Improve data privacy handling and per-group settings for multi-group usage

.github/workflows/deploy_docker.yml

@@ -93,7 +93,6 @@ jobs:
           APPLICATION_TITLE: ${{ vars.APPLICATION_TITLE }}
           CHAIR_NAME: ${{ vars.CHAIR_NAME }}
           CHAIR_URL: ${{ vars.CHAIR_URL }}
-          DEFAULT_SUPERVISOR_UUID: ${{ vars.DEFAULT_SUPERVISOR_UUID }}
           ALLOW_SUGGESTED_TOPICS: ${{ vars.ALLOW_SUGGESTED_TOPICS }}
           THESIS_TYPES: ${{ vars.THESIS_TYPES }}
           STUDY_PROGRAMS: ${{ vars.STUDY_PROGRAMS }}
@@ -102,21 +101,13 @@ jobs:
           LANGUAGES: ${{ vars.LANGUAGES }}
           CUSTOM_DATA: ${{ vars.CUSTOM_DATA }}
           THESIS_FILES: ${{ vars.THESIS_FILES }}
-          SCIENTIFIC_WRITING_GUIDE: ${{ vars.SCIENTIFIC_WRITING_GUIDE }}
           MAIL_SENDER: ${{ vars.MAIL_SENDER }}
-          MAIL_SIGNATURE: ${{ vars.MAIL_SIGNATURE }}
-          MAIL_BCC_RECIPIENTS: ${{ vars.MAIL_BCC_RECIPIENTS }}
-          MAIL_WORKSPACE_URL: ${{ vars.MAIL_WORKSPACE_URL }}
           KEYCLOAK_HOST: ${{ vars.KEYCLOAK_HOST }}
           KEYCLOAK_REALM_NAME: ${{ vars.KEYCLOAK_REALM_NAME }}
           KEYCLOAK_CLIENT_ID: ${{ vars.KEYCLOAK_CLIENT_ID }}
           KEYCLOAK_SERVICE_CLIENT_ID: ${{ vars.KEYCLOAK_SERVICE_CLIENT_ID }}
           KEYCLOAK_SERVICE_CLIENT_SECRET: ${{ secrets.KEYCLOAK_SERVICE_CLIENT_SECRET }}
           KEYCLOAK_SERVICE_STUDENT_GROUP_NAME: ${{ vars.KEYCLOAK_SERVICE_STUDENT_GROUP_NAME }}
-          CALDAV_ENABLED: ${{ vars.CALDAV_ENABLED }}
-          CALDAV_URL: ${{ vars.CALDAV_URL }}
-          CALDAV_USERNAME: ${{ vars.CALDAV_USERNAME }}
-          CALDAV_PASSWORD: ${{ secrets.CALDAV_PASSWORD }}
         with:
           host: ${{ vars.VM_HOST }}
           username: ${{ vars.VM_USERNAME }}
@@ -125,7 +116,7 @@ jobs:
           proxy_username: ${{ vars.DEPLOYMENT_GATEWAY_USER }}
           proxy_key: ${{ secrets.DEPLOYMENT_GATEWAY_SSH_KEY }}
           proxy_port: ${{ vars.DEPLOYMENT_GATEWAY_PORT }}
-          envs: SERVER_TAG,CLIENT_TAG,SPRING_DATASOURCE_DATABASE,SPRING_DATASOURCE_USERNAME,SPRING_DATASOURCE_PASSWORD,APP_HOSTNAME,SERVER_HOST,CLIENT_HOST,APPLICATION_TITLE,CHAIR_NAME,CHAIR_URL,DEFAULT_SUPERVISOR_UUID,ALLOW_SUGGESTED_TOPICS,THESIS_TYPES,STUDY_PROGRAMS,STUDY_DEGREES,GENDERS,LANGUAGES,CUSTOM_DATA,THESIS_FILES,SCIENTIFIC_WRITING_GUIDE,MAIL_SENDER,MAIL_SIGNATURE,MAIL_BCC_RECIPIENTS,MAIL_WORKSPACE_URL,KEYCLOAK_HOST,KEYCLOAK_REALM_NAME,KEYCLOAK_CLIENT_ID,KEYCLOAK_SERVICE_CLIENT_ID,KEYCLOAK_SERVICE_CLIENT_SECRET,KEYCLOAK_SERVICE_STUDENT_GROUP_NAME,CALDAV_ENABLED,CALDAV_URL,CALDAV_USERNAME,CALDAV_PASSWORD
+          envs: SERVER_TAG,CLIENT_TAG,SPRING_DATASOURCE_DATABASE,SPRING_DATASOURCE_USERNAME,SPRING_DATASOURCE_PASSWORD,APP_HOSTNAME,SERVER_HOST,CLIENT_HOST,APPLICATION_TITLE,CHAIR_NAME,CHAIR_URL,ALLOW_SUGGESTED_TOPICS,THESIS_TYPES,STUDY_PROGRAMS,STUDY_DEGREES,GENDERS,LANGUAGES,CUSTOM_DATA,THESIS_FILES,MAIL_SENDER,KEYCLOAK_HOST,KEYCLOAK_REALM_NAME,KEYCLOAK_CLIENT_ID,KEYCLOAK_SERVICE_CLIENT_ID,KEYCLOAK_SERVICE_CLIENT_SECRET,KEYCLOAK_SERVICE_STUDENT_GROUP_NAME
           script: |
             rm -f .env.prod
             cat > .env.prod << ENVEOF
@@ -138,7 +129,6 @@ jobs:
             APPLICATION_TITLE=${APPLICATION_TITLE}
             CHAIR_NAME=${CHAIR_NAME}
             CHAIR_URL=${CHAIR_URL}
-            DEFAULT_SUPERVISOR_UUID=${DEFAULT_SUPERVISOR_UUID}
             ALLOW_SUGGESTED_TOPICS=${ALLOW_SUGGESTED_TOPICS}
             THESIS_TYPES=${THESIS_TYPES}
             STUDY_PROGRAMS=${STUDY_PROGRAMS}
@@ -147,21 +137,13 @@ jobs:
             LANGUAGES=${LANGUAGES}
             CUSTOM_DATA=${CUSTOM_DATA}
             THESIS_FILES=${THESIS_FILES}
-            SCIENTIFIC_WRITING_GUIDE=${SCIENTIFIC_WRITING_GUIDE}
             MAIL_SENDER=${MAIL_SENDER}
-            MAIL_SIGNATURE=${MAIL_SIGNATURE}
-            MAIL_BCC_RECIPIENTS=${MAIL_BCC_RECIPIENTS}
-            MAIL_WORKSPACE_URL=${MAIL_WORKSPACE_URL}
             KEYCLOAK_HOST=${KEYCLOAK_HOST}
             KEYCLOAK_REALM_NAME=${KEYCLOAK_REALM_NAME}
             KEYCLOAK_CLIENT_ID=${KEYCLOAK_CLIENT_ID}
             KEYCLOAK_SERVICE_CLIENT_ID=${KEYCLOAK_SERVICE_CLIENT_ID}
             KEYCLOAK_SERVICE_CLIENT_SECRET=${KEYCLOAK_SERVICE_CLIENT_SECRET}
             KEYCLOAK_SERVICE_STUDENT_GROUP_NAME=${KEYCLOAK_SERVICE_STUDENT_GROUP_NAME}
-            CALDAV_ENABLED=${CALDAV_ENABLED}
-            CALDAV_URL=${CALDAV_URL}
-            CALDAV_USERNAME=${CALDAV_USERNAME}
-            CALDAV_PASSWORD=${CALDAV_PASSWORD}
             SERVER_IMAGE_TAG=${SERVER_TAG:-latest}
             CLIENT_IMAGE_TAG=${CLIENT_TAG:-latest}
             ENVEOF

.gitignore

@@ -3,6 +3,7 @@
 db_backups
 uploads
 postfix-config
+server/data-exports/
 
 # User-specific stuff
 .idea

README.md

@@ -35,9 +35,15 @@ The videos are grouped by the roles student, supervisor, examiner, and research
 - [Manage User Settings](https://live.rbg.tum.de/w/artemisintro/53605)  
   Enables students to configure their account settings, including personal information such as study program and contact details, ensuring all details are up-to-date.
 
-- [Book Interview Slot](https://live.rbg.tum.de/w/artemisintro/70067)  
+- [Book Interview Slot](https://live.rbg.tum.de/w/artemisintro/70067)
   Allows students to view available interview slots and book a preferred timeslot.
 
+- **Request Data Export**
+  Allows students to request an export of all their personal data (profile, applications, theses, uploaded files) as a ZIP file. Accessible from the Privacy page or directly at `/data-export`.
+
+- **Import Profile Picture**
+  Allows students to import their profile picture from Gravatar via the profile settings page. The lookup is performed server-side to protect the user's IP address.
+
 #### Supervisor
 
 - [Create Thesis Topic](https://live.rbg.tum.de/w/artemisintro/53599)  
@@ -98,9 +104,20 @@ The videos are grouped by the roles student, supervisor, examiner, and research
 - [Add Members to Research Group](https://live.rbg.tum.de/w/artemisintro/70056)  
   Shows how research group admins can add members to the research group.
 
-- [Make a Member Research Group Admin](https://live.rbg.tum.de/w/artemisintro/70055)  
+- [Make a Member Research Group Admin](https://live.rbg.tum.de/w/artemisintro/70055)
   Demonstrates how research group admins can grant admin permissions to a member.
 
+- **Configure Scientific Writing Guide**
+  Allows research group admins to set a custom link to scientific writing guidelines in the research group settings. This link is shown to students during the thesis writing phase.
+
+#### Admin
+
+- **Data Retention Management**
+  Admins can view data retention status and manually trigger the cleanup process from the Data Retention admin page. The nightly cleanup automatically deletes rejected applications older than 1 year and expired data export files.
+
+- **Delete Rejected Applications**
+  Admins can permanently delete rejected applications from the application detail page.
+
 #### Thesis Page Permissions
 
 Admins can view and edit all theses on the platform.
@@ -165,6 +182,7 @@ Group heads have the Group Admin role for their group by default (this cannot be
 3. [Customizing E-Mails](docs/MAILS.md)
 4. [Development Setup](docs/DEVELOPMENT.md) (includes [E2E Tests](docs/DEVELOPMENT.md#e2e-tests-playwright))
 5. [Database Changes](docs/DATABASE.md)
+6. [Data Retention Policy](docs/DATA_RETENTION.md)
 
 ## Features
 
@@ -177,10 +195,32 @@ These flowcharts offer a quick reference for understanding how each role engages
 
 ![Thesis Application Flowchart](docs/files/thesis-application-flowchart.svg)
 
+#### Automatic Application Expiration
+
+Applications that have not been reviewed within a configurable period are automatically rejected. Research group admins can configure the expiration delay in weeks (minimum 2 weeks) in the research group settings. When an application expires, the student receives the standard rejection email notification, so they can reapply or pursue other options.
+
+This mechanism ensures that students are not left waiting indefinitely for a response and enables the system to clean up application data after the retention period.
+
 #### Thesis Writing Flowchart
 
 ![Thesis Writing Flowchart](docs/files/thesis-writing-flowchart.svg)
 
+#### Privacy and Data Protection
+
+The platform includes GDPR-compliant privacy and data protection features:
+
+- **Privacy Statement**: A comprehensive privacy page accessible to all users (authenticated and unauthenticated) that documents all data processing activities, legal bases, retention periods, and data subject rights.
+- **Data Export (Art. 15 / Art. 20)**: Authenticated users can request an export of all their personal data from the Data Export page (also linked from the Privacy page). Exports are generated as ZIP files containing structured JSON data (profile, applications, theses, assessments) and uploaded documents (CV, degree report, examination report). Exports are processed overnight and the user receives an email notification with a link to download. Downloads are available for 7 days and users can request a new export every 7 days. See the [Data Retention Policy](docs/DATA_RETENTION.md) for details.
+- **Data Retention**: Automated cleanup of expired data runs nightly. Rejected applications are deleted after 1 year. Data export files are deleted after 7 days. Admins can trigger the cleanup manually from the Data Retention admin page. See the [Data Retention Policy](docs/DATA_RETENTION.md) for the full retention schedule and rationale.
+- **Application Deletion**: Admins can permanently delete rejected applications from the application detail page.
+- **Profile Picture Import**: Users can import their profile picture from Gravatar via their profile settings. The lookup is performed server-side to avoid exposing the user's IP address to external services.
+
+#### Research Group Settings
+
+Research group admins can configure per-group settings:
+
+- **Scientific Writing Guide**: A customizable link to scientific writing guidelines shown to students during the thesis writing phase. Each research group can configure its own link in the research group settings page.
+
 > [!NOTE]
-> **Couldn't find what you were looking for?**  
+> **Couldn't find what you were looking for?**
 > If you need any further help or want to be onboarded to the system, reach out to us at **[thesis-management-support.aet@xcit.tum.de](thesis-management-support.aet@xcit.tum.de)**.