diff --git a/README.md b/README.md index b986498..6c795ae 100644 --- a/README.md +++ b/README.md @@ -1,84 +1,125 @@ -# Egret — Privacy Rights & Data Request Management +
-> *Part of the Circuit Forge LLC "AI for the tasks you hate most" suite.* +# Plover -**Status:** Backlog — not yet started. Peregrine must prove the model first. +**Local-first privacy rights assistant. CCPA/GDPR Data Subject Access Requests (DSARs), erasure requests, regulatory escalation — no cloud required.** + +[![Status](https://img.shields.io/badge/status-backlog-lightgrey)](https://git.opensourcesolarpunk.com/Circuit-Forge/plover) +[![License](https://img.shields.io/badge/license-BSL%201.1-blue)](LICENSE) +[![CircuitForge](https://img.shields.io/badge/CircuitForge-LLC-green)](https://circuitforge.tech) + +[Website](https://circuitforge.tech) · [Roadmap](https://git.opensourcesolarpunk.com/Circuit-Forge/roadmap) · [All Products](https://circuitforge.tech/#products) + +
+ +--- + +> *Part of the [Circuit Forge LLC](https://circuitforge.tech) menagerie — AI for the tasks the system made hard on purpose.* + +**Status:** Backlog — not yet started. See the [roadmap](https://git.opensourcesolarpunk.com/Circuit-Forge/roadmap) for priority order. ## What it does -Egret manages your privacy rights across companies worldwide: submitting Data Subject Access Requests (DSARs), Right to Erasure requests, data portability requests, opt-out-of-sale notices, and escalating to regulatory bodies when companies stonewall or miss their legal deadlines. +Plover manages your privacy rights across companies worldwide: submitting Data Subject Access Requests (DSARs), Right to Erasure requests, data portability requests, opt-out-of-sale notices, and escalating to regulatory bodies when companies stonewall or miss their legal deadlines. -The name is intentional: *egret* sounds like *egress* — data flowing out of companies' systems and back under your control. Egrets are patient, methodical, and precise. White, clean. That's the goal. +The word "plover" traces to Latin *pluvia* (rain) — plovers were once believed to detect approaching rain and navigate by it. The common snipe plover probes into mud to find what is buried, hidden, and otherwise inaccessible. That is exactly what this product does: extracts data that companies have buried and are legally required to give you. + +## Why it is hard + +Privacy rights exist on paper but are designed to be abandoned: + +- Companies have no incentive to make DSAR submission easy; most bury the form or require accounts +- Legal deadlines are short but enforcement is weak for individuals (30 days GDPR, 45 days CCPA) +- Responses are often partial, evasive, or in formats designed to be unreadable +- Escalation paths (Data Protection Authorities, state Attorneys General, the Federal Trade Commission) require formal complaints with specific formats +- Identity verification requirements vary and are sometimes used as gatekeeping ## Legal frameworks supported | Regulation | Region | Key rights | -|---|---|---| +|------------|--------|-----------| | GDPR | EU / EEA | Access, erasure, portability, rectification, restrict processing | | CCPA / CPRA | California, USA | Know, delete, opt-out of sale/sharing, correct, limit sensitive use | | PIPEDA | Canada | Access, correction, withdrawal of consent | | LGPD | Brazil | Access, deletion, portability, correction, anonymization | -| PDPA | Thailand / Singapore | Access, correction, deletion, portability | | UK GDPR | United Kingdom | Post-Brexit GDPR equivalent | -| State privacy laws | USA (VA, CO, CT, TX, OR, MT, +) | Access, deletion, opt-out (varies by state) | +| State privacy laws | USA (VA, CO, CT, TX, OR, MT, and others) | Access, deletion, opt-out (varies by state) | | APPI | Japan | Disclosure, correction, use limitation | -## Why it's hard - -Privacy rights exist on paper but are designed to be abandoned: -- Companies have no incentive to make DSAR submission easy — most bury the form or require accounts -- Legal deadlines are short but enforcement is weak for individuals (30 days GDPR, 45 days CCPA) -- Responses are often partial, evasive, or in formats designed to be unreadable -- Escalation paths (DPAs, state AGs, FTC) require formal complaints with specific formats -- Identity verification requirements vary and are sometimes used as gatekeeping - ## Core pipeline ``` -Inventory data exposures (companies with your data + what category) -→ Generate tailored DSAR / erasure / opt-out letter per company -→ Submit via verified channel (email / web form / certified mail) -→ Track deadline (GDPR: 30 days; CCPA: 45 days; grace periods) -→ Monitor for response → Review compliance of response -→ If non-compliant / no response: draft DPA / state AG complaint -→ Track escalation status +Inventory data exposures (companies holding your data and what category) + → Generate tailored DSAR, erasure, or opt-out letter per company and jurisdiction + → Submit via verified channel (email, web form, or certified mail) + → Track legal deadline (GDPR: 30 days; CCPA: 45 days; with grace periods) + → Monitor for response → Human reviews company response for completeness + → LLM flags if response does not meet legal minimums + → If non-compliant or no response: draft DPA or state AG complaint + → Track escalation status ``` -## Key differentiators vs. other products - -- Multi-jurisdiction: the correct legal framing, citation, and deadline vary by company location AND your location -- Identity verification workflow: guide user through what to submit (and what NOT to overshare) -- Partial response detection: AI reviews company response for completeness vs. legal requirements -- Escalation chain: ICO → CNIL → Datatilsynet → state AG → FTC → small claims, based on jurisdiction and response - ## Response handling -When a company responds, Egret: -1. Parses the response (email / PDF / portal export) -2. Checks against your original request — what was addressed, what was dodged -3. Flags if the response doesn't meet legal minimums +When a company responds, Plover: + +1. Parses the response (email, PDF, or portal export) +2. Checks against your original request: what was addressed, what was dodged +3. Flags if the response does not meet legal minimums for the applicable regulation 4. Drafts a follow-up or escalation letter as needed ## Company database A structured, community-maintained database of: + - DSAR submission endpoints (email, web form URL, or postal address) per company - Average response time (crowdsourced) -- Compliance rating (historically responsive / stonewalls / partial) +- Compliance rating: historically responsive, stonewalls, or partial - Required identity verification documents -MIT-licensed, like the job board scrapers in Peregrine — the community maintains it because company policies change constantly. +MIT-licensed, like the job board scrapers in Peregrine. The community maintains it because company policies change constantly. -## Product code (license key) +## Privacy · Safety · Accessibility -`CFG-EGRT-XXXX-XXXX-XXXX` +**Privacy:** DSAR responses may contain your own personal information. Plover processes all response analysis locally. Response documents are never routed through a cloud LLM without your explicit consent per-request. + +**Safety:** Plover drafts letters and tracks deadlines. It does not file complaints on your behalf without your review and approval. Legal interpretations are reference material, not legal advice. + +**Accessibility:** Letter templates are available in plain language and formal legal language. Escalation workflows are guided step-by-step. The jurisdiction matrix covers 50+ countries with plain-English summaries of your rights in each. + +## Tiers + +| Tier | What you get | +|------|-------------| +| **Free** | DSAR and erasure letter generation, deadline tracker, local LLM response review, company database | +| **Paid** | Automated submission monitoring, email sync for response tracking, regulatory escalation templates, cloud sync across devices | +| **Premium** | Multi-person household support, business DSAR compliance tools (for small businesses managing inbound DSARs), fine-tuned response analysis model | + +## Get involved + +Plover is pre-development. The best thing you can do right now is open an issue with: + +- A specific company or industry where you have tried to exercise privacy rights and found it difficult +- Regulations or jurisdictions you want prioritized +- Experience with regulatory body complaint processes (what worked, what did not) +- Identity verification gatekeeping tactics you have encountered + +Early issues shape what gets built first. Star the repo to follow progress. + +## Product code + +License key format: `CFG-PLVR-XXXX-XXXX-XXXX` ## Tech notes -- Shared `circuitforge-core` scaffold -- Jurisdiction detection: user location + company HQ → applicable law +- Built on the shared [circuitforge-core](https://git.opensourcesolarpunk.com/Circuit-Forge/circuitforge-core) scaffold +- Jurisdiction detection: user location plus company headquarters location determines applicable law - Letter template library: per-regulation, per-right, per-escalation-level -- Email sync: monitor company responses, flag when deadline approaches -- Response analysis: LLM review of company responses against legal checklists -- Vision module: scan physical mail responses, PDF exports from companies -- ⚠️ Sensitive data handling: DSAR responses may include PII — local-only processing, never routed through cloud LLM without explicit consent +- Email sync: monitor company responses and flag when deadline approaches +- Response analysis: local LLM review of company responses against legal checklists +- Vision module: scan physical mail responses and PDF exports from companies +- Company database: MIT-licensed, community-maintained DSAR endpoint registry + +## License + +[Business Source License 1.1](LICENSE) — free for personal non-commercial self-hosting. Converts to MIT after four years. Commercial use requires a [paid license](https://circuitforge.tech/pricing).