Context
We already require ToS + Privacy Notice acceptance at signup, but we need to finalize the re-acceptance flow after docs at https://caution.co/privacy.html and/or https://caution.co/terms.html get updated.
Some groundwork should exist - I started a helper for updating the legal documents on caution.co, but it has not been properly tested and may be incomplete. Please treat it as a starting point to evaluate, not a finished component. Keep, fix, or replace it at your discretion.
Desired behavior
- Legal documents on caution.co are the single source of truth. When ToS or Privacy Notice is updated there, the platform should pick up the new version automatically (or via a lightweight publish step), not through a separate manual update in the dashboard codebase.
- Each update carries a version identifier (e.g. date-based, matching the existing
tos_versionconvention). - On next dashboard login after a version change, the user sees a blocking prompt: what changed (at minimum, which document and a link to it), and an explicit accept action before proceeding. Acceptance is recorded with version + timestamp, same schema as signup acceptance.
- Users with an email on file also receive an email notification about the update. Users without an email rely on the dashboard prompt only, which is expected (email is optional in our signup flow).
Scope of documents
Re-acceptance applies to Terms of Service and Privacy Notice only. Refund policy changes surface through the ToS. Future documents like a DPA are negotiated per-customer and out of scope for click-through. That said, if it is not going to blow up the scope - would be great to build the mechanism as a configurable list of documents requiring acceptance rather than hardcoding two, so adding one later is trivial.
UX
We already have the modal designed, so you should be able to test it and see what the user should experience after ToS has been updated and they log in after that.
Definition of done
- Updating ToS or Privacy Notice on caution.co results in existing users being prompted on next login and re-acceptance being recorded
- Email notification goes out to users with an email on file
- Flow tested end to end, including the existing helper (validated or replaced)
- Signup acceptance flow unaffected
Note: we have a separate ticket for implementing a full ToS/Privacy acceptance flow via CLI (#175) which is not a priority for now, and is not part of this ticket.