Value Lab — Data Retention & Deletion (Draft)

**Last updated:** 2025-12-25

**Audience:** Library partners (procurement), administrators, and support

> This is a draft operational document. It should be reviewed by counsel and updated to match your final hosting and vendor setup.


1) Goals

Value Lab’s data handling is designed to:

  • retain only what’s needed to run the product and measure outcomes
  • allow libraries to support patron privacy expectations
  • support requests to export or delete user data

2) Data retained in Value Lab

A) Identity & account

  • Email, name (optional), profile image (optional), role

B) Learning & engagement

  • Progress/visit signals for curriculum and founder stories

C) Marketplace submissions (optional)

  • Draft and submitted solution metadata
  • Status + moderation decisions

D) Feedback messages (optional)

  • Feedback content, category, and minimal technical context

3) Retention approach (recommended)

Retention should be set per partner contract and program needs. A common baseline:

  • **Active accounts/programs**: retained while the account remains active
  • **Inactive accounts**: eligible for deletion/de-identification upon request
  • **Transactional records (orders/payments)**: retained per legal/accounting needs, but may be **de-identified** when a user requests deletion

4) User data export

Value Lab supports exporting a user’s data in JSON format (for support and portability).

Endpoint (authenticated):

  • `GET /api/user/data-export`

This returns user-owned records such as attempts, progress visits, founder story visits, feedback submitted by the user, and marketplace submissions owned by the user.


5) User data deletion / de-identification

Value Lab supports deleting a user’s application data from the Value Lab database.

Endpoint (authenticated):

  • `POST /api/user/delete-data`

What happens:

  • user-owned learning attempts, progress, founder story visits, and submissions are deleted
  • feedback submitted by the user is deleted
  • order records (if any) are **de-identified** (userId removed; name/email scrubbed) rather than deleted, to preserve required transactional integrity

**Note:** This does not delete the user’s identity at the authentication provider (Clerk). That is handled separately.
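An added illustration of the delete-data behaviour above (example code, not Value Lab's own implementation): the collection names, record shapes and the `[deleted]` placeholder are assumptions, and the in-memory store stands in for the database. It shows deletion scoped to one `userId`, orders de-identified rather than removed, and a post-check that nothing still references the user.

```javascript
// Collections the page lists as user-owned (names assumed for this example).
const USER_OWNED = ["attempts", "progressVisits", "founderStoryVisits", "feedback", "submissions"];

// Constructed sample store with two users, so the scoping to one userId is visible.
function sampleStore() {
  return {
    attempts: [{ id: 1, userId: "u1" }, { id: 2, userId: "u2" }],
    progressVisits: [{ id: 1, userId: "u1" }],
    founderStoryVisits: [],
    feedback: [{ id: 1, userId: "u1", body: "typo on page 3" }],
    submissions: [{ id: 1, userId: "u1", status: "draft" }],
    orders: [
      { id: 100, userId: "u1", name: "Ada", email: "ada@example.com", amount: 25 },
      { id: 101, userId: "u2", name: "Bob", email: "bob@example.com", amount: 40 },
    ],
  };
}

// Delete user-owned rows and de-identify orders; returns counts for an audit log entry.
function deleteUserData(store, userId) {
  if (typeof userId !== "string" || userId.length === 0) {
    throw new Error("userId required"); // never run a deletion with an empty scope
  }
  const result = { deleted: {}, ordersDeidentified: 0 };
  for (const name of USER_OWNED) {
    const before = store[name].length;
    store[name] = store[name].filter((r) => r.userId !== userId);
    result.deleted[name] = before - store[name].length;
  }
  for (const order of store.orders) {
    if (order.userId !== userId) continue;
    // Keep id and amount for accounting; remove every field that links to the person.
    order.userId = null;
    order.name = "[deleted]";
    order.email = "[deleted]";
    result.ordersDeidentified += 1;
  }
  return result;
}

// Sanity check to run after deletion: count records that still point at the user.
function residualReferences(store, userId) {
  let n = 0;
  for (const name of [...USER_OWNED, "orders"]) {
    n += store[name].filter((r) => r.userId === userId).length;
  }
  return n;
}
```

Calling `deleteUserData` a second time for the same user returns all-zero counts, so a retried request does not touch other users' records.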


6) Marketplace moderation & retention

Marketplace submissions follow a moderated workflow:

  • Drafts are private
  • Submitted items are under review
  • Only approved items are published

Status changes should be auditable (see `Security_Overview.md`).