Data Privacy & GDPR
Status: DRAFT
Owner: Engineering / Legal
Last Review: 2026-02-21
Applicable Standards: GDPR (Art. 5, 6, 13–22, 25, 32, 44–49) / CCPA / SOC 2 (P1) / ePrivacy Directive
1. Purpose
This document describes what personal data the Equa platform collects, why it is processed, where it is stored, what rights users have over their data, and what gaps exist in the current privacy posture. It serves as the technical privacy inventory to support a formal privacy policy and Data Protection Impact Assessment (DPIA).
2. Scope
| Component | In Scope | Notes |
|---|---|---|
| equa-server | Yes | Backend API, data persistence, authentication, session management |
| equa-web | Yes | Frontend SPA, form data collection, cookie handling |
| PostgreSQL (Cloud SQL) | Yes | Primary data store for all PII |
| AWS S3 | Yes | Document storage (certificates, agreements, uploads) |
| Google OAuth | Yes | Third-party authentication, profile data shared |
| Google reCAPTCHA | Yes | IP address and browser fingerprint shared with Google |
| AWS SES / SMTP | Yes | Email addresses shared for delivery |
| equabot-gateway | Partial | Agent operates within user permission context |
3. Entity-by-Entity Data Inventory
Source: equa-server/modules/persistence/src/schema.ts
3.1 Directly Identifying PII
| Entity | PII Fields | GDPR Category | Purpose |
|---|---|---|---|
| Users (line 410) | email, username, passwordHash, twoFactorSecret, emailVerified, acceptedTerms | Identity, Authentication | Account creation, login, 2FA |
| Profiles (line 716) | fullName, email, dateOfBirth, phone, homeAddress, website | Identity, Contact, Demographics | User profile display, legal notices |
| Members (line 892) | fullName, email, dateOfBirth, address, phone, title | Identity, Contact, Demographics | Equity holder identification, cap table records |
| Addresses (line 473) | street1, street2, street3, country, city, postalCode, province | Contact | Legal notices, certificate delivery, regulatory filings |
| TaxIds (line 871) | value (EIN/SSN), name | Financial, Government ID | IRS reporting (Form 3921, 1099), 409A compliance |
| BankAccounts (line 1282) | accountNumber, registeredNumber, bankName | Financial | Equity transaction settlement |
| Invitations (line 326) | email | Identity | Platform invitations |
| CompaniesInfo (line 344) | email, name, phoneNumber | Identity, Contact | Company onboarding |
| Referrals (line 302) | ipAddress | Network identifier | Referral tracking, anti-abuse |
3.2 Indirectly Identifying / Sensitive Operational Data
| Entity | Fields | GDPR Category | Purpose |
|---|---|---|---|
| Sessions (line 746) | user (UUID), json (serialized session data), expires | Pseudonymous identifier | Authentication state |
| GoogleDriveConnections (line 1847) | accessToken, refreshToken, googleEmail, tokenExpiresAt | Authentication tokens, Identity | Google Drive integration |
| EmailVerifications (line 799) | user (UUID), code | Pseudonymous identifier | Email verification flow |
| Onetimecodes (line 835) | user (UUID), code, available | Pseudonymous identifier | One-time authentication codes |
| Files (line 585) | filename, url, owner (UUID) | Document metadata | Document storage, data room |
| EventLogs | user, action details, timestamps | Behavioral data | Audit trail, security monitoring |
3.3 Equity and Financial Data
| Entity | Key Fields | Purpose |
|---|---|---|
| Shareholdings (line 1131) | shares, issueDate, serialNumber, legend, member | Equity certificate records |
| Options (line 808) | shares, startDate, vestingSchedule, member | Stock option grants |
| Plans (line 647) | boardApprovalDate, termYears, name | Equity incentive plans |
| Holdings (line 1417) | authorized, outstanding, fullyDiluted | Cap table summary data |
| Organizations (line 1207) | name, ein, phoneNumber, website | Company identification |
4. Processing Purposes and Lawful Bases
4.1 GDPR Article 6 Lawful Basis Mapping
| Processing Activity | Lawful Basis (Art. 6) | Justification |
|---|---|---|
| Account creation and authentication | 6(1)(b) Contract performance | Necessary to provide the equity management service |
| Cap table management, equity grants, option exercises | 6(1)(b) Contract performance | Core service delivery |
| SEC reporting, IRS filings (Form 3921, 1099) | 6(1)(c) Legal obligation | Required by US securities and tax law |
| State blue sky law compliance | 6(1)(c) Legal obligation | Required by state securities regulations |
| Session management and authentication tokens | 6(1)(b) Contract performance | Necessary for secure service access |
| Audit trail and activity logging | 6(1)(f) Legitimate interest | Platform security, fraud prevention, regulatory audit support |
| Anti-abuse controls (reCAPTCHA, IP logging, rate limiting) | 6(1)(f) Legitimate interest | Platform security and integrity |
| Email delivery (transactional) | 6(1)(b) Contract performance | Necessary for service notifications |
| Marketing communications | 6(1)(a) Consent | Only where explicit opt-in consent obtained |
| Google Drive integration | 6(1)(b) Contract performance | User-initiated document sync feature |
4.2 Special Category Data
The platform does not intentionally collect special category data (Art. 9). However, documents uploaded to the data room may contain health information, religious affiliation, or other sensitive data at the user’s discretion. The platform does not parse or process document contents beyond storage and retrieval.
5. Data Storage Architecture
5.1 Primary Database
| Property | Value |
|---|---|
| Engine | PostgreSQL (Google Cloud SQL) |
| Location | United States |
| Encryption at rest | Google-managed encryption (AES-256) |
| Encryption in transit | TLS between application and database |
5.2 File Storage
| Property | Value |
|---|---|
| Service | Amazon S3 |
| Content | Document uploads, certificates, legal agreements |
| Encryption at rest | S3 server-side encryption (SSE-S3) |
| Access control | IAM policies restrict access to the application service account |
5.3 Session Storage
| Property | Value |
|---|---|
| Store | PostgreSQL via TypeORMSessionStore |
| Lifecycle | 29-day rolling expiry (API_SESSION_MAX_AGE) |
| Content | Session ID, user reference, expiry timestamp, serialized session JSON |
| Cookie | express-session cookie — this is personal data under GDPR as it uniquely identifies a user’s browser session |
Source: equa-server/modules/auth/src/sessions.ts
The express-session cookie constitutes personal data under GDPR because it links a browser to an authenticated user session. The session cookie should be documented in any published privacy policy and cookie consent mechanism as a “strictly necessary” cookie that does not require consent but does require disclosure under GDPR Art. 13 and the ePrivacy Directive.
6. Third-Party Data Sharing
| Third Party | Data Shared | Purpose | Legal Basis |
|---|---|---|---|
| Google OAuth | User email, profile name (received from Google during login) | Authentication | Art. 6(1)(b) Contract performance |
| Google reCAPTCHA | IP address, browser fingerprint (sent to Google on signup) | Bot prevention | Art. 6(1)(f) Legitimate interest |
| AWS S3 | Document files (uploaded by users) | Document storage | Art. 6(1)(b) Contract performance |
| AWS SES / SMTP | Recipient email addresses | Email delivery (transactional) | Art. 6(1)(b) Contract performance |
| Google Drive | OAuth tokens, document metadata (user-initiated sync) | Document integration | Art. 6(1)(b) Contract performance |
No Data Processing Agreements (DPAs) are documented with sub-processors. Under GDPR Art. 28, the data controller must have a written DPA with each processor.
Recommendation: Execute DPAs with Google Cloud, AWS, and any email delivery provider. Document the DPA register as part of the compliance program.
7. User Rights
Under GDPR (and analogous rights under CCPA), users have the following rights:
7.1 Right of Access (Article 15)
Users can request a copy of all personal data held about them. The platform should provide an export mechanism covering:
- Profile data (name, email, contact information)
- Equity holdings and transaction history
- Activity logs associated with their account
- Session data and authentication history
7.2 Right to Rectification (Article 16)
Users can request correction of inaccurate personal data. Profile fields (name, email, address, phone) are editable through the application. Tax IDs and legal data changes require admin verification.
7.3 Right to Erasure (Article 17)
Users can request deletion of their personal data, subject to legal retention requirements. Key constraints:
- Equity transaction records may need to be retained for 7 years (IRS requirements)
- SEC filing data cannot be deleted while the issuer has reporting obligations
- Audit trail records tied to securities transactions are retained per regulatory requirements
See Data Retention Policy for the full retention schedule.
7.4 Right to Data Portability (Article 20)
Users can request their data in a structured, machine-readable format. The platform should support export in JSON or CSV format covering profile data, equity holdings, and transaction history.
7.5 Right to Restrict Processing (Article 18)
Users can request that processing of their data be limited while disputes about accuracy or lawfulness are resolved.
7.6 Right to Object (Article 21)
Users can object to processing based on legitimate interest (Art. 6(1)(f)). This applies to audit logging and anti-abuse processing. The controller must demonstrate compelling legitimate grounds to continue processing.
8. Email Blacklists
The platform maintains an email blacklist mechanism to:
- Prevent delivery of transactional emails to addresses that have hard-bounced
- Honor unsubscribe requests for non-essential communications
- Comply with CAN-SPAM and GDPR consent withdrawal
Source: equa-server/modules/persistence/src/schema.ts (DomainBlacklists entity line 195, EmailBlacklists entity)
Blacklisted addresses are stored in the database and checked before any email dispatch.
9. Cross-Border Data Transfers
Data is stored and processed in the United States. For users in the European Economic Area (EEA):
| Mechanism | Status |
|---|---|
| Standard Contractual Clauses (SCCs) | Not yet executed |
| Sub-processor documentation | Not yet formalized |
| Transfer Impact Assessment | Not yet performed |
Sub-processors requiring SCCs:
| Sub-processor | Data Transferred | Location |
|---|---|---|
| Google Cloud (Cloud SQL, Cloud Run) | All database records, application hosting | United States |
| AWS (S3) | Uploaded documents | United States |
| Email delivery provider (SES/SMTP) | Recipient email addresses | United States |
No Standard Contractual Clauses (SCCs) or other GDPR Chapter V transfer mechanisms are in place for cross-border data transfers. Under GDPR Art. 44–49, transfers to third countries require an adequacy decision, SCCs, or another approved mechanism.
Recommendation: Execute SCCs with each sub-processor and complete a Transfer Impact Assessment (TIA) documenting the legal framework in the destination country.
10. Data Protection Gaps and Recommendations
The following gaps should be addressed to strengthen GDPR compliance posture.
| Gap | Risk | Recommendation |
|---|---|---|
| No formal privacy policy published | GDPR Art. 13/14 non-compliance | Draft and publish a privacy policy covering all required disclosures |
| No automated data export | Cannot fulfill Art. 15/20 portability requests efficiently | Build a self-service data export feature |
| No Data Processing Agreements (DPAs) | Art. 28 sub-processor compliance gap | Execute DPAs with Google Cloud, AWS, and email providers |
| No cookie consent mechanism | ePrivacy Directive non-compliance | Implement a cookie consent banner for EU users |
| No Data Protection Officer (DPO) designated | Art. 37 — may be required depending on processing scale | Designate a DPO or document the Art. 37(1) assessment |
| No Data Protection Impact Assessment (DPIA) | Art. 35 — required for high-risk processing (financial PII at scale) | Conduct a DPIA covering equity data processing |
| No consent management for marketing | Art. 7 — consent must be freely given, specific, informed | Implement opt-in consent tracking with withdrawal mechanism |
| Sensitive fields stored in plaintext | Art. 32 — appropriate security measures | Encrypt BankAccounts.accountNumber, TaxIds.value, GoogleDriveConnections.accessToken/refreshToken (see Security Architecture) |
| No automated data retention enforcement | Art. 5(1)(e) — storage limitation | Implement retention-based purge jobs (see Data Retention Policy) |
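The "Sensitive fields stored in plaintext" row above recommends application-level encryption of TaxIds.value, BankAccounts.accountNumber and the Google Drive tokens. The following is an added illustration, not equa-server code: AES-256-GCM field encryption from node:crypto wrapped in a TypeORM-style ValueTransformer shape, with the column name bound as additional authenticated data so a ciphertext copied from one column into another fails to decrypt. It assumes a 32-byte key supplied from a secrets manager (the DEMO_KEY below is a constructed placeholder).

```typescript
// Added example, not part of equa-server. Application-level encryption for
// sensitive columns (TaxIds.value, BankAccounts.accountNumber, ...) using
// AES-256-GCM. Stored layout: base64(iv || authTag || ciphertext).
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

const ALG = "aes-256-gcm";
const IV_LEN = 12;  // 96-bit nonce, the recommended size for GCM
const TAG_LEN = 16; // 128-bit authentication tag

// Encrypts one field value. `aad` (e.g. the column name) is authenticated but
// not encrypted, so a ciphertext moved to another column will not decrypt.
export function encryptField(plain: string, key: Buffer, aad = ""): string {
  if (key.length !== 32) throw new Error("key must be 32 bytes for AES-256");
  const iv = randomBytes(IV_LEN); // fresh random nonce per value
  const cipher = createCipheriv(ALG, key, iv);
  cipher.setAAD(Buffer.from(aad, "utf8"));
  const ct = Buffer.concat([cipher.update(plain, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Decrypts a stored value; throws on tampering, wrong key or wrong AAD.
export function decryptField(stored: string, key: Buffer, aad = ""): string {
  const buf = Buffer.from(stored, "base64");
  if (buf.length < IV_LEN + TAG_LEN) throw new Error("ciphertext too short");
  const iv = buf.subarray(0, IV_LEN);
  const tag = buf.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = buf.subarray(IV_LEN + TAG_LEN);
  const decipher = createDecipheriv(ALG, key, iv);
  decipher.setAAD(Buffer.from(aad, "utf8"));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// TypeORM ValueTransformer shape (hypothetical usage, not the project's code):
//   @Column({ transformer: encryptedColumn(key, "TaxIds.value") }) value: string;
// `to` runs on write, `from` on read; NULL passes through untouched.
export function encryptedColumn(key: Buffer, columnTag: string) {
  return {
    to: (v: string | null) => (v == null ? v : encryptField(v, key, columnTag)),
    from: (v: string | null) => (v == null ? v : decryptField(v, key, columnTag)),
  };
}

// Constructed placeholder key for the demo only; load the real key from a
// KMS / secrets manager and never commit it to source control.
export const DEMO_KEY: Buffer = Buffer.alloc(32, 7);
```

Note that GCM only protects confidentiality and integrity of the stored value; key rotation, access logging and restricting who can call `decryptField` still need to be handled by the surrounding service.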
11. Regulatory References
| Standard | Requirement | Current Status |
|---|---|---|
| GDPR Art. 5 | Data processing principles (lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity) | Partial — processing purposes documented, but no retention enforcement or data minimization review |
| GDPR Art. 6 | Lawful basis for processing | Documented — mapped in Section 4 above |
| GDPR Art. 13/14 | Information to be provided to data subjects | Gap — no published privacy policy |
| GDPR Art. 15–22 | Data subject rights (access, rectification, erasure, portability, restriction, objection) | Partial — rights exist conceptually but no self-service tooling |
| GDPR Art. 25 | Data protection by design and by default | Partial — RBAC and permission model exist; default access is minimal (guest role) |
| GDPR Art. 28 | Processor obligations (DPAs) | Gap — no DPAs documented |
| GDPR Art. 32 | Security of processing | Partial — encryption limited to 2FA secrets; see Security Architecture |
| GDPR Art. 33/34 | Breach notification | Documented — see Incident Response Plan |
| GDPR Art. 35 | Data Protection Impact Assessment | Gap — no DPIA performed |
| GDPR Art. 44–49 | Cross-border transfers | Gap — no SCCs or transfer mechanisms in place |
| CCPA | California consumer privacy rights | Partial — analogous to GDPR rights; no CA-specific disclosures |
| SOC 2 P1 | Privacy notice and consent | Gap — no published privacy policy or consent mechanism |
12. Revision History
| Date | Version | Author | Changes |
|---|---|---|---|
| 2026-02-21 | 0.1 | Agent (Phase 5 Session A) | Initial draft |
| 2026-02-21 | 0.2 | Agent (Phase 5 Session B) | Template alignment, entity-by-entity inventory from schema.ts, Art. 6 lawful basis mapping, third-party data sharing, session cookie as personal data, cross-border transfer detail, regulatory references table |