GDPR self-service and cookie consent
Added authenticated data export, 30-day account deletion scheduling, cancel and purge flows, and a shared cookie consent banner for public and logged-in shells.
This is the public record of visible product work. It stays in JSON so new entries can be added without touching the template.
Added authenticated data export, 30-day account deletion scheduling, cancel and purge flows, and a shared cookie consent banner for public and logged-in shells.
Cookie-authenticated POST requests now require a per-session CSRF token, and HSTS is enabled when the Hub runs behind HTTPS or HUB_FORCE_HSTS=1.
Added branded reports that roll up SEO, Content, Social, Web, and Ads into a single dashboard module with download and summary views.
Launched the ads module with campaign drafts, deterministic copy generation, status updates, CSV export, and dashboard access when licensed.
Tightened the public and dashboard layouts for 375/414px screens, closed drawer links on tap, and added the first Playwright smoke test for the public pages.
Signup now verifies email softly, resend requests are rate-limited, and the admin audit log captures login, password lifecycle, plan, and license changes.
Shipped a public help page with real SMB FAQs and a support contact form that saves messages and emails Juan and Ana with reply-to support.
Added public terms and privacy pages, linked them from the login footer, and rendered branded HTML for 404 and 500 errors while keeping JSON for API clients.