# Privacy & Compliance

## Overview

Fire-OS is designed with privacy and compliance in mind. This document outlines our data handling practices and compliance status.

## GDPR Compliance

### Data Subject Rights

Fire-OS supports all GDPR data subject rights:

| Right | Implementation |
|-------|----------------|
| **Right to Access** | Users can export all their data via dashboard |
| **Right to Rectification** | Users can edit their data at any time |
| **Right to Erasure** | Account deletion removes all personal data |
| **Right to Portability** | Data exported in standard JSON format |
| **Right to Object** | Users can opt out of marketing communications |
| **Right to Restrict** | Account pause feature available |

### Lawful Basis for Processing

| Data Category | Lawful Basis |
|--------------|--------------|
| Account data | Contract performance |
| Usage analytics | Legitimate interest |
| Marketing emails | Consent |
| Support communications | Contract performance |
| Financial records | Legal obligation |

### Data Processing Agreements

- Supabase: DPA in place
- Vercel: DPA in place
- Stripe: DPA in place
- Resend: DPA in place

### International Data Transfers

- Primary data storage: US (Supabase)
- CDN: Global (Vercel Edge Network)
- Standard Contractual Clauses (SCCs) in place for EU data

## Data Retention Policies

### Active Account Data

| Data Type | Retention | Justification |
|-----------|-----------|---------------|
| User profile | Until deletion | Service delivery |
| Customer records | Until deletion | Business operations |
| Prospect data | 2 years inactive | Sales cycle length |
| Email history | 1 year | Reference and audit |
| Call recordings | 90 days | Quality assurance |
| Audit logs | 90 days | Security monitoring |

### After Account Deletion

| Data Type | Retention | Reason |
|-----------|-----------|--------|
| Anonymized analytics | Indefinite | Product improvement |
| Financial records | 7 years | Tax compliance |
| Audit logs | 90 days post-deletion | Security |

### Automated Deletion

- Inactive trial accounts: Deleted after 30 days
- Unverified accounts: Deleted after 7 days
- Expired invitations: Deleted after 14 days

## Privacy by Design

### Minimization
- Only collect data necessary for the service
- Optional fields clearly marked
- No tracking beyond operational needs

### Purpose Limitation
- Data used only for stated purposes
- No selling of customer data
- No third-party advertising

### Security by Default
- All connections encrypted
- Passwords hashed
- API keys encrypted
- Sessions expire automatically

## User Consent

### Account Creation
- Terms of Service acceptance required
- Privacy Policy link provided
- Marketing opt-in separate from account creation

### Marketing Communications
- Explicit opt-in required
- Easy unsubscribe in every email
- Preference center available
- Consent records maintained

### Cookies
- Essential cookies: No consent required
- Analytics cookies: Consent required
- No third-party tracking cookies

## Data Breach Response

### Detection
- Automated monitoring for unauthorized access
- Alert thresholds for unusual activity
- Regular log review

### Assessment (Within 24 hours)
1. Identify scope of breach
2. Determine data affected
3. Assess risk to individuals
4. Document findings

### Notification (Within 72 hours)
1. Notify relevant supervisory authority
2. Notify affected individuals (if high risk)
3. Update status page
4. Prepare public statement if necessary

### Remediation
1. Contain the breach
2. Eliminate vulnerability
3. Restore from backup if needed
4. Review and improve controls

## SOC 2 Roadmap

### Type I (Target: Q2 2024)
- [ ] Finalize control documentation
- [ ] Implement remaining controls
- [ ] Engage auditor
- [ ] Complete Type I audit

### Type II (Target: Q4 2024)
- [ ] 6-month operating period
- [ ] Continuous control monitoring
- [ ] Evidence collection
- [ ] Complete Type II audit

### Trust Service Criteria

| Criteria | Status |
|----------|--------|
| Security | In progress |
| Availability | In progress |
| Processing Integrity | Planned |
| Confidentiality | In progress |
| Privacy | In progress |

## Compliance Documentation

### Available Upon Request
- Data Processing Agreement (DPA)
- Sub-processor list
- Security questionnaire responses
- Penetration test summary (redacted)
- SOC 2 report (when available)

### Contact for Compliance Requests
- Email: compliance@fire-os.com
- Response time: Within 5 business days

## California Consumer Privacy Act (CCPA)

### Rights Supported
- Right to know what data is collected
- Right to delete personal information
- Right to opt out of sale (we don't sell data)
- Right to non-discrimination

### Verification Process
- Identity verification required for requests
- Response within 45 days
- No fee for requests

## Industry-Specific Compliance

### Financial Services
- Not currently PCI DSS compliant
- Stripe handles all payment card data
- Financial records retained per regulations

### Healthcare
- Not currently HIPAA compliant
- PHI should not be stored in Fire-OS
- HIPAA compliance is under evaluation for the future

## Contact

For privacy or compliance inquiries:
- Privacy: privacy@fire-os.com
- Compliance: compliance@fire-os.com
- DPO (EU): dpo@fire-os.com
