# PDPA Compliance Guide - MoreMiniMore Website

## ✅ Features Implemented

This website is now **PDPA-compliant** with the following features:

### 1. Cookie Consent System

- **Component:** `src/components/consent/CookieBanner.astro`
- **Features:**
  - Accept All / Reject All buttons (equal prominence)
  - Stores consent in localStorage
  - Slides up from bottom on first visit
  - Thai language with link to Privacy Policy
  - Dispatches a `consentGiven` event for other components

### 2. Conditional Analytics Loading

- **Integration:** Umami Analytics
- **Behavior:** Only loads when the user accepts analytics cookies
- **Implementation:** In `src/layouts/Layout.astro`

### 3. Consent API Endpoints

- **POST /api/consent** - Log new consent
- **GET /api/consent** - Retrieve consent logs (admin)
- **DELETE /api/consent/:sessionId** - Right to be forgotten

### 4. Admin Dashboard

- **URL:** `/admin/consent-logs`
- **Features:**
  - Password-protected access
  - View last 100 consent records
  - Statistics (total, acceptance rate, etc.)
  - Delete individual records
  - Export CSV (coming soon)
- **Default Password:** `changeme` (MUST change in production!)

### 5. Updated Legal Pages

- **Privacy Policy:** All 14 PDPA Section 36 requirements
- **Terms & Conditions:** 17 comprehensive sections
- Both in Thai with professional legal terminology

## 🔧 Configuration

### Environment Variables

Create a `.env` file in the root directory:

```bash
# Copy from example
cp .env.example .env

# Edit with your values
nano .env
```

**Required Variables:**

```bash
# Admin password (CHANGE THIS!)
ADMIN_PASSWORD=your-secure-password-here

# Database (for production)
ASTRO_DB_REMOTE_URL=file:./data/consent.db
```

**Optional Variables:**

```bash
# Umami Analytics
UMAMI_WEBSITE_ID=xxx-xxx-xxx
UMAMI_DOMAIN=analytics.example.com
```

Keep `.env` out of version control and readable only by the deploying user: it holds the admin password.

## 🚀 Deployment

### Docker (Recommended)

```bash
# Build image
docker build -t moreminimore:latest .

# Run container
docker run -d \
  -p 80:80 \
  -e NODE_ENV=production \
  -e ASTRO_DB_REMOTE_URL=file:/app/data/consent.db \
  -e HOST=0.0.0.0 \
  -e PORT=80 \
  -e ADMIN_PASSWORD=your-secure-password \
  --name moreminimore \
  moreminimore:latest
```

Values passed with `-e` end up in your shell history and in `docker inspect`; loading them from a permission-restricted file with `--env-file` keeps the password off the command line. The container serves plain HTTP on port 80, so terminate TLS in front of it (see the checklist below).

### Easypanel Auto-Deploy

The website is configured for automatic deployment via Easypanel:

1. Push changes to the Gitea `main` branch
2. Easypanel auto-builds (~3 minutes)
3. The new version is deployed automatically

**Environment Variables in Easypanel:**

- Set all variables from `.env.example`
- Use a strong `ADMIN_PASSWORD`
- Configure the database if using remote SQLite/Turso

## 📊 Managing Consent Logs

### Access Admin Dashboard

1. Navigate to: `https://your-domain.com/admin/consent-logs`
2. Enter the admin password
3. View consent records

### Export Data

Click the "Export CSV" button to download consent logs (feature in development).

### Right to be Forgotten

Users can request deletion by:

1. Contacting: contact@moreminimore.com
2. An admin deletes the record via the dashboard
3. Or via the API: `DELETE /api/consent/:sessionId`

Verify the requester's identity before deleting: a `sessionId` alone is not proof that the request comes from the person who gave that consent.

## 📝 PDPA Compliance Checklist

### Before Going Live:

- [ ] Change `ADMIN_PASSWORD` from the default
- [ ] Test that the cookie consent banner appears
- [ ] Verify that Umami loads only with consent
- [ ] Review the Privacy Policy for accuracy
- [ ] Review the Terms & Conditions for accuracy
- [ ] Test admin dashboard access
- [ ] Enable HTTPS (consent records are personal data; protect them in transit)
- [ ] Set up regular backups

### Ongoing Maintenance:

- [ ] Review consent logs monthly
- [ ] Update legal pages when laws change
- [ ] Keep the admin password secure
- [ ] Monitor for consent withdrawals
- [ ] Document data processing activities

## 🔒 Security Notes

### Current Implementation:

- Client-side password check (development only)
- **Production should use server-side authentication**

A password check that runs in the browser protects only the dashboard page, not the data behind it. `GET /api/consent` and `DELETE /api/consent/:sessionId` must enforce the same check on the server, otherwise anyone who can reach those URLs can read or erase consent records regardless of the dashboard password.

### Recommended Improvements:

1. Add server-side session management
2. Implement rate limiting on the admin page
3. Add an IP whitelist for admin access
4. Use HTTPS only
5. Regular security audits

## 📞 Support

For questions about PDPA compliance or this implementation:

- **Email:** contact@moreminimore.com
- **Phone:** 080-995-5945
- **Line:** @moreminimore

## 📚 Resources

- **PDPC Thailand:** https://www.pdpc.or.th
- **PDPA Full Text:** https://www.pdpc.or.th/กฎหมายและกฎระเบียบ/พ.ร.บ.-คุ้มครองข้อมูลส่วนบุคคล/
- **Umami Analytics:** https://umami.is/docs
- **Astro DB:** https://docs.astro.build/en/guides/astro-db/

---

**Last Updated:** March 10, 2026
**Version:** 1.0.0
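The consent flow described under "Cookie Consent System", "Conditional Analytics Loading" and the checklist item "Verify that Umami loads only with consent", as an added example. This is not the project's `CookieBanner.astro` or `Layout.astro` code; it shows how the pieces fit: the stored decision is validated (policy version, age, type) before it is trusted, a rejection is stored too so the banner is not re-shown, and the Umami tag is built only from an accepted decision. Assumed names: the localStorage key `cookie-consent`, a 12-month consent lifetime, and Umami's published tag shape `<script defer src="https://<domain>/script.js" data-website-id="...">`. The in-memory storage and document at the bottom are constructed stand-ins so the block runs outside a browser.

```javascript
// Added example (not the project's code): consent storage, the consentGiven
// event, and gating the Umami tag on an accepted decision.
const CONSENT_KEY = "cookie-consent";                 // assumed localStorage key
const CONSENT_VERSION = 1;                            // bump when the Privacy Policy changes
const MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;         // assumed 12-month consent lifetime

// Event carrying the consent record; plain Event subclass so it works in Node too.
class ConsentEvent extends Event {
  constructor(detail) { super("consentGiven"); this.detail = detail; }
}

// Parse and validate a stored decision. Blocked storage, malformed JSON, a
// different policy version, a wrong type or an expired record all mean "ask again".
function readConsent(storage, now = Date.now()) {
  let raw;
  try { raw = storage.getItem(CONSENT_KEY); } catch { return null; }
  if (!raw) return null;
  let c;
  try { c = JSON.parse(raw); } catch { return null; }
  if (!c || c.version !== CONSENT_VERSION) return null;
  if (typeof c.analytics !== "boolean" || !Number.isFinite(c.timestamp)) return null;
  if (now - c.timestamp > MAX_AGE_MS) return null;
  return c;
}

// Persist the choice (Accept All -> true, Reject All -> false) and notify other
// components. Rejection is stored as well, so the banner is not shown again.
function saveConsent(storage, target, analytics, now = Date.now()) {
  const record = { version: CONSENT_VERSION, analytics, timestamp: now };
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  target.dispatchEvent(new ConsentEvent(record));
  return record;
}

// Build the Umami tag only from an accepted decision and a complete config.
function buildUmamiScript(doc, consent, { websiteId, domain }) {
  if (!consent || consent.analytics !== true) return null;
  if (!websiteId || !domain) return null;
  const s = doc.createElement("script");
  s.defer = true;
  s.src = `https://${domain}/script.js`;
  s.setAttribute("data-website-id", websiteId);
  return s;
}

// Page wiring: load analytics now if a valid decision exists, otherwise show the
// banner and wait for consentGiven. Returns state so it can be checked headlessly.
function initConsent({ storage, doc, target, umami, now = Date.now() }) {
  const state = { showBanner: false, loaded: false };
  const load = (consent) => {
    const s = buildUmamiScript(doc, consent, umami);
    if (s) { doc.head.appendChild(s); state.loaded = true; }
  };
  const existing = readConsent(storage, now);
  if (existing) {
    load(existing);
  } else {
    state.showBanner = true;
    target.addEventListener("consentGiven", (e) => load(e.detail), { once: true });
  }
  return state;
}

// Constructed stand-ins for localStorage and document (not browser objects).
class MemoryStorage {
  #m = new Map();
  getItem(k) { return this.#m.has(k) ? this.#m.get(k) : null; }
  setItem(k, v) { this.#m.set(k, String(v)); }
  removeItem(k) { this.#m.delete(k); }
}
function fakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return { head, createElement: (tag) => ({ tag, attrs: {}, setAttribute(k, v) { this.attrs[k] = v; } }) };
}

// First visit: banner shown, nothing loaded. Accept All: one tag injected.
// Revisit: no banner, tag injected straight from the stored decision.
function demoConsent() {
  const umami = { websiteId: "xxx-xxx-xxx", domain: "analytics.example.com" };
  const storage = new MemoryStorage(), doc = fakeDocument(), target = new EventTarget();
  const first = initConsent({ storage, doc, target, umami });
  const banner1 = first.showBanner, loaded1 = first.loaded;
  saveConsent(storage, target, true);                       // user clicks Accept All
  const revisit = initConsent({ storage, doc: fakeDocument(), target: new EventTarget(), umami });
  return { banner1, loaded1, loadedAfterAccept: first.loaded, tags: doc.head.children.length,
           websiteId: doc.head.children[0].attrs["data-website-id"],
           revisitBanner: revisit.showBanner, revisitLoaded: revisit.loaded };
}
```

The `once: true` listener matters: the banner fires `consentGiven` once per decision, and re-running `initConsent` on a later page load reads the stored record instead of waiting for another event, so the tag is never injected twice on one page.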
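Server-side authentication for the admin dashboard and the consent API, as an added example covering the "Security Notes" recommendations (server-side sessions, rate limiting, IP whitelist) and the point that `GET /api/consent` and `DELETE /api/consent/:sessionId` need the same check as the dashboard page. This is not the project's code; it is framework-agnostic Node.js that an Astro endpoint could call. Assumed names: the cookie `admin_session`, a login route `POST /admin/login`, one-hour sessions, a limit of 5 login attempts per 15 minutes per client IP, a `deleteConsent(sessionId)` callback standing in for the Astro DB delete, and a `[\w-]+` character set for `sessionId`.

```javascript
// Added example (not the project's code): server-side admin auth for the
// consent dashboard and API, with sessions, rate limiting and an IP whitelist.
const { randomBytes, timingSafeEqual, createHash } = require("node:crypto");

const SESSION_COOKIE = "admin_session";        // assumed cookie name
const SESSION_TTL_MS = 60 * 60 * 1000;         // assumed: log in again after an hour
const LOGIN_LIMIT = 5;                         // assumed: attempts per window per IP
const LOGIN_WINDOW_MS = 15 * 60 * 1000;

// Refuse to start with the shipped default, an empty, or a short password.
function assertPasswordConfigured(env) {
  const p = env.ADMIN_PASSWORD;
  if (!p || p === "changeme" || p.length < 12) {
    throw new Error("ADMIN_PASSWORD is unset, still the default, or shorter than 12 characters");
  }
  return p;
}

// Constant-time compare. Hashing both sides first gives equal-length buffers,
// which timingSafeEqual requires, and avoids leaking the password length.
function verifyPassword(candidate, expected) {
  if (typeof candidate !== "string") return false;
  const a = createHash("sha256").update(candidate).digest();
  const b = createHash("sha256").update(expected).digest();
  return timingSafeEqual(a, b);
}

// Opaque random tokens held server-side; the password itself never leaves the login step.
class SessionStore {
  #exp = new Map();
  create(now = Date.now()) {
    const token = randomBytes(32).toString("hex");
    this.#exp.set(token, now + SESSION_TTL_MS);
    return token;
  }
  valid(token, now = Date.now()) {
    const exp = this.#exp.get(token);
    if (exp === undefined) return false;
    if (now > exp) { this.#exp.delete(token); return false; }
    return true;
  }
}

// Fixed window per IP on the login route so the password cannot be brute-forced.
class RateLimiter {
  #hits = new Map();
  allow(ip, now = Date.now()) {
    const h = this.#hits.get(ip);
    if (!h || now - h.start >= LOGIN_WINDOW_MS) { this.#hits.set(ip, { start: now, n: 1 }); return true; }
    return ++h.n <= LOGIN_LIMIT;
  }
}

// HttpOnly: no script access. Secure: never sent over plain HTTP.
// SameSite=Strict: another origin cannot ride the session into DELETE /api/consent/:id.
function sessionCookie(token) {
  return `${SESSION_COOKIE}=${token}; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=${SESSION_TTL_MS / 1000}`;
}

function tokenFromCookie(header) {
  for (const part of (header || "").split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k === SESSION_COOKIE) return v.join("=");
  }
  return null;
}

// Dispatcher. req = { method, path, ip, headers, body }; returns { status, headers, body },
// the shape an Astro endpoint would wrap in a Response.
function makeAdminHandler({ password, sessions, limiter, allowedIps = null, deleteConsent }) {
  const reply = (status, body, headers = {}) => ({ status, headers, body });
  return function handle(req, now = Date.now()) {
    if (allowedIps && !allowedIps.has(req.ip)) return reply(403, "forbidden");   // optional IP whitelist
    if (req.method === "POST" && req.path === "/admin/login") {
      if (!limiter.allow(req.ip, now)) return reply(429, "too many attempts");
      if (!verifyPassword(req.body && req.body.password, password)) return reply(401, "unauthorized");
      return reply(204, "", { "Set-Cookie": sessionCookie(sessions.create(now)) });
    }
    // The dashboard page and the JSON endpoints behind it share one session check.
    const token = tokenFromCookie(req.headers.cookie);
    if (!token || !sessions.valid(token, now)) return reply(401, "unauthorized");
    const m = req.path.match(/^\/api\/consent\/([\w-]+)$/);                       // assumed sessionId charset
    if (req.method === "DELETE" && m) return deleteConsent(m[1]) ? reply(204, "") : reply(404, "not found");
    return reply(200, "ok");                                                      // dashboard or GET /api/consent
  };
}

// Constructed requests: anonymous DELETE refused, default password refused, a
// real login yields a cookie that authorizes the DELETE, and the session expires.
function demoAdmin() {
  const sessions = new SessionStore(), limiter = new RateLimiter(), deleted = [];
  const password = "correct-horse-battery-staple";   // stands in for env.ADMIN_PASSWORD
  const handle = makeAdminHandler({ password, sessions, limiter, deleteConsent: (id) => { deleted.push(id); return true; } });
  const ip = "203.0.113.10", t = 1_700_000_000_000;
  const anon = handle({ method: "DELETE", path: "/api/consent/sess-1", ip, headers: {} }, t).status;
  const bad = handle({ method: "POST", path: "/admin/login", ip, headers: {}, body: { password: "changeme" } }, t).status;
  const login = handle({ method: "POST", path: "/admin/login", ip, headers: {}, body: { password } }, t);
  const cookie = `${SESSION_COOKIE}=${tokenFromCookie(login.headers["Set-Cookie"])}`;
  const del = handle({ method: "DELETE", path: "/api/consent/sess-1", ip, headers: { cookie } }, t + 1000).status;
  const expired = handle({ method: "GET", path: "/api/consent", ip, headers: { cookie } }, t + SESSION_TTL_MS + 1).status;
  return { anon, bad, login: login.status, del, expired, deleted };
}
```

Two things to carry over into the real endpoints: call `assertPasswordConfigured(process.env)` once at startup so a deployment that forgot to change `changeme` refuses to serve the admin routes at all, and keep `Secure` on the cookie, which is one more reason the HTTPS item on the checklist is not optional.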