kunthawat/moreminimore-website
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
55aca29a0851bb953722771ae64432634e3286e4
moreminimore-website/PDPA-COMPLIANCE.md
Kunthawat Greethong b76da284cc docs: Add complete PDPA-compliant legal pages and documentation 
Legal Pages Updated:
 Privacy Policy - All 14 PDPA Section 36 requirements
  - Data controller information
  - Purpose of data processing
  - Types of data collected
  - Legal basis for processing
  - Data retention period
  - Data sharing & disclosure
  - Cross-border transfers
  - Automated decision making
  - Cookies & tracking technologies
  - 8 data subject rights
  - Security measures
  - DPO contact
  - Right to lodge complaint
  - Policy version & effective date

 Terms & Conditions - 17 comprehensive sections
  - Acceptance of terms
  - Services description
  - Intellectual property rights
  - User obligations
  - Data processing & PDPA compliance
  - Cookies & tracking
  - Limitation of liability
  - Indemnification
  - Termination conditions
  - Modifications to terms
  - Governing law (Thailand)
  - Dispute resolution
  - Contact information
  - Severability
  - Waiver
  - Assignment
  - Version & effective date

Documentation Added:
 .env.example - Environment variables template
 PDPA-COMPLIANCE.md - Complete compliance guide
  - Feature documentation
  - Configuration instructions
  - Deployment guide
  - Admin dashboard usage
  - Security recommendations
  - PDPA compliance checklist

All legal pages are in Thai language with professional terminology.
2026-03-10 21:28:39 +07:00

4.4 KiB
Raw Blame History

PDPA Compliance Guide - MoreMiniMore Website

Features Implemented

This website is now PDPA-compliant with the following features:

1. Cookie Consent System

  • Component: src/components/consent/CookieBanner.astro
  • Features:
    • Accept All / Reject All buttons (equal prominence)
    • Stores consent in localStorage
    • Slides up from bottom on first visit
    • Thai language with link to Privacy Policy
    • Dispatches 'consentGiven' event for other components

2. Conditional Analytics Loading

  • Integration: Umami Analytics
  • Behavior: Only loads when user accepts analytics cookies
  • Implementation: In src/layouts/Layout.astro

3. Consent API Endpoints

  • POST /api/consent - Log new consent
  • GET /api/consent - Retrieve consent logs (admin)
  • DELETE /api/consent/:sessionId - Right to be forgotten

4. Admin Dashboard

  • URL: /admin/consent-logs
  • Features:
    • Password-protected access
    • View last 100 consent records
    • Statistics (total, acceptance rate, etc.)
    • Delete individual records
    • Export CSV (coming soon)
  • Default Password: changeme (MUST change in production!)

5. Updated Legal Pages

  • Privacy Policy: All 14 PDPA Section 36 requirements
  • Terms & Conditions: 17 comprehensive sections
  • Both in Thai language with professional legal terminology

🔧 Configuration

Environment Variables

Create a .env file in the root directory:

# Copy from example
cp .env.example .env

# Edit with your values
nano .env

Required Variables:

# Admin password (CHANGE THIS!)
ADMIN_PASSWORD=your-secure-password-here

# Database (for production)
ASTRO_DB_REMOTE_URL=file:./data/consent.db

Optional Variables:

# Umami Analytics
UMAMI_WEBSITE_ID=xxx-xxx-xxx
UMAMI_DOMAIN=analytics.example.com

🚀 Deployment

Docker (Recommended)

# Build image
docker build -t moreminimore:latest .

# Run container
docker run -d \
  -p 80:80 \
  -e NODE_ENV=production \
  -e ASTRO_DB_REMOTE_URL=file:/app/data/consent.db \
  -e HOST=0.0.0.0 \
  -e PORT=80 \
  -e ADMIN_PASSWORD=your-secure-password \
  --name moreminimore \
  moreminimore:latest

Easypanel Auto-Deploy

The website is configured for automatic deployment via Easypanel:

  1. Push changes to Gitea main branch
  2. Easypanel auto-builds (~3 minutes)
  3. New version deployed automatically

Environment Variables in Easypanel:

  • Set all variables from .env.example
  • Use strong ADMIN_PASSWORD
  • Configure database if using remote SQLite/Turso

📊 Managing Consent Logs

Access Admin Dashboard

  1. Navigate to: https://your-domain.com/admin/consent-logs
  2. Enter admin password
  3. View consent records

Export Data

Click "Export CSV" button to download consent logs (feature in development)

Right to be Forgotten

Users can request deletion by:

  1. Contacting: contact@moreminimore.com
  2. Admin deletes record via dashboard
  3. Or via API: DELETE /api/consent/:sessionId

📝 PDPA Compliance Checklist

Before Going Live:

  • Change ADMIN_PASSWORD from default
  • Test cookie consent banner appears
  • Verify Umami loads only with consent
  • Review Privacy Policy for accuracy
  • Review Terms & Conditions for accuracy
  • Test admin dashboard access
  • Enable HTTPS (required for PDPA)
  • Set up regular backups

Ongoing Maintenance:

  • Review consent logs monthly
  • Update legal pages when laws change
  • Keep admin password secure
  • Monitor for consent withdrawals
  • Document data processing activities

🔒 Security Notes

Current Implementation:

  • Client-side password check (development)
  • Production should use server-side authentication

Recommended Improvements:

  1. Add server-side session management
  2. Implement rate limiting on admin page
  3. Add IP whitelist for admin access
  4. Use HTTPS only
  5. Regular security audits

📞 Support

For questions about PDPA compliance or this implementation:

📚 Resources

Last Updated: March 10, 2026
Version: 1.0.0

Reference in New Issue View Git Blame Copy Permalink