# Data classification and handling policy

**Version:** 1.0
**Effective date:** 2026-04-17

## 1. Classification levels

| Level | Definition | Examples |
|---|---|---|
| **Public** | Intended for public audiences | Marketing copy, pricing, help articles |
| **Internal** | Normal company operations, not intended for customers | Sprint notes, runbooks, roadmap drafts |
| **Confidential** | Customer-provided data | Proposal content, client emails, catalogue items |
| **Restricted** | Identifies individuals or affects money | Passwords (hashed), payment metadata, API keys, admin audit log |

## 2. Handling requirements

| Requirement | Public | Internal | Confidential | Restricted |
|---|---|---|---|---|
| Encrypt at rest | Optional | Yes | Yes | Yes |
| Encrypt in transit (TLS 1.2+) | Yes | Yes | Yes | Yes |
| Access logged | No | No | Yes | Yes |
| Retention limit | Indefinite | 2 years | Tied to customer account lifecycle | Minimum necessary, see below |
| MFA required to access | No | Yes | Yes | Yes |
| Shareable externally | Yes | With approval | No | No |
| Production only | No | No | Yes | Yes |

## 3. Specific data types

| Data | Level | Store | Retention |
|---|---|---|---|
| User passwords | Restricted | Airtable `Users.Password` (bcrypt hash) | Until account deletion |
| JWT signing secret | Restricted | Netlify env var `JWT_SECRET` | Rotated annually or on suspected compromise |
| Customer proposal content | Confidential | Airtable `Proposals` | Until customer deletes or offboards |
| Client emails | Confidential | Airtable `Proposals.Client Email` | Same as proposal |
| Payment details | Restricted | Stripe only (never us) | Per Stripe retention |
| Audit log | Restricted | Airtable `Admin Audit Log` | 7 years |
| Error reporter logs | Confidential (may contain user input) | Blob storage | 90 days |
| Transactional email logs | Confidential | Resend | 90 days |

## 4. Data minimisation

Fields are only collected where they support a concrete product feature. Fields marked optional are never required. The signup flow captures only: email, password, first name, company name. Anything else is asked in-app later.

## 5. Data subject requests (GDPR)

- Export: available via Settings > Data > Export (JSON of all records tied to the account)
- Delete: available via Settings > Account > Delete account. Hard-deletes within 30 days; audit log anonymised, not deleted (legal retention)
- Portability: same export endpoint; JSON is portable by design
- Rectification: customers edit their own data in-app; for data they cannot edit, they contact us

## 6. Anonymisation

For any analytics or product-improvement use:
- Customer emails replaced with `<hash>@<domain>`
- Free-text fields truncated to 40 chars
- No AI training on customer content; the Anthropic API is called with its `ZDR` (zero data retention) configuration where available
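As an added example, not code from this policy or the product it describes, the Python routine below applies the section 6 rules to one record before it reaches analytics: the email local part is replaced by a hash and the domain kept, free-text fields are cut to 40 characters, and any field not explicitly allow-listed is dropped. The field names, the sample row, the pepper and the choice of a keyed HMAC are assumptions; the policy only specifies `<hash>@<domain>`.

```python
import hashlib
import hmac
import re

# Constructed pepper for this example only; in practice load it from a secret store.
# Keying the hash is an assumption: the policy only specifies "<hash>@<domain>".
ANON_PEPPER = b"example-pepper-not-for-production"
FREE_TEXT_LIMIT = 40  # section 6: free-text fields truncated to 40 chars
EMAIL_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")

def anonymise_email(email: str) -> str:
    """Replace the local part with a keyed hash and keep the domain: <hash>@<domain>."""
    m = EMAIL_RE.match(email.strip())
    if not m:
        raise ValueError("expected a single address of the form local@domain")
    local, domain = m.group(1).lower(), m.group(2).lower()
    # HMAC rather than bare SHA-256: without the pepper a guessed local part cannot
    # simply be hashed and compared against the anonymised value.
    digest = hmac.new(ANON_PEPPER, local.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{digest[:16]}@{domain}"  # 64 bits is plenty to keep analytics keys distinct

def truncate_free_text(text: str, limit: int = FREE_TEXT_LIMIT) -> str:
    """Cut to `limit` characters (code points), so multi-byte text is not split mid-character."""
    return text[:limit]

def anonymise_record(record: dict, email_fields: set, free_text_fields: set, keep_fields: set) -> dict:
    """Apply the section 6 rules to one record. Fields not in any of the three sets are
    dropped, so a column added to the source table later cannot leak into analytics."""
    out = {}
    for key, value in record.items():
        if key in email_fields and isinstance(value, str):
            out[key] = anonymise_email(value)
        elif key in free_text_fields and isinstance(value, str):
            out[key] = truncate_free_text(value)
        elif key in keep_fields:
            out[key] = value
    return out

# Constructed sample row shaped like the Airtable `Proposals` table named in section 3.
SAMPLE_PROPOSAL = {
    "Client Email": "Jane.Doe@Example.com",
    "Proposal Text": "Quote for 120 widgets, delivery in Q3, net-30 payment terms, discount applies",
    "Status": "sent",
    "Internal Note": "Client is the CEO's cousin",  # not allow-listed: must not reach analytics
}

def anonymised_sample() -> dict:
    return anonymise_record(SAMPLE_PROPOSAL, {"Client Email"}, {"Proposal Text"}, {"Status"})
```

The same routine fits the section 5 rule that the audit log is anonymised rather than deleted on account removal, with the log's own email and free-text columns passed in.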
