Netorigo
Sign in
Back to Journal
communityen

Privacy-first user profiles

Default-private profiles, per-post opt-in for cross-company visibility. Separate GDPR consent for community. 5 fields stored, 7 deliberately omitted.

The Community module's user-profile system is built on default-private. The consumer default of "everything public, opt-out available" doesn't apply on a B2B partner-portal. Instead: everything private, opt-in available.

Default visibility

A new user's profile is visible by default only to their tenant peers and Netorigo staff. An engineer registering at a logistics tenant does not automatically appear to a finance tenant's peer, and rightly so. If they want cross-company visibility (for example to mention in a tough NAV-rule thread that they have years of experience on the topic), they opt in per-post.

The per-post opt-in is not a global toggle. Each post individually chooses whether to expose author attribution ("Anna K., logistics tenant") to cross-tenant peers. This prevents the failure mode where a user once flips "public" and forgets that their next post sits in a sensitive edge-case topic.

GDPR consent

We ask for two separate consents at signup:

  1. Product T&Cs consent. Netorigo platform base licence, audit, contract terms.
  2. Community-profile consent. A separate explicit consent that the data stored there (post content, peer attribution, Helpful Answer count, thank-you token flow) may be used for the community platform's purposes.

The two consents are intentionally separate. A user can decline the community consent and still use the Netorigo platform (admin, finance, logistics). They just won't get access to the community module - an acceptable outcome.

The 5 fields we store

The community profile stores the following 5 fields:

  1. Display name. User-chosen name (default: surname + first-name initial, e.g. "Anna K.").
  2. Tenant identifier. Which tenant they're affiliated with (the tenant name, not their personal employer if those differ).
  3. Job role. Optional free-text field ("Finance controller", "Warehouse manager"). Empty by default.
  4. Tags-of-interest. User-chosen tag set they subscribe to for the weekly digest.
  5. Helpful Answer + thank-you-token aggregate counts. Aggregates only, not the individual trail.

The 7 fields we deliberately do NOT store

  1. Long-term IP retention. Only on the request, in the audit log for 30 days, hashed after that.
  2. Behavioural fingerprinting (browser fingerprint, click trail, mouse movement). None.
  3. Geo-location. Neither auto-detected nor manually entered.
  4. Profile picture. Debated. Decided against: peer attribution is enough, and a profile picture would just add another opt-in decision.
  5. External social-profile links. LinkedIn, X, etc. Debated, decided against (reduces opt-in pressure to "complete" the profile).
  6. Bio / about text. Free-text means GDPR-sensitive data risk.
  7. Phone number or email on the profile. Stored on the base Netorigo account, but the community profile does not surface them to peers (no DM either, see the earlier post).

Right-to-erasure flow

GDPR Article 17 (right to erasure) is fairly concrete for the community module. The flow:

  1. The user files an "Account deletion" request on Settings > Privacy.
  2. A 14-day soft-delete period starts. During it the profile is inactive but posts remain visible. The user can cancel deletion.
  3. After 14 days, hard-delete: the profile record is removed, posts remain, but author attribution flips to "[deleted user]".

Keeping the posts is deliberate: if a single reply suddenly vanished from a 30-post-long thread, that would break the discussion context of the other 29 posts and disadvantage the untouched peer users (whose own answers stay).

The pseudonymisation layer for KB training

When we train the LLM on tenant content for KB + auto-FAQ generation, a pseudonymisation layer runs: all user names, company identifiers, account numbers, phone, email are swapped for placeholders (<USER_42>, <COMPANY_7>, <INVOICE_xx>). The LLM only sees the pseudonymised form. The pseudonym map sits in a separate encrypted store and never leaves vendor infrastructure.

Back to Journal