EU legal compliance: privacy policy, cookie disclosure, CGU, GDPR rights

[jbourdin]

Summary

Ensure the application meets EU/French legal requirements for a webapp processing user accounts.

Requirements

1. Privacy Policy

CMS page (EN + FR) covering:

• What personal data is collected (email, screen name, preferred locale, last login, IP via logs)
• Purpose of processing (account management, deck lending tracking, event participation)
• How long data is kept (account lifetime + deletion policy)
• Who data is shared with (no third parties; Scaleway hosting, Bunny CDN, Friendly Captcha for bot protection)
• User rights: access, rectification, deletion, portability (GDPR Articles 15-20)
• Legal basis for processing (legitimate interest for core features, consent for optional features)
• Contact details of the data controller

2. Cookie / Consent Disclosure

• The app uses only essential cookies (Symfony session, CSRF token) — no analytics, no ads, no tracking
• No consent banner needed, but cookies must be disclosed in the privacy policy
• Document Friendly Captcha's proof-of-work mechanism (no tracking cookies, GDPR-compliant by design)

3. Legal Notice / Mentions Légales (partially done)

Already created in v1.3.1. Still missing:

• Publication director ("directeur de la publication")
• Formal contact email or form (currently points to GitHub issues — may not satisfy the requirement for non-technical users)

4. Terms of Use / CGU

CMS page (EN + FR) covering:

• Rules for using the service
• Account creation requirements (email verification, age)
• User responsibilities (accurate deck lists, returning borrowed decks)
• Content ownership (user-submitted deck lists, CMS content)
• Termination conditions (account deletion, bans)
• Deck lending/borrowing disclaimer (already in legal notice — reference it)

5. GDPR: Right to Deletion (Article 17)

• Account deletion feature exists (F12.6)
• Verify the deletion flow is documented in the privacy policy
• Verify deletion is mentioned in the CGU

6. GDPR: Data Export / Portability (Article 20)

• Data export feature exists (F12.7)
• Verify export is documented in the privacy policy
• Verify export is mentioned in the CGU

7. Consent Records

• Record timestamp when user agrees to CGU at registration
• Store which version of the CGU was accepted
• Consider requiring re-acceptance when CGU changes

Notes

• Privacy policy and CGU can be CMS pages in the "Legal" footer category
• Most content is editorial (not code) — can be entered via admin CMS editor
• Consent recording may require a small schema change (user entity or separate table)