← Back to Documentation

🔐 GDPR Compliance

Complete privacy compliance features including cookie consent, data exports, and user rights management

GDPR Overview

Soonie comes with comprehensive GDPR (General Data Protection Regulation) compliance features built-in. These tools help you respect user privacy, obtain proper consent, and manage data subject rights according to EU privacy law.

🍪
Cookie Consent

Banner with accept/decline options and privacy policy link

📜
Privacy Policy

Detailed modal with comprehensive information about data processing

Email Consent

Required checkbox for subscription with clear consent language

📤
Data Export

CSV and JSON export formats for data portability

🗑️
Right to Erasure

Individual email deletion with GDPR confirmation

📋
Transparency

Clear information about data processing and retention

Legal Basis for Processing

Article 6(1)(a) - Consent

Soonie processes personal data based on explicit consent from data subjects:

  • What we collect: Email addresses for launch notifications
  • Why we collect it: To send a single notification when your product launches
  • Legal basis: Consent freely given by the user
  • Retention period: Until launch notification is sent or upon user request for deletion

Cookie Consent Management

🍪 Cookie Banner Features

The cookie consent banner appears after 2 seconds and includes:

We use cookies to enhance your experience and remember your theme preference. We also collect email addresses for launch notifications in compliance with GDPR. [Privacy Policy] [Accept All] [Decline]

Configuration Options

// Enable/disable cookie consent banner define('COOKIE_CONSENT_REQUIRED', true); // Enable/disable GDPR features define('GDPR_ENABLED', true);

Cookie Types Used

Cookie Purpose Duration Required
theme Remember user's theme preference 1 year No
cookieConsent Store consent choice Permanent (localStorage) Yes

Email Collection Compliance

📧 Consent Requirements

Before email collection, users must:

  • Check the consent checkbox explicitly
  • Read the privacy policy (linked in checkbox text)
  • Understand data usage through clear messaging

Consent Checkbox Text

I agree to the Privacy Policy and consent to my email being stored for launch notifications. You can unsubscribe at any time.

Technical Implementation

// Email submission requires explicit consent if (!isset($_POST['gdpr_consent']) || $_POST['gdpr_consent'] !== '1') { $message = 'Please accept our privacy policy to continue.'; }

Data Subject Rights Management

🗂️ User Rights Under GDPR

Right to Access
Right Article Implementation
Article 15 CSV and JSON export functions
Right to Rectification Article 16 Delete and re-add with correct email
Right to Erasure Article 17 Individual email deletion in admin panel
Right to Data Portability Article 20 CSV and JSON export formats
Right to Withdraw Consent Article 7 Contact data controller or request deletion

📤 Data Export Formats

CSV Export (Simple Format)

Email,Timestamp user@example.com,2025-01-15 14:30:25

JSON Export (Complete GDPR Data)

{ "export_date": "2025-01-15T14:30:25+00:00", "data_controller": "Your Company Name", "purpose": "Launch notification signup data", "lawful_basis": "Consent (GDPR Article 6(1)(a))", "subscriber_data": [...], "total_records": 150 }

GDPR Configuration Settings

⚙️ Basic GDPR Settings

// Enable GDPR compliance features define('GDPR_ENABLED', true); // Require cookie consent banner define('COOKIE_CONSENT_REQUIRED', true); // Data retention policy define('DATA_RETENTION_DAYS', 0); // Manual deletion only // Auto-delete after launch define('AUTO_DELETE_AFTER_LAUNCH', true);

Contact Information

// Data controller contact for GDPR requests define('GDPR_CONTACT_EMAIL', 'privacy@yourcompany.com'); // Privacy policy last updated define('PRIVACY_POLICY_DATE', date('F Y'));

Privacy Policy Modal

📜 Comprehensive Information

The privacy policy modal includes all required GDPR disclosures:

Data Collection Section

  • What personal data we collect (email address)
  • When we collect it (subscription signup)
  • Why we collect it (launch notifications)

Data Usage Section

  • How we use the data (single notification email)
  • Who has access (no third-party sharing)
  • Storage location (secure server storage)

User Rights Section

  • Right to access personal data
  • Right to rectification (correction)
  • Right to erasure ("right to be forgotten")
  • Right to withdraw consent
  • Right to data portability

Data Protection Measures

🛡️ Technical Safeguards

1. File Protection

# .htaccess protects email files <Files "emails.txt"> Order Allow,Deny Deny from all </Files>

2. Input Validation

// Email validation and sanitization $email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);

3. CSRF Protection

// Token validation on all forms if (CSRF_PROTECTION && !verifyCSRFToken($_POST['csrf_token'])) { // Reject submission }

Organizational Measures

  • Access Control: Admin panel password protection
  • Data Minimization: Only collect necessary data (email)
  • Purpose Limitation: Clear purpose stated (launch notifications)
  • Storage Limitation: Option for automatic deletion
  • Documentation: Complete audit trail of processing activities

International Compliance

🌍 Additional Privacy Laws

UK GDPR (UK DPA 2018)

  • Same requirements as EU GDPR
  • Covered by existing implementation

CCPA (California Consumer Privacy Act)

  • Right to know: ✅ Privacy policy disclosure
  • Right to delete: ✅ Admin panel deletion
  • Right to opt-out: ✅ Consent withdrawal

Other Regional Laws

  • PIPEDA (Canada): Consent and transparency ✅
  • LGPD (Brazil): Data subject rights ✅
  • PDPA (Singapore): Consent and purpose limitation ✅

Compliance Checklist

✅ Pre-Launch Checklist

  • Admin password changed from default
  • Privacy policy reviewed and updated
  • Contact information added for data protection inquiries
  • Cookie consent banner tested
  • Email consent checkbox working
  • Data export functions tested
  • Email deletion feature tested
  • HTTPS enabled for secure data transmission
  • File permissions properly configured
  • Records of processing documented

✅ Ongoing Compliance

  • Regular backups of email data
  • Monitor data requests and respond within 30 days
  • Update privacy policy as needed
  • Security patches applied promptly
  • Staff training on data protection procedures
  • Breach procedures documented and tested

Support for Data Subject Requests

📞 Handling User Requests

Email Deletion Requests

Verify the request authenticity
  • Locate the email in admin panel
  • Use "Delete (GDPR)" button
  • Confirm deletion to requestor

    • Data Access Requests

    1. Verify identity of requestor
    2. Export data using JSON format
    3. Provide within 30 days
    4. No fee for first request
      5. Response Templates Available: Use pre-written templates for deletion confirmations and data export responses to ensure compliance and consistency.
      ⚠️ Legal Disclaimer: This documentation provides guidance for GDPR compliance. For specific legal advice, consult with a qualified data protection attorney.
      ← Admin Panel Troubleshooting →