt-out/unsubscribe at build time✅ Confirmed (2026-07-06)
Role HEA-World controller, HEA creator controller, processor, or context-dependent split. Document uncertainty instead of hiding it.

Controller / Processor Role Mapping

  • HEA-World is controller for: platform billing, admin/auth, metering.
  • HEA Creator is controller for: their CRM contacts, their visitor conversations.
  • HEA-World is processor for: chat data processed on behalf of creators, CRM email sync.

Split depends on context — documented as uncertain until legal review.

User-facing notice Privacy policy, trust page, widget disclosure, consent surface, or product setting. Link copy/page evidence once reviewed.

Notice Surfaces

  • Privacy policy: hea_privacy_terms.html (states AI interaction, data collection).
  • Trust page: hea_trust.html (security & compliance).
  • Cookie consent: Cookiebot banner (statistics consent).
  • Chat widget: Configurable disclaimer (default ON).
  • WhatsApp: Auto-prepended first-message disclaimer.
  • Data deletion form: hea_data_deletion.html.

⚠️ Partial Notices exist but DSAR path is manual only.

Retention rule TTL, cleanup policy, permanent until deletion, or manual review needed. Map to KV/R2 registry, cleanup job, or policy note.

Retention Posture by Dataset

DatasetCurrent RetentionStatus
Chat messages (KV)Legacy dual-write (chat:{id}:{ts}) — still written for compatibility alongside chatHistory:. Recommend deprecating dual-write and one-time cleanup.⚠️ Deprecate dual-write
Chat history (KV)Archive to encrypted R2, then delete KV — cron conversation-archive enforces encrypt→write→verify→delete ordering; chatHistory only deleted when no active sessions remain for visitor✅ Archive engine
Conversation archives (R2)3-year retention target⚠️ Sweep not yet active
Chat budget/RAG traces14-day TTL✅ Auto-expire
WhatsApp sessions24h TTL✅ Auto-expire
CRM contacts/leads (R2)Permanent⚠️ No delete path
Billing records (KV)Permanent — retained per EU tax/accounting obligation (7-10 year minimum)✅ Retained — legal obligation
Connector tokens (KV)Delete on disconnect✅ Revocation path exists
Trial rate limiters (KV)Permanent (no TTL) — should add 30-day TTL at write time (counters only, no PII)🔵 Add TTL
Minimisation decision Required, optional, sensitive, or avoidable. Avoidable or sensitive fields need owner decision.

Data Minimisation Assessment

  • Required: chat messages (core product), CRM core fields (name, email).
  • Optional: visitor_profile enrichment fields, collected_fields extraction.
  • Sensitive: OAuth tokens (encrypted), billing company data (VAT).
  • Avoidable: trial rate-limiter email keys (should have TTL), presales email index keys.
Gap Missing notice, missing retention, missing DSAR path, missing owner, or missing evidence. Open gaps should map back to Compliance Dashboard rows.

Open Accountability Gaps

GapDetailStatus
No automated DSAR fulfillmentData deletion form sends email only🔴 Gap
No per-visitor data purgeCannot delete all data for a specific visitor🔴 Gap
No per-CRM-contact deleteCannot hard-delete a single contact/lead🔴 Gap
No self-service data exportNo 'download my data' capability🔴 Gap
Chat messages have no TTLPermanent KV storage⚠️ Partial
Trial keys accumulateNo cleanup for trialrl:email:* keys⚠️ Partial
Retention sweep not active3-year archive sweep is report-only⚠️ Partial