Legal & Consent
What this section is for
Legal & Consent is how the collective keeps its paperwork honest. Every human who joins agrees to a small set of legal documents, and every agreement is recorded with a timestamp, a content hash, and the IP and device you consented from. This lets the org operate under GDPR in Spain and the EU: explicit, auditable, reversible at your request.
This section also surfaces your two core GDPR rights: a copy of everything the org holds about you (Article 15), and account deletion (Article 17).
![TODO: screenshot — Consents index page showing required documents grouped by category]
Key pages at a glance
- Your consents (
/Consent) — any signed-in human reviews documents they've signed and re-signs when versions change. - My Data (
/Profile/Me/Privacy) — Download my Data (Article 15) and Account Deletion (Article 17). - Statutes (
/Legal) — anyone, including signed-out visitors, reads the association's current statutes (pulled directly from GitHub). - Onboarding review queue (
/OnboardingReview) — Consent Coordinator, Volunteer Coordinator, Board, and Admin view humans awaiting activation; only Consent Coordinator, Board, and Admin can clear, flag, or reject. - Manage documents (
/Legal/Admin/Documents) — Board and Admin create, edit, archive, and publish legal documents.
As a Volunteer
Signing your consents. When you first sign in, you'll see documents grouped by team. The Volunteers team's documents apply to everyone; team-specific ones appear once you join that team. Open each document, read it, and tick the explicit consent checkbox. Tabs let you switch between languages — Spanish (Castellano) is always the canonical, legally binding version; other tabs are marked as translations. The checkbox is never pre-ticked.
Your signed consent is a permanent record. Once you tick the box, the system writes an immutable entry: which document version, when, from what IP and browser, and a hash of the exact text you agreed to. Nobody — not Admin, not the database owner — can alter or remove it. This is what makes the audit trail trustworthy, and what protects you in any dispute about what you agreed to.
Viewing your consent history. From /Consent you can see every document you've signed, its version, and whether it's still current. If a document has been updated, you'll see an "Action required" badge and will need to re-sign. There's a per-document grace period (seven days by default) before a missing re-consent affects your team membership.
Downloading your data (Article 15). From your profile, use "Download my data" to get a JSON file containing everything the system holds about you: profile, contact fields, consents, team memberships, shift sign-ups, tickets, feedback, audit entries. Self-service, no request ticket.
Requesting account deletion (Article 17). From your profile, use "Delete my account." Your team memberships are revoked immediately, so you stop showing up in rosters and Google Groups. The data purge runs as a background job shortly after. A few records are kept as required by law (consent records, append-only audit entries), but personal identifiers on those are scrubbed or rewritten to a placeholder.
Related sections
- Profiles — consent status lives on the profile; download/delete start there.
- Onboarding — entering your legal name unlocks app access; signing all required documents (plus name) admits you to the Volunteers team.
- Admin — document management and flagged-review queue.