docs: update privacy policy and Play Console evidence

docs/Account-Deletion-Request-URL.md

@@ -6,8 +6,8 @@ is entered in Play Console, and is recorded below.
 
 Issue: #440
 Parent track: #464
-Status: externally blocked until a web/backend owner hosts the page and a Play
-Console owner enters the URL.
+Status: complete. URL is public, request workflow is confirmed, and the delete
+account URL field is saved in the Play Console Data safety draft.
 
 ## Policy Source
 
@@ -27,12 +27,13 @@ Console owner enters the URL.
 
 ## Final URL Record
 
-- Final account deletion request URL: `TODO`
-- Hosting owner: `TODO`
-- Backend/privacy owner confirming deletion and retention behavior: `TODO`
-- Play Console owner who entered the URL: `TODO`
-- Date verified: `TODO`
-- Evidence location: `TODO`
+- Final account deletion request URL: `https://ontime-back.duckdns.org/account-deletion`
+- Hosting owner: Backend owner
+- Backend/privacy owner confirming deletion and retention behavior: Backend owner
+- Play Console owner who entered the URL: `jjoonleo@gmail.com`
+- Date verified: `2026-05-10`
+- Evidence location: #440 issue comments with `curl` verification summary and
+  Play Console save note
 
 ## Dependencies Before Publishing
 
@@ -45,7 +46,8 @@ Console owner enters the URL.
 
 ## Page Content Template
 
-Replace every `TODO` before publishing.
+Use the following content expectations when reviewing the hosted page. Replace
+every remaining `TODO` before closing #440.
 
 ```text
 Title: Delete your OnTime account
@@ -55,19 +57,24 @@ this page. You do not need to install or open the OnTime app to submit a
 request.
 
 What we delete
-- TODO: List account identity data deleted after #439 confirms server behavior.
-- TODO: List schedule, preparation, notification, feedback, or profile data
-  deleted after #439 confirms server behavior.
+- OnTime deletes the local account and associated app data, including schedules,
+  preparation data, notification schedules, user settings, alarm settings, alarm
+  status, device records, FCM tokens, and session tokens.
 
 What we may retain
-- TODO: List any data retained for legal, security, fraud prevention,
-  regulatory, or operational reasons.
-- TODO: State the retention period or review process for each retained data
-  type.
+- Optional account deletion feedback may be retained for up to 1 year for
+  service quality review and deletion-related support issues.
+- Operational logs, monitoring records, and security records may be retained for
+  up to 90 days for service operation, debugging, security, and abuse
+  prevention.
+- Backup copies containing deleted account data are removed according to normal
+  backup rotation and retained for no longer than 30 days.
+- Data may be retained longer only when required by law or an active security
+  investigation.
 
 How to request deletion
 Option A: Submit the deletion request form below.
-Option B: Email TODO_SUPPORT_EMAIL with the subject "OnTime account deletion".
+Option B: Email jjoonleo@gmail.com with the subject "OnTime account deletion".
 
 Required information
 - The email address or login provider used for the OnTime account.
@@ -83,7 +90,7 @@ Privacy policy
 TODO_PRIVACY_POLICY_URL
 
 Contact
-TODO_SUPPORT_EMAIL
+jjoonleo@gmail.com
 ```
 
 ## Implementation Options
@@ -100,28 +107,25 @@ page that only tells users to reinstall/open the app.
 
 ## Verification Checklist
 
-- [ ] Open the URL in a private/incognito browser while signed out.
-- [ ] Confirm the URL uses HTTPS and does not redirect to login.
-- [ ] Confirm the page references OnTime or the Google Play developer name.
-- [ ] Confirm the deletion request path is visible without searching through
+- [x] Open `https://ontime-back.duckdns.org/account-deletion` in a
+      private/incognito browser while signed out.
+- [x] Confirm the URL uses HTTPS and does not redirect to login.
+- [x] Confirm the page references OnTime or the Google Play developer name.
+- [x] Confirm the deletion request path is visible without searching through
       unrelated content.
-- [ ] Submit a test request using a test account or staging support workflow.
-- [ ] Confirm the request reaches the responsible owner or backend system.
-- [ ] Confirm the page deletion/retention text matches #439 and #434.
-- [ ] Enter the URL in Play Console.
-- [ ] Save a screenshot or note showing the Play Console field value.
-- [ ] Replace the `TODO` values in the final URL record above.
+- [x] Submit a test request using a test account or staging support workflow.
+- [x] Confirm the request reaches the responsible owner or backend system.
+- [x] Confirm the page deletion/retention text matches #439 and #434.
+- [x] Enter the URL in Play Console.
+- [x] Save a screenshot or note showing the Play Console field value.
+- [x] Replace the remaining `TODO` values in the final URL record above.
 
 ## Human Tasks Remaining
 
-1. Backend/privacy owner: complete #439 and provide final deletion and retention
-   language.
+1. Backend/privacy owner: confirm the hosted page uses the final deletion and
+   retention language from #434.
 2. Product/legal owner: approve privacy policy text in #434.
-3. Web/backend owner: host a public HTTPS deletion request page or form using
-   the approved language.
-4. Support owner: confirm the receiving workflow is monitored and deletion
-   requests can be fulfilled.
-5. Play Console owner: enter the final URL in the required account deletion or
-   Data safety field.
-6. Release owner: update the final URL record and attach evidence before
-   closing #440.
+3. Web/backend owner: verify the public HTTPS deletion request page or form
+   remains available at `https://ontime-back.duckdns.org/account-deletion`.
+4. Play Console owner: continue #441 separately to complete the full Data
+   safety questionnaire before release submission.

docs/Backend-Account-Deletion-Retention-Report.md

@@ -0,0 +1,118 @@
+# Backend Account Deletion Retention Report
+
+Date: 2026-05-10
+Related issues: #434, #439, #440, #441, #458
+Audience: OnTime backend and environment owners
+
+## Purpose
+
+This report asks backend owners to confirm and, if needed, implement the
+retention behavior that the OnTime privacy policy draft now states. The goal is
+to keep the privacy policy, Google Play Data safety answers, backend behavior,
+and account deletion QA aligned.
+
+## Proposed Retention Policy
+
+Use these retention periods unless product/legal owners later require a stricter
+policy:
+
+| Data category | Retention after account deletion | Reason |
+| --- | --- | --- |
+| Local OnTime account row | Delete immediately | Account deletion request |
+| User-owned app data, including schedules, preparation data, notification schedules, user settings, alarm settings, alarm status, device records, FCM tokens, and session tokens | Delete immediately by database cascade or equivalent cleanup | Account deletion request |
+| General feedback linked to the user account | Delete immediately by database cascade or equivalent cleanup | Account deletion request |
+| Optional account deletion feedback | Retain for up to 1 year | Service quality review and deletion-related support issues |
+| Operational logs, monitoring records, and security records | Retain for up to 90 days | Service operation, debugging, security, and abuse prevention |
+| Database backups or disaster recovery snapshots | Retain for no longer than 30 days under normal backup rotation | Disaster recovery |
+| Legal, compliance, or active security investigation records | Retain only as long as required for the legal/compliance/investigation purpose | Legal compliance or active security investigation |
+
+## Backend Confirmation Needed
+
+Before #434 privacy policy approval, backend/environment owners should confirm:
+
+- The account deletion endpoints still hard-delete the local OnTime account row.
+- Database cascades or explicit cleanup remove associated user-owned app data.
+- Optional account deletion feedback is stored separately from the deleted user
+  account and does not contain plaintext email.
+- There is, or will be, a cleanup mechanism that deletes
+  `account_deletion_feedback` rows older than 1 year.
+- Production application logs, hosting logs, monitoring events, analytics,
+  audit records, and security records do not retain account-related data for
+  more than 90 days unless an exception applies.
+- Database backups and snapshots are rotated out within 30 days unless an
+  exception applies.
+- Any exception is documented with data category, reason, owner, and maximum
+  retention duration.
+- Google and Apple provider token revocation remains best-effort unless release
+  environment testing proves a stronger guarantee.
+
+## Recommended Backend Tasks
+
+1. Add retention cleanup for account deletion feedback.
+   - Target table: `account_deletion_feedback`
+   - Target rule: delete rows where `created_at` is older than 1 year.
+   - Recommended verification: unit or integration test for cleanup cutoff.
+
+2. Confirm production logging retention.
+   - Target rule: logs, monitoring records, and security records retained for
+     up to 90 days.
+   - Recommended verification: screenshot, config export, or written owner
+     confirmation from the logging/hosting provider.
+
+3. Confirm backup retention.
+   - Target rule: database backups and disaster recovery snapshots retained for
+     no longer than 30 days under normal rotation.
+   - Recommended verification: backup policy document, provider setting, or
+     written owner confirmation.
+
+4. Document exceptions.
+   - If legal compliance, abuse prevention, or active investigation requires
+     longer retention, record the data category, reason, owner, and maximum
+     retention period.
+   - Do not use open-ended language such as "as needed" without a defined owner
+     and review trigger.
+
+5. Send release evidence back to frontend/release owners.
+   - Update #434 when the privacy policy wording is accurate.
+   - Update #441 so the Google Play Data safety form can reflect the same
+     deletion and retention behavior.
+   - Update #458 so account deletion QA knows which retained data is expected.
+
+## Draft Privacy Policy Wording
+
+The frontend privacy policy draft currently uses this retention language:
+
+```text
+When a user deletes their OnTime account, OnTime deletes the local account and
+associated app data, including schedules, preparation data, notification
+schedules, user settings, alarm settings, alarm status, device records, FCM
+tokens, and session tokens.
+
+If the user submits optional account deletion feedback, OnTime may retain that
+feedback for up to 1 year to review service quality and deletion-related support
+issues. This feedback is stored separately from the deleted account and uses a
+hashed email value instead of the plaintext email address.
+
+Operational logs, monitoring records, and security records may be retained for
+up to 90 days for service operation, debugging, security, and abuse-prevention
+purposes, unless a longer period is required for legal compliance or an active
+security investigation.
+
+Backup copies containing deleted account data are removed according to the
+normal backup rotation and are retained for no longer than 30 days, unless a
+longer period is required by law or security investigation.
+```
+
+Backend owners should either confirm this language or propose exact replacement
+wording before #434 is approved.
+
+## Policy References
+
+- Google Play User Data policy:
+  https://support.google.com/googleplay/android-developer/answer/10144311
+- Google Play account deletion requirements:
+  https://support.google.com/googleplay/android-developer/answer/13327111
+- Google Play Data safety form guidance:
+  https://support.google.com/googleplay/android-developer/answer/10787469
+- Korea Personal Information Protection Commission privacy guidance:
+  https://www.pipc.go.kr/eng/user/cmm/privacyGuideline.do

docs/Google-Play-Data-Safety.md

@@ -1,21 +1,25 @@
 # Google Play Data Safety Worksheet
 
-This worksheet advances release issue #441 under parent track #464. It is not a
-final Google Play declaration and must not be pasted into Play Console until the
-open prerequisites below are resolved.
+This worksheet advances release issue #441 under parent track #464. The Google
+Play Data safety questionnaire was completed and saved in Play Console on
+2026-05-10 using the answers recorded below. The privacy policy URL was also
+saved in Play Console on 2026-05-10. The app-content submission is still blocked
+by separate Play Console requirements outside the Data safety form.
 
 ## Status
 
-Current status: externally blocked.
+Current status: Data safety questionnaire saved in Play Console; app-content
+submission externally blocked.
 
 Blocking prerequisites:
 
 | Input | Source issue | Status on 2026-05-10 | Why it blocks submission |
 | --- | --- | --- | --- |
-| Approved privacy policy text | #434 | Open, manual | Google Play requires a privacy policy and the Data safety answers must match it. |
-| Backend deletion and retention truth | #439 | Open, manual/backend | Data deletion support, retention exceptions, and associated data deletion are server-side facts. |
-| External account deletion request URL | #440 | Open, manual | Play requires an outside-app deletion path for apps with accounts. |
+| Approved and hosted privacy policy URL | #434/#435/#437 | Hosting/Play entry complete; #434 approval still open | Public URL is `https://ontime-back.duckdns.org/privacy-policy` and is saved in Play Console. Product/legal approval of final text remains tracked by #434. |
+| Backend deletion and retention truth | #439 | Closed with static backend evidence | Data deletion support, retention exceptions, and associated data deletion are documented; production retention enforcement still needs owner confirmation before final submission. |
+| External account deletion request URL | #440 | Closed | Public URL is `https://ontime-back.duckdns.org/account-deletion`; Play Console delete account URL field is saved in the Data safety draft. |
 | Manifest permission audit | #442 | Closed | Evidence is available in `docs/Android-Manifest-Permissions.md`. |
+| Target audience and content | Play Console app content | Open, manual | Play Console preview says submission requires target age group and other content information. |
 | Final release SDK/provider set | #441 prerequisite | Pending owner confirmation | SDK data collection must match the shipped release build. |
 
 Google's current guidance says developers are responsible for complete and
@@ -70,23 +74,59 @@ deletion support must be approved by the release owner.
 | Firebase Cloud Messaging SDK | The app uses `firebase_core` and `firebase_messaging`. Firebase documentation says Cloud Messaging collects app version automatically and depends on Firebase Installations; FID and Firebase user agent handling must be considered. | SDK-collected data, device or other identifiers, app info and performance | Source-backed dependency, final SDK review pending |
 | Google Play services core SDKs | Google Play services base/basement/tasks may be present through dependencies. Google's disclosure page says the listed core SDKs do not collect end-user data, but app owners remain responsible for the overall disclosure. | SDK review | Dependency review pending |
 
-## Answers That Must Stay Pending
+## Saved Play Console Answers
 
-Do not finalize these fields until the owners listed below provide the missing
-facts.
+Entered in Play Console by `jjoonleo@gmail.com` on 2026-05-10.
+
+Security and deletion:
+
+- Required user data types collected or shared: Yes.
+- Data encrypted in transit: Yes.
+- Account creation methods: Username and password, OAuth.
+- Account deletion URL:
+  `https://ontime-back.duckdns.org/account-deletion`.
+- Data shared with third parties: No data shared with third parties, using
+  Play's service-provider sharing interpretation.
+
+Data types declared as collected:
+
+| Category | Data type | Collected/shared | Ephemeral | Required/optional | Purposes |
+| --- | --- | --- | --- | --- | --- |
+| Personal info | Name | Collected | Not ephemeral | Required | App functionality, Account management |
+| Personal info | Email address | Collected | Not ephemeral | Required | App functionality, Account management |
+| Personal info | User IDs | Collected | Not ephemeral | Required | App functionality, Account management |
+| App info and performance | Diagnostics | Collected | Not ephemeral | Required | App functionality, Analytics |
+| App activity | App interactions | Collected | Not ephemeral | Required | App functionality |
+| App activity | Other user-generated content | Collected | Not ephemeral | Optional | App functionality |
+| Device or other IDs | Device or other IDs | Collected | Not ephemeral | Required | App functionality |
+
+Play Console preview showed:
+
+- Data shared: no data shared with third parties.
+- Data collected: Personal info, App info and performance, App activity, Device
+  or other IDs.
+- Data deletion: account and associated data can be deleted via the saved
+  account deletion URL.
+- Security practices: data is encrypted in transit.
+- Remaining blocker shown by Play Console before final app-content submission:
+  target audience/content.
+
+## Answers That Still Need Owner Confirmation
+
+The Play Console draft is saved, but the owners below should still confirm these
+facts before final release submission.
 
 | Field or decision | Required owner input |
 | --- | --- |
-| Whether each collected data type is required or optional | Product owner and source review. |
 | Whether any data is shared outside service-provider processing | Backend owner, Firebase/Google configuration owner, and privacy owner. |
 | Backend retention period for accounts, schedules, preparations, feedback, FCM tokens, device registrations, alarm status, and logs | Backend owner. |
 | Whether deletion requests delete or anonymize each associated data type, and within what time window | Backend owner and privacy owner. |
 | Whether any data is retained for legal compliance, security, abuse prevention, or operations | Backend owner and legal/product owner. |
-| Final privacy policy URL and exact text | Product/legal owner and #434/#435. |
-| External account deletion request URL and page content | Web/backend owner and #440. |
+| Final privacy policy text approval | Product/legal owner and #434. Hosted URL is `https://ontime-back.duckdns.org/privacy-policy`. |
+| External account deletion request URL and page content | Closed in #440: `https://ontime-back.duckdns.org/account-deletion`. |
 | Final active auth providers for Android release | Release owner. Current source supports normal, Google, and Apple paths; Kakao dependencies are present but no active release flow was found in the checked auth path. |
 | Firebase optional exports such as FCM delivery metrics to BigQuery or Analytics-linked notification interaction events | Firebase project owner. No Analytics dependency was found in `pubspec.yaml`, but console settings must still be checked. |
-| Play Console submission | Play Console owner. |
+| Play Console app-content submission | Play Console owner after target audience/content is complete. |
 
 ## Pre-Submission Checklist
 
@@ -99,10 +139,10 @@ facts.
    used in app and Play Console.
 6. Verify the public account deletion URL works without installing or opening
    the app and explains deleted and retained data.
-7. Enter the Data safety form in Play Console from this worksheet plus approved
-   owner answers.
-8. Save the final submitted answers back into release documentation, replacing
-   or appending to this worksheet.
+7. Confirm the saved Data safety answers above still match the approved policy
+   and final release build.
+8. Send the saved changes for review from Publishing overview after the
+   remaining app-content blockers are resolved.
 
 ## Suggested Final Documentation Template