You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Privacy/compliance gap in the live system. agentculture.org/learn now
persists learner data, but sign-in immediately upserts the learner and issues
a session with no explicit consent step. Verified on the first real sign-in:
authorizing on GitHub created a learners row (GitHub id + display name) with no
"do you consent to save your data?" gate. Before we invite more users (the nav
link is now public), we need explicit, recorded consent.
What we persist today (D1 learn-ledger)
learners — github_user_id, display_name, state (cross-subject profile blob).
records — append-only ledger of learning results (activity, result, mastery, item_id, timestamps).
Privacy invariant already holds: no email, no password — GitHub id + public
display name only. But we DO persist identity + a full learning history, which
is personal data.
Record the consent — store consent as (learner, terms_version, granted_at)
in D1 (a consents table or learners.state). Version it so a terms change
triggers re-consent.
Right to withdraw / delete — a self-serve way for the learner to export and delete their data (remove the learners row + their records), and to
revoke the session. Withdrawal of consent ⇒ deletion.
Privacy policy / terms text — the actual policy page. Coordinate with org (agentculture.org owns the domain and any site-wide privacy policy);
/learn links to it. Where the canonical policy lives (org vs learn) is an open
decision.
Notes
The OAuth callback (handleCallback → upsertLearner) is the enforcement
point: no consent record ⇒ no persistence (issue a short-lived "pending-consent"
session, or block until consent). Design decision needed.
Signed-out browsing stays zero-data (no change) — consent is only for the
signed-in, data-saving path.
GDPR-style framing: consent as the lawful basis; withdrawal + deletion + data
export are the learner rights to support.
Acceptance (rough)
First sign-in shows a consent notice; no learners/records row is written
until the learner consents.
Consent is recorded with a terms version + timestamp; a version bump forces re-consent.
A learner can delete their data (learner + records) and revoke their session.
Privacy policy page exists and is linked from /learn (coordinated with org).
Privacy/compliance gap in the live system. agentculture.org/learn now
persists learner data, but sign-in immediately upserts the learner and issues
a session with no explicit consent step. Verified on the first real sign-in:
authorizing on GitHub created a
learnersrow (GitHub id + display name) with no"do you consent to save your data?" gate. Before we invite more users (the nav
link is now public), we need explicit, recorded consent.
What we persist today (D1
learn-ledger)learners—github_user_id,display_name,state(cross-subject profile blob).records— append-only ledger of learning results (activity, result, mastery, item_id, timestamps).display name only. But we DO persist identity + a full learning history, which
is personal data.
What this issue adds
notice: what is stored, why, how long (retention), and who can see it
(ties to the visibility model in Learn experience: role-based visibility + approved-user LLM tutoring (Bedrock Nova Sonic 2 / Nova Pro) #8). The learner must actively consent before
upsertLearnerpersists anything.in D1 (a
consentstable orlearners.state). Version it so a terms changetriggers re-consent.
delete their data (remove the
learnersrow + theirrecords), and torevoke the session. Withdrawal of consent ⇒ deletion.
org(agentculture.org owns the domain and any site-wide privacy policy);/learn links to it. Where the canonical policy lives (org vs learn) is an open
decision.
Notes
handleCallback→upsertLearner) is the enforcementpoint: no consent record ⇒ no persistence (issue a short-lived "pending-consent"
session, or block until consent). Design decision needed.
signed-in, data-saving path.
export are the learner rights to support.
Acceptance (rough)
learners/recordsrow is writtenuntil the learner consents.
Companion issues: visibility/roles #8, content #9.