feat: legal consent – ToS/Privacy/Cookie, consent gate, GDPR delete/e…

[bandanadivya]

PR: Legal documents, consent gate, and GDPR compliance

Summary

Adds Terms of Service, Privacy Policy, and Cookie Policy, gates app usage on consent, and implements GDPR-style data export and deletion.

Issue

• Problem: No ToS or Privacy Policy; legal exposure for data collection and financial operations.
• Required: Terms of Service (disclaimers, liability, smart contract risks), Privacy Policy (GDPR/CCPA compliant), Cookie Policy, /legal pages, consent checkboxes at signup, consent stored in DB, and data export/deletion.

Changes

Legal documents & pages

• Terms of Service – Disclaimers, liability, smart contract/protocol risks, no financial/tax advice, limitation of liability, changes to terms.
• Privacy Policy – Data collected, purpose/legal basis, GDPR/CCPA rights (access, export, deletion, etc.), retention, security, sharing.
• Cookie Policy – Necessary cookies/local storage, user control.
• /legal-style views – Legal component for terms | privacy | cookies; reachable from landing footer and from consent modal.

Consent flow

• Consent check on connect – When a user connects a wallet (or reconnects), app calls GET /api/consent/status?userId=<address>. If consent is not recorded, user is shown a consent gate (full-page) and cannot reach the dashboard until they accept.
• Consent modal – Three checkboxes (Terms, Privacy, Cookies) with links to open the full legal doc. “Accept and continue” is enabled only when all three are checked; submits to POST /api/consent and then proceeds to dashboard.
• Landing – Footer links: “Terms of Service”, “Privacy Policy”, “Cookie Policy” open the corresponding legal view. Wallet selection triggers consent check; if not accepted, onNeedsConsent(publicKey) shows the consent gate.

Backend

• Migration 008 – Table legal_consent (user_id, terms_accepted_at, privacy_accepted_at, cookie_accepted_at, ip_address, user_agent, timestamps).
• DB service – recordConsent, getConsent, hasFullConsent, deleteUserData (removes consent + portfolios + rebalance history for user).
• API – GET /api/consent/status, POST /api/consent, DELETE /api/user/:address/data (JWT-protected when enabled).

GDPR

• Export – Existing export (JSON/CSV/PDF) remains the way to export portfolio data.
• Delete my data – Dashboard control that calls DELETE /api/user/:address/data, then logs out and navigates to landing. Confirmation modal explains that consent records, portfolios, and rebalance history are permanently deleted.

Acceptance criteria

• Legal documents (ToS, Privacy, Cookie Policy) published and reachable from the app.
• Users must accept all three before using the app (consent gate on first connect and on reconnect if no consent).
• Consent acceptance is stored in the database (with optional IP/user-agent).
• GDPR-style features: data export (existing flows) and data deletion (new “Delete my data” flow) implemented.

How to test

1. Legal pages – From landing, click footer links “Terms of Service”, “Privacy Policy”, “Cookie Policy”; confirm each doc loads and “Back” returns to landing.
2. Consent gate – Connect a new wallet (or use one with no consent). Confirm consent modal appears, all three checkboxes required, and links open the legal docs. Accept and confirm redirect to dashboard.
3. Reconnect – Disconnect, reconnect same wallet; if consent was given, go straight to dashboard. Clear consent in DB and reconnect; consent gate should appear again.
4. Export – From dashboard, use Export JSON/CSV/PDF (with a real portfolio) and confirm download.
5. Delete my data – Click “Delete my data” on dashboard, confirm in modal; confirm user is logged out and sent to landing, and that user data is removed from the backend.

closes #95

[vercel]

Someone is attempting to deploy a commit to the ritik4ever's projects Team on Vercel.

A member of the Team first needs to authorize it.