aiskillstore/gdpr-compliance
skills/acurioustractor/gdpr-compliance/SKILL.md
This skill provides comprehensive guidance for implementing and reviewing GDPR-compliant features in Empathy Ledger.
$ install --global
skillsauthnpx skillsauth add aiskillstore/marketplace gdpr-complianceInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 28, 2026, 4:46 PM37.2s2 files scanned
SKILL.md
- name:
- gdpr-compliance
- description:
- This skill provides comprehensive guidance for implementing and reviewing GDPR-compliant features in Empathy Ledger.
GDPR Compliance Skill
This skill provides comprehensive guidance for implementing and reviewing GDPR-compliant features in Empathy Ledger.
GDPR Rights Reference
Article 15 - Right of Access
Requirement: Users can request a copy of their personal data
Implementation:
// GET /api/user/export
const data = await gdprService.exportUserData(userId)
// Returns: stories, media, profile, consent records, activity logs
Article 16 - Right to Rectification
Requirement: Users can correct inaccurate personal data
Implementation:
- Edit profile via profile settings
- Edit stories via story editor
- All changes logged in audit trail
Article 17 - Right to Erasure (Right to be Forgotten)
Requirement: Users can request deletion of their data
Implementation:
// POST /api/user/deletion-request
// Initiates 30-day deletion workflow
// POST /api/stories/[id]/anonymize
// Immediate anonymization of specific story
Anonymization Process:
- Remove PII from story content
- Replace author name with "Anonymous Storyteller"
- Disassociate from profile (set storyteller_id = null)
- Revoke all active distributions
- Anonymize related media
- Keep anonymized audit trail
Article 20 - Right to Data Portability
Requirement: Users can export data in machine-readable format
Implementation:
- JSON export format
- Includes all user-generated content
- Downloadable via vault dashboard
Consent Management
Consent Capture
interface ConsentRecord {
has_consent: boolean // Initial consent given
consent_verified: boolean // Consent verification completed
consent_method?: string // 'written' | 'verbal' | 'digital'
consent_date?: Date
consent_witness_id?: string // For verbal consent
}
Consent Withdrawal
// POST /api/stories/[id]/consent/withdraw
// Triggers:
// 1. Set consent_withdrawn_at timestamp
// 2. Revoke all embed tokens
// 3. Mark all distributions as revoked
// 4. Send webhook notifications
// 5. Queue external takedown requests
// 6. Create audit log entries
Data Processing Lawful Bases
For Empathy Ledger, we rely on:
- Consent (Article 6(1)(a)) - Primary basis for story sharing
- Legitimate Interest (Article 6(1)(f)) - Platform operation, security
Data Minimization
Collect Only What's Needed
- Essential profile data: name, email, organization
- Story content: as provided by user
- Technical data: minimal logging for security
Retention Limits
- Active data: retained while account active
- Deleted data: fully removed within 30 days
- Anonymized data: kept for aggregate statistics only
- Audit logs: anonymized after account deletion
Implementation Checklist
User Data Export
□ Export includes all user stories
□ Export includes media files
□ Export includes profile data
□ Export includes consent records
□ Export includes activity log
□ Format is JSON (machine-readable)
□ Download is secure (authenticated)
Data Deletion
□ Deletion request creates ticket
□ User receives confirmation email
□ 30-day processing window
□ All stories anonymized or deleted
□ All media files removed
□ Profile data erased
□ Audit trail anonymized
□ Third-party distributions notified
Consent Tracking
□ Consent captured before distribution
□ Consent method recorded
□ Consent can be withdrawn
□ Withdrawal cascades automatically
□ Audit trail for consent changes
□ Re-consent required for new purposes
API Endpoints
Data Rights
GET /api/user/export- Export all user dataPOST /api/user/deletion-request- Request account deletionGET /api/user/deletion-request- Check deletion status
Story-Level GDPR
POST /api/stories/[id]/anonymize- Anonymize specific storyPOST /api/stories/[id]/consent/withdraw- Withdraw consent
Audit Access
GET /api/stories/[id]/audit- View story audit trailPOST /api/stories/[id]/audit/export- Export audit report
Database Schema
deletion_requests
CREATE TABLE deletion_requests (
id UUID PRIMARY KEY,
user_id UUID NOT NULL,
tenant_id UUID NOT NULL,
request_type TEXT NOT NULL, -- 'anonymize_story', 'delete_account'
status TEXT DEFAULT 'pending', -- 'pending', 'processing', 'completed'
requested_at TIMESTAMPTZ,
processed_at TIMESTAMPTZ,
completed_at TIMESTAMPTZ
);
Story Anonymization Fields
-- On stories table
anonymization_status TEXT, -- null, 'partial', 'full'
anonymized_fields JSONB, -- Track what was anonymized
consent_withdrawn_at TIMESTAMPTZ -- When consent was withdrawn
Services
GDPRService
class GDPRService {
exportUserData(userId: string): Promise<DataExport>
anonymizeStory(storyId: string): Promise<AnonymizeResult>
anonymizeUserData(userId: string): Promise<AnonymizeResult>
createDeletionRequest(userId: string, type: string): Promise<Request>
processDeletionRequest(requestId: string): Promise<void>
scrubPII(content: string): string
}
Code Review for GDPR
When reviewing code, verify:
- Data Collection: Is this data necessary?
- Consent: Is consent captured before processing?
- Access: Can users access their data?
- Rectification: Can users correct their data?
- Erasure: Can users delete their data?
- Portability: Can users export their data?
- Audit: Are actions logged?
- Security: Is data properly protected?
Related Skills
aiskillstore/hig-components-content
development
VerifiedTrustedCommunity
Apple Human Interface Guidelines for content display components. Use this skill when the user asks about charts component, collection view, image view, web view, color well, image well, activity view, lockup, data visualization, content display, displaying images, rendering web content, color pickers, or presenting collections of items in Apple apps. Also use when the user says how should I display charts, what's the best way to show images, should I use a web view, how do I build a grid of items, what component shows media, or how do I present a share sheet. Cross-references: hig-foundations for color/typography/accessibility, hig-patterns for data visualization patterns, hig-components-layout for structural containers, hig-platforms for platform-specific component behavior.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/helpdesk-automation
tools
VerifiedTrustedCommunity
Automate HelpDesk tasks via Rube MCP (Composio): list tickets, manage views, use canned responses, and configure custom fields. Always search tools first for current schemas.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/haskell-pro
testing
VerifiedTrustedCommunity
Expert Haskell engineer specializing in advanced type systems, pure functional design, and high-reliability software. Use PROACTIVELY for type-level programming, concurrency, and architecture guidance.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/graphql
tools
VerifiedTrustedCommunity
GraphQL gives clients exactly the data they need - no more, no less. One endpoint, typed schema, introspection. But the flexibility that makes it powerful also makes it dangerous. Without proper controls, clients can craft queries that bring down your server. This skill covers schema design, resolvers, DataLoader for N+1 prevention, federation for microservices, and client integration with Apollo/urql. Key insight: GraphQL is a contract. The schema is the API documentation. Design it carefully.
244SKILL.mdUpdated Apr 10, 2026