4leggedIT
Portal Planning Docs

Permissions & Privacy

Last updated: Feb 8, 2026

Summary

  • Sensitive data (especially stray locations) is staff-only by default.
  • External portals are relationship-based and see only Public fields/events.
  • Volunteers execute work via tasks/routes/check-ins without full sensitive context.

Privacy classifications

  • Public — visible to external portal users linked to the animal (adopters, fosters), and internally.
  • Internal — visible to internal staff/volunteers only.
  • Sensitive — restricted to staff roles; hides exact stray locations, trap plans, and certain case notes.

Roles (initial)

Internal

  • Admin
  • Coordinator / Case Manager
  • Foster Coordinator
  • Medical
  • Volunteer / Feeder
  • Read-only Auditor

External

  • Foster (external portal)
  • Adopter (external portal)

Sensitive Case rules (strays + special cases)

When an animal is in Monitoring (no custody):

  • Default SensitiveCase = true
  • Exact GPS, route context, trap plans, and internal notes are Sensitive
  • External users never see exact GPS; they may see a “general area” (rounded location) if needed
  • All stray-era location events remain Sensitive even after custody starts (staff-only by default).

When custody starts:

  • SensitiveCase can remain true (case-by-case) or be downgraded by staff when safe.

Lost dog recovery privacy

Lost dog recovery requests often involve owned dogs and sensitive owner details.

  • Requester contact details (owner phone/email/address) should be Sensitive by default.
  • Case notes about unsafe situations (encampments, threats, conflict) should be Sensitive.
  • Volunteers may participate via assigned tasks, but should only see the minimum information needed to execute safely.

External portal access

Access is relationship-based:

  • A Foster sees animals where there is an active AnimalContact relationship with role foster (or similar).
  • An Adopter sees animals where there is an adopter relationship and the adoption is finalized.

External portal capabilities:

  • View redacted animal record (Public fields/events only).
  • View selected documents if marked shareable (vaccination record, care instructions, etc.).
  • Foster-only: add notes and uploads that create Events (default Internal visibility unless staff shares).

Volunteer / Feeder access

Volunteers/Feeders can:

  • See tasks assigned to them.
  • Run assigned routes and record check-ins.
  • Create sightings with GPS + photos (Sensitive by default for monitoring strays).
  • Reference Location alias names even when exact GPS is redacted, so coordination remains usable.

They should not:

  • See exact location history unless explicitly granted.
  • See internal case notes and approval decisions unless needed.

Redaction policy (examples)

Always Sensitive

  • Exact GPS for stray animals (including monitoring-era sightings/check-ins)
  • Trap locations/plans and operational notes
  • Cruelty/hoarding/unsafe-person notes

Public (shareable) examples

  • Basic animal profile + public photos
  • Vaccines completed (high-level) and care instructions
  • Post-adoption medical summary (optional)
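The rules above (sensitive stray cases, relationship-based portal access, volunteer redaction and the always-Sensitive GPS policy) as one policy check, written as an added illustration rather than code from the 4leggedIT portal. Role names follow this page; the event fields, the `gps_grants` set and the two-decimal "general area" rounding are assumptions.

```python
from dataclasses import dataclass, field

PUBLIC, INTERNAL, SENSITIVE = "Public", "Internal", "Sensitive"
STAFF = {"Admin", "Coordinator", "Foster Coordinator", "Medical", "Read-only Auditor"}
VOLUNTEER, EXTERNAL = "Volunteer / Feeder", {"Foster", "Adopter"}

@dataclass
class Event:
    kind: str                # "sighting", "vaccine", "trap_plan", ...
    classification: str      # Public / Internal / Sensitive as recorded
    gps: tuple = None        # exact (lat, lon) for location events (assumed field)
    alias: str = None        # Location alias such as "Stop A"
    stray_era: bool = False  # recorded while the animal was in Monitoring (no custody)
    def effective(self) -> str:
        # Stray-era location events stay Sensitive even after custody starts.
        return SENSITIVE if (self.gps and self.stray_era) else self.classification

@dataclass
class Viewer:
    role: str
    relationships: dict = field(default_factory=dict)  # animal_id -> set of AnimalContact roles
    finalized_adoptions: set = field(default_factory=set)
    gps_grants: set = field(default_factory=set)       # animals this volunteer may see exactly (assumed)

def has_relationship(v: Viewer, animal_id: str) -> bool:
    rels = v.relationships.get(animal_id, set())
    if v.role == "Foster":
        return "foster" in rels
    return v.role == "Adopter" and "adopter" in rels and animal_id in v.finalized_adoptions

def location_for(v: Viewer, animal_id: str, ev: Event):
    if ev.gps is None:
        return None
    if v.role in STAFF or animal_id in v.gps_grants:
        return ev.gps
    if v.role in EXTERNAL:   # "general area": round to roughly 1 km, never the exact fix
        return (round(ev.gps[0], 2), round(ev.gps[1], 2))
    return ev.alias          # volunteers coordinate by alias when GPS is redacted

def redacted_view(v: Viewer, animal_id: str, events: list) -> list:
    allowed = ({PUBLIC, INTERNAL, SENSITIVE} if v.role in STAFF else {PUBLIC, INTERNAL}
               if v.role == VOLUNTEER else {PUBLIC}
               if v.role in EXTERNAL and has_relationship(v, animal_id) else None)
    if allowed is None:
        return []  # no active relationship: nothing about the animal is disclosed
    out = []
    for ev in events:
        cls = ev.effective()
        # A volunteer may still see a Sensitive *location* event by alias, never by GPS.
        if cls in allowed or (v.role == VOLUNTEER and ev.gps is not None):
            out.append((ev.kind, cls, location_for(v, animal_id, ev)))
    return out
```

Returned tuples are (kind, effective classification, location), where location is exact GPS for staff or granted volunteers, a rounded pair for portal users, and an alias or None otherwise.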

Location alias policy

  • Alias names are a shared “human map” for volunteers (e.g., “Stop A”, “Location A”).
  • Alias names are Internal by default (not public-facing), and can be Sensitive if they reveal trap sites or unsafe situations.

Audit trail expectations

  • Log: who viewed/changed sensitive data, who advanced workflow stages, who approved/denied, and who exported records.
  • Store decision reason codes for transparency and future learning.