Consent & your audience data
How NextWave records who agreed to what — on your own site, in your own database — and how export and erasure work.
When someone at your event agrees to be tracked — to play bingo, get push notifications, or receive your emails — NextWave writes that agreement to a consent ledger: a permanent, append-only record in your own WordPress database. Every grant and every revocation becomes a new row; nothing is ever edited or deleted. Whether someone currently has consent is always answered by their latest row, and the full history stays intact underneath it.
Your audience, your database — we never see it
nwp_* tables, exactly like your members. There is no central NextWave service collecting it, no phone-home, and no third party in the loop. You own your crowd — anonymous visitors included.Anonymous first
Nobody has to hand over a name or email to join in. A visitor who consents gets an anonymous engagement identity that tracks their play across your events; if they later become a member, that history carries over. A visitor who declines still plays — just untracked. And anyone who revokes stops accruing new data immediately.
What people can consent to
Consent is granted per purpose, never as one blanket yes:
| Scope | Plain meaning |
|---|---|
| Engagement | Tracking event participation — check-ins, games, votes. |
| Push | Push notifications on their device. |
| Email marketing | Your marketing emails. |
| SMS marketing | Your marketing texts. |
| CRM sync | Syncing their details into your CRM. |
Someone can say yes to engagement tracking and no to marketing — revoking one scope leaves the others untouched.
Policy versioning
Every ledger row records not just that someone agreed, but which exact words they agreed to. Each scope has consent copy you can edit under Settings → Consent Policy in WP Admin:
- Saving changed copy automatically bumps that scope's version (saving unchanged copy bumps nothing).
- New consents record the new version. Old grants keep the version they agreed to — you can always prove which text was on screen for any given yes.
Global Privacy Control
Browsers that assert the Global Privacy Control signal are honored automatically: NextWave refuses to record a CRM-sync grant for them and logs the opt-out on the ledger as a first-class event. No configuration needed.
Export & erasure
Both GDPR rights work two ways — self-service and operator-driven:
- Self-service — a visitor's own device (holding its entity token) can fetch its complete data bundle or erase itself via the Entity & Consent API — no support ticket, no admin involvement.
- WordPress native — NextWave registers with WordPress's built-in privacy tools. Under Tools → Export Personal Data and Tools → Erase Personal Data, enter the person's email and the “NextWave engagement identities” exporter/eraser handles every identity linked to their membership, alongside whatever else WordPress exports.
What survives an erasure — and why
Erasure is destructive but auditable. It removes:
- Push notification subscriptions — deleted outright.
- Personal detail inside activity records — payloads are anonymized; only event types and timestamps remain.
- The identity itself — reduced to a revoked, PII-free stub.
Two things are deliberately retained:
- Consent ledger rows — your proof of lawful processing. If a regulator or the person themselves asks “did you ever have permission?”, the ledger answers with dates, scopes, and the exact policy version agreed to. Deleting it would erase your defense along with the data.
- The member profile (name and email, where one exists) — that is your own business record in your CRM, out of scope for engagement-identity erasure. WordPress's eraser reports both retentions honestly in its results.
Building on top of this?