Skip to content

Learn: explicit user consent before saving learner data (consent gate + right to delete) #10

Description

@OriNachum

Privacy/compliance gap in the live system. agentculture.org/learn now
persists learner data, but sign-in immediately upserts the learner and issues
a session with no explicit consent step
. Verified on the first real sign-in:
authorizing on GitHub created a learners row (GitHub id + display name) with no
"do you consent to save your data?" gate. Before we invite more users (the nav
link is now public), we need explicit, recorded consent.

What we persist today (D1 learn-ledger)

  • learnersgithub_user_id, display_name, state (cross-subject profile blob).
  • records — append-only ledger of learning results (activity, result, mastery, item_id, timestamps).
  • Privacy invariant already holds: no email, no password — GitHub id + public
    display name only. But we DO persist identity + a full learning history, which
    is personal data.

What this issue adds

  1. Consent gate — at first sign-in (before the first write), present a clear
    notice: what is stored, why, how long (retention), and who can see it
    (ties to the visibility model in Learn experience: role-based visibility + approved-user LLM tutoring (Bedrock Nova Sonic 2 / Nova Pro) #8). The learner must actively consent before
    upsertLearner persists anything.
  2. Record the consent — store consent as (learner, terms_version, granted_at)
    in D1 (a consents table or learners.state). Version it so a terms change
    triggers re-consent.
  3. Right to withdraw / delete — a self-serve way for the learner to export and
    delete their data (remove the learners row + their records), and to
    revoke the session. Withdrawal of consent ⇒ deletion.
  4. Privacy policy / terms text — the actual policy page. Coordinate with
    org
    (agentculture.org owns the domain and any site-wide privacy policy);
    /learn links to it. Where the canonical policy lives (org vs learn) is an open
    decision.

Notes

  • The OAuth callback (handleCallbackupsertLearner) is the enforcement
    point: no consent record ⇒ no persistence (issue a short-lived "pending-consent"
    session, or block until consent). Design decision needed.
  • Signed-out browsing stays zero-data (no change) — consent is only for the
    signed-in, data-saving path.
  • GDPR-style framing: consent as the lawful basis; withdrawal + deletion + data
    export are the learner rights to support.

Acceptance (rough)

  • First sign-in shows a consent notice; no learners/records row is written
    until the learner consents.
  • Consent is recorded with a terms version + timestamp; a version bump forces re-consent.
  • A learner can delete their data (learner + records) and revoke their session.
  • Privacy policy page exists and is linked from /learn (coordinated with org).

Companion issues: visibility/roles #8, content #9.

  • learn-cli (Claude)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions