Account Lifecycle

This page documents Coldtivate's current account and cooling user profile lifecycle behavior, with a focus on the distinction between archival and anonymization.

The policy covers both User accounts, such as Registered Employees and Operators, and cooling user profiles. Archival is currently implemented for cooling user profiles. Account deletion for all User-backed account types is implemented as anonymization and deactivation rather than hard deletion.

It is intended as a policy and implementation reference for product, support, QA, frontend, and backend teams.

Note: The frontend does not currently expose archival flows in the UI. Archival is a supported backend capability but not yet a fully exposed end-user feature.


Lifecycle Options

1. Archive

Temporarily removes a cooling user profile from active operational use while preserving the record for possible restoration. Prefer this when removal should be reversible, for example when:

  • the person is temporarily inactive or should be suspended from daily operations
  • the company wants to remove the profile without losing its state
  • historical traceability should be preserved

For cooling user profiles, archival is modeled through is_archived, archived_at, and archived_by.

Archival is not currently a general lifecycle state for Registered Employee or Operator User accounts.

2. Anonymize

Permanently removes personally identifying information from a profile or user account. The record stays in the database but is no longer attributable to the original person. Prefer this when retaining identifiable data would be inappropriate, for example when:

  • the user requests account deletion
  • compliance or retention rules require personal data removal
  • restoration is not the expected outcome

The backend does not hard-delete records. Instead, it relies on anonymization to preserve historical operational relationships while removing PII.


Current Backend Support

The backend supports the following lifecycle operations:

  • user account anonymization (User records; sets is_active=False and clears PII)
  • cooling user profile archival
  • cooling user profile restoration
  • cooling user profile anonymization
  • dependency checks that may block archival, restoration, or deletion

Relevant backend areas:

  • services/user.py - delete_user_account, archive_farmer_profile, restore_farmer_profile, anonymize_farmer_profile
  • farmer views - archive, restore, and operator-proxy-delete actions
  • dependency validation before destructive lifecycle actions proceed

Account Type Behavior

Cooling Users

Cooling users can exist as smartphone accounts linked to a User record, or as operator-managed profiles without a full app login.

  • archival is available for cooling user profiles and is reversible
  • restoration is available for archived cooling user profiles
  • deletion is implemented as anonymization, not hard deletion
  • anonymization clears identifying profile fields and removes cooling unit associations
  • active produce in storage can block deletion/anonymization until check-out is completed

Operators can remove a cooling user profile from their company through the supported proxy deletion flow. This anonymizes the profile after dependency checks pass.

Registered Employees

Registered Employees are User accounts linked to a company through the service provider relationship.

  • deletion is implemented through User account anonymization and deactivation
  • the User record remains in the database with is_active=False
  • identifying account fields such as name, phone, and email are cleared or replaced
  • if the deleted Registered Employee is the last active employee for a company, company-level anonymization is triggered

When last-employee cleanup is triggered, the backend anonymizes or disables company-owned data needed to prevent orphaned identifiable organization records. This includes company details, cooling units, locations, cooling user profiles linked to the company, and active operator accounts for that company.

Operators

Operators are User accounts linked to a company through the operator relationship.

  • deletion is implemented through User account anonymization and deactivation
  • the User record remains in the database with is_active=False
  • identifying account fields such as name, phone, and email are cleared or replaced
  • the operator is removed from cooling units they were assigned to
  • active produce owned through any linked cooling user profile can block deletion until check-out is completed

Operator account deletion does not use the cooling user profile archival fields. If the person should later regain access, a new or restored access path must be handled through the supported account management flow rather than profile restoration.


Data Retention And Side Effects

Archival

  • profile remains in the database
  • profile is excluded from normal active listings/queries
  • restoration remains possible
  • historical relationships remain intact

Anonymization

  • identifying fields are cleared or replaced with anonymous placeholders
  • the record becomes non-attributable but remains in the database
  • relevant company and cooling unit associations are removed or disabled where required by the account type
  • related operational history is preserved in anonymized form

Fields affected can include first/last name, phone, email, gender, language, cooling user identifier, company association, linked cooling units, and assigned cooling unit operators.

Anonymization can also trigger organization-level side effects. For example, when the last active employee of a company is removed, the company's own data and associated cooling units are also anonymized.
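
The difference between the two operations, as an added example for QA and backend reviewers; it is not Coldtivate's own code. Only is_archived, archived_at and archived_by come from this page. The Profile class, the function names, the PII field subset, the active_crates counter and the clearing of audit fields on restore are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumed subset of the identifying fields listed above.
PII_FIELDS = ("first_name", "last_name", "phone", "email")

class LifecycleError(Exception):
    """Raised when a guard blocks the requested transition."""

@dataclass
class Profile:  # hypothetical stand-in for a cooling user profile
    first_name: str
    last_name: str
    phone: str
    email: str
    company_id: Optional[int]
    active_crates: int = 0  # produce still in storage (assumed counter)
    is_archived: bool = False
    archived_at: Optional[datetime] = None
    archived_by: Optional[str] = None

def archive(p, actor):
    if p.is_archived:
        raise LifecycleError("profile is already archived")
    p.is_archived, p.archived_at, p.archived_by = True, datetime.now(timezone.utc), actor
    return p  # reversible: no identifying field is touched

def restore(p):
    if not p.is_archived:
        raise LifecycleError("target profile is not archived")
    # Assumption: the audit fields are cleared on restore.
    p.is_archived, p.archived_at, p.archived_by = False, None, None
    return p

def anonymize(p):
    if p.active_crates:
        raise LifecycleError("active produce must be checked out first")
    for name in PII_FIELDS:
        setattr(p, name, "")  # cleared; a placeholder value would also fit the policy
    p.company_id = None  # company association removed
    return p  # irreversible: the row stays, the person does not

def residual_pii(p):
    """Names of identifying fields still populated; empty after anonymization."""
    return [name for name in PII_FIELDS if getattr(p, name)]

def sample():  # constructed sample record
    return Profile("Ada", "Obi", "+000000000", "ada@example.test", company_id=7)
```

A check like residual_pii is the useful part for the verification steps in the deletion procedures: it fails loudly if a later schema change adds an identifying field that the anonymization path does not clear.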


Operational Guidance

Cooling User Profile Archive Procedure

  1. Check whether unresolved operational dependencies block archival.
  2. Archive the profile through the supported backend/API flow.
  3. Confirm the profile no longer appears in active operational queries.

Cooling User Profile Restore Procedure

  1. Confirm the profile is currently archived.
  2. Restore the profile through the supported backend/API flow.
  3. Verify the profile is visible again in active workflows.

Cooling User Account Deletion Procedure

  1. Confirm the cooling user is deleting their own linked User account.
  2. Check whether active produce or other dependencies block account deletion.
  3. Review expected downstream side effects for the linked cooling user profile.
  4. Execute the supported account deletion flow.
  5. Verify the User account is inactive and identifying account/profile data has been anonymized.

Registered Employee Or Operator Account Deletion Procedure

  1. Confirm the requester is deleting their own account through the supported user account deletion flow.
  2. Check whether dependency validation blocks deletion.
  3. For Registered Employees, confirm whether the account is the last active employee for the company.
  4. Review expected company-level side effects if last-employee cleanup will be triggered.
  5. Execute the supported account deletion flow.
  6. Verify the account is inactive and identifying fields are no longer exposed.

Operator-Managed Cooling User Profile Deletion Procedure

  1. Confirm the requester has the Operator role and belongs to the same company as the cooling user profile.
  2. Check whether unresolved produce or check-out dependencies block deletion.
  3. Execute the supported operator proxy deletion flow.
  4. Confirm company-specific cooling unit associations were removed by the flow.
  5. Verify the profile has been anonymized and no longer appears as an identifiable active profile.

Troubleshooting

Profile cannot be archived

  • the requester is not authorized
  • unresolved dependencies are blocking archival
  • the profile is already archived

Profile cannot be restored

  • the requester is not authorized
  • the target profile is not archived

Profile cannot be deleted

  • unresolved produce or check-out dependencies exist
  • consider archival instead

Account cannot be deleted

  • the requester is trying to delete another user's account
  • active crates or unresolved produce dependencies exist
  • dependency remediation, such as processing outstanding check-outs, must happen first

Unexpected company data was anonymized

  • the deleted account was the last active Registered Employee for the company
  • last-employee cleanup anonymizes company-level records and disables associated operational data
  • confirm the remaining active employee count before deleting a Registered Employee account

UI does not show the expected lifecycle action

The backend may support the action, but frontend support is incomplete or not yet exposed. Confirm whether the action is available only through the backend/API.