Release Notes — February 2, 2026
GDPR Compliance Updates
This release focuses on full GDPR (General Data Protection Regulation) compliance, providing users with comprehensive tools to exercise their data rights.
New Features
GDPR Rights Dashboard
Location: Settings → Privacy → GDPR Rights
Users can now exercise all their GDPR rights through a dedicated self-service interface:
1. Right to Access (Article 15)
- Export Your Data in JSON or CSV format
- Download complete profile, time entries, projects, invoices
- Instant export generation (no waiting time)
- Learn more
2. Right to Rectification (Article 16)
- Update profile information anytime
- Edit time entries, projects, settings
- Changes take effect immediately
3. Right to Erasure (Article 17)
- Account Deletion with 7-day grace period
- Email notification with cancellation link
- Clear timeline of what gets deleted when
- Learn more
4. Right to Restriction of Processing (Article 18) NEW
- Temporary account freeze without deletion
- Four scenarios supported:
- Data accuracy verification
- Unlawful processing objection
- Legal claims
- Objection review pending
- Data stored but not processed during restriction
- Unlock account anytime (instant)
5. Right to Data Portability (Article 20)
- Export data in machine-readable JSON format
- Import to other time tracking services
- Includes all time entries, projects, invoices
6. Right to Object (Article 21) NEW
- Direct Marketing: Absolute right to opt-out (instant)
- Profiling: Stop automated decision-making (instant)
- Legitimate Interests: Object to any processing (30-day review)
- Toggle switches for easy management
7. Right to Withdraw Consent (Article 7.3)
- Manage cookie preferences
- Update email marketing subscriptions
- Changes take effect immediately
8. Right to Lodge a Complaint (Article 77)
- Full contact details for Hungarian NAIH (Data Protection Authority)
- Guidance on complaint process
Full GDPR Rights Documentation
Legal Updates
Privacy Policy v2.0
Effective Date: March 4, 2026 (30 days from now)
Our Privacy Policy has been updated with detailed explanations of how to exercise your GDPR rights:
Changes:
Section 6 (GDPR Rights) completely rewritten- Added implementation details for all 8 rights
- Included UI navigation paths for self-service
- Documented 7-day grace period for account deletion
- Added Article 18 (Restriction) and Article 21 (Object) details
- Specified data export formats (JSON/CSV)
- Added Hungarian NAIH contact information
- Updated legal references to GDPR articles
Action Required:
- All users will receive an email notification about this update
- You have 30 days to review and object if needed
- New policy takes effect March 4, 2026
Improvements
Account Deletion Flow
Before:
- Immediate deletion (no recovery)
- Manual support contact required
After:
- 7-day grace period for accidental deletions
- Email notification with cancellation link (valid 7 days)
- Clear timeline: Day 0-7 (reversible) → Day 8+ (permanent)
- Self-service cancellation (no support ticket needed)
What gets deleted:
- Profile information (name, email, phone)
- Time entries and descriptions
- Projects, workspaces, team memberships
- Preferences and settings
- Marketing consent records
What's retained (legal requirements):
- Accounting data (8 years, anonymized)
- Security logs (90 days, IP addresses only)
- Legal compliance records
Data Export Enhancements
New Features:
- CSV format added (Excel-compatible)
- Instant generation (no queue)
- Unlimited exports (no restrictions)
- Structured metadata in exports
Export Includes:
- Profile information
- All time entries (with projects, tags)
- Projects and workspaces
- Financial data (invoices, transactions)
- Preferences and settings
- Audit logs (last 90 days)
New Documentation
We've added comprehensive guides for all GDPR features:
- GDPR Rights (350+ lines)
- Detailed explanation of all 8 rights
- Step-by-step instructions for each
- FAQ with 6 common questions
- Troubleshooting section
- Account Deletion (280+ lines)
- Complete deletion workflow
- 7-day grace period details
- Cancellation methods
- What gets deleted vs. retained
- Timeline with examples
- FAQ with 8 questions
- Data Export (370+ lines)
- JSON vs. CSV format comparison
- Complete data structure documentation
- Usage examples (Excel, import to other services)
- Privacy and security best practices
- Troubleshooting common issues
Security & Privacy
Enhanced Data Protection
- Encryption: All exports use HTTPS during download
- Audit Logging: All GDPR actions logged (restriction, export, deletion)
- Email Notifications: Instant alerts for account changes
- Compliance Tracking: Legal basis documented for all processing
User Control
- Self-Service: No support tickets needed for GDPR requests
- Instant Actions: Most rights exercised in real-time
- Transparency: Clear explanations of what happens when
- Reversibility: 7-day grace period for destructive actions
Bug Fixes
- Fixed: Export button not responding in Safari
- Fixed: CSV export encoding issues (special characters)
- Fixed: Account deletion email not sent in some timezones
- Fixed: Restriction status not showing in profile header
Technical Details
Backend Changes
New API Endpoints:
POST /api/v1/users/restrict # Restrict account processing
DELETE /api/v1/users/restrict # Remove restriction
POST /api/v1/users/object # Object to processing
GET /api/v1/users/objections # List active objections
Enhanced Endpoints:
GET /api/v1/users/export/:format # JSON | CSV
DELETE /api/v1/users/delete # Now with 7-day grace
POST /api/v1/users/delete/cancel # Cancel deletion
Database Migrations
- Added
restrictionstable (Article 18 tracking) - Added
objectionstable (Article 21 tracking) - Added
accountDeletionScheduledfield (grace period) - Added
deletionCancelTokenfield (secure cancellation)
Frontend Changes
New Components:
GDPRRights.tsx- Main dashboardAccountRestriction.tsx- Restriction toggleProcessingObjections.tsx- Object to processingAccountDeletionConfirm.tsx- Deletion with grace period
Updated Components:
ProfileSettings.tsx- Rectification improvementsDataExport.tsx- CSV format supportPrivacySettings.tsx- Integrated GDPR rights
Deployment Notes
For Administrators
Before Deployment:
- Review Privacy Policy changes (v2.0)
- Test GDPR Rights dashboard (staging)
- Verify email templates (account deletion, restriction)
- Check data export functionality (JSON/CSV)
After Deployment:
- Trigger policy change notification:
POST /api/v1/admin/policy-change/notify
{
"policyType": "privacy",
"oldVersion": "1.0",
"newVersion": "2.0",
"effectiveDate": "2026-03-04T00:00:00.000Z"
}
- Monitor GDPR action logs for errors
- Check support tickets for user questions
- ⏰ Wait 30 days for policy effective date (March 4, 2026)
For Users
No action required unless you want to:
- Review new Privacy Policy (emailed to you)
- Exercise your GDPR rights (Settings → Privacy)
- Export your data for backup
Timeline
| Date | Event |
|---|---|
| Feb 2, 2026 | Release deployed to production |
| Feb 2, 2026 | Privacy Policy change emails sent |
| Feb 2 - Mar 3 | 30-day review period (GDPR requirement) |
| Mar 4, 2026 | Privacy Policy v2.0 takes effect |
Support
Questions about GDPR rights?
- Email: support@cadensa.io
- Documentation: GDPR Rights Guide
- Response time: Within 24 hours
Data Protection Officer:
- Email: dpo@cadensa.io
- Response time: Within 72 hours (GDPR requirement)
Complaint to Data Protection Authority:
- NAIH (Hungary): info@naih.hu, +36-1-391-1400
- Full contact details
Next Steps
We're continuing to improve GDPR compliance:
Q1 2026 (Feb-Mar):
- Full GDPR rights implementation ← YOU ARE HERE
- Privacy Policy v2.0 effective (March 4)
- User education campaign
Q2 2026 (Apr-Jun):
- 🔜 API data export (programmatic access)
- 🔜 Filtered exports (date ranges, specific projects)
- 🔜 GDPR compliance audit (external)
Q3 2026 (Jul-Sep):
- 🔜 Data retention policy automation
- 🔜 Enhanced audit logging
- 🔜 GDPR dashboard analytics
Related Resources
Version: 2.5.0
Release Date: February 2, 2026
Type: Major Feature Release
Status: Production Ready