PII Self Management

PII Self-Management (Data Export & Account Deletion)

Panopticon provides users with the ability to export their personal data and delete their own accounts. These features are accessible from the User Consent page and help comply with GDPR data subject rights (Right of Access, Right to Erasure, Right to Data Portability).

Data Export

Users can download a complete copy of their personal data in XML format by clicking "Download My Data" on the consent page.

What is Included

The exported XML file contains:

• Profile information: User ID, username, full name, and email address.
• Consent records: Whether the user has consented to the ToS, and the timestamp of consent.
• Owned sites: List of sites created by the user, including site ID, name, URL, and creation date.
• MFA methods: Titles and types of configured Multi-Factor Authentication methods (secrets are never exported).
• Passkey labels: Labels of registered passkeys (credential data is never exported).

File Format

The export is an XML file named panopticon-userdata-{username}-{date}.xml. Example structure:

<?xml version="1.0" encoding="UTF-8"?>
<userdata exported="2025-01-15T10:30:00+00:00" version="1.0">
  <profile>
    <id>42</id>
    <username>johndoe</username>
    <name>John Doe</name>
    <email>john@example.com</email>
    <consent>
      <tos>true</tos>
      <timestamp>2025-01-10T08:00:00+00:00</timestamp>
    </consent>
  </profile>
  <sites>
    <site>
      <id>1</id>
      <name>My Website</name>
      <url>https://example.com</url>
      <created_on>2025-01-01 12:00:00</created_on>
    </site>
  </sites>
  <mfa_methods>
    <method>
      <title>My TOTP App</title>
      <type>totp</type>
    </method>
  </mfa_methods>
  <passkeys>
    <passkey>
      <label>YubiKey 5</label>
    </passkey>
  </passkeys>
</userdata>

Account Self-Deletion

Users can permanently delete their own account from the consent page. This is a destructive, irreversible operation.

How it Works

1. The user navigates to the consent page (or is redirected there).
2. In the "Permanently Delete My Account" section (marked as a danger zone), the user must:
   • Type their username exactly as confirmation.
   • Click the "Permanently Delete My Account" button.
   • Confirm the action in a browser dialog.
3. Upon successful deletion:
   • The user account is permanently removed from the database.
   • All sites owned by the user are deleted (via database foreign key cascading).
   • The user's session is destroyed and they are redirected to the login page.

Restrictions

• Sole administrator protection: If the user is the only Super User account in the system, self-deletion is blocked. An informational message explains this restriction. This prevents the system from being left without any administrative access.
• Username verification: The user must type their username correctly to confirm deletion. This prevents accidental deletions.

What is Deleted

When a user account is deleted:

• The user record in the #__users table
• All sites created by the user (via FK cascade on created_by)
• Associated MFA records
• Associated passkey records
• Task queue entries related to the user's sites

Note: Data that may exist in backup files or external systems is not affected by account deletion. Administrators should note this in their Privacy Policy.

For Administrators

• These features are only available when user registration is enabled (user_registration set to admin or self).
• The default Privacy Policy template includes references to these data subject rights. Customise it to match your specific practices.
• Consider your backup retention policy when documenting data deletion in your Privacy Policy, as backups may contain deleted user data.