
Privacy & data minimization

Where PII lives, commerce UUID identity, and GDPR-oriented design rules.

Prood separates authentication (Better Auth) from commerce (tenant-scoped Postgres). Buyer email and credentials are never duplicated across layers; commerce references buyers by internal UUID only.

Data zones

| Zone | Stored data | Access |
|------|-------------|--------|
| Better Auth (user, session, ...) | Email, password hash, name | Auth layer only |
| customers | Internal id (UUID), optional auth_user_id FK, optional profile fields | Tenant RLS; no duplicated email |
| Order snapshots (orders.shipping_address, billing_address) | Name, address, phone for fulfillment | Merchant fulfillment; retention policy applies |
| Payment providers | Processor-required charge data | Third-party; documented in privacy policy |

Commerce identifier rule

customers.id           = internal UUID (commerce-owned)
customers.auth_user_id = FK → Better Auth user.id (nullable for guests)
orders.customer_id     = customers.id (never auth user.id, never email)
carts.customer_id      = customers.id

APIs, checkout Redis sessions, payment metadata, webhooks, and Agent Auth tools use customerId and orderId only. Resolve to PII at display boundaries (merchant customer detail, buyer account page, transactional email send).

What must not propagate

  • Better Auth user.id on orders, carts, Redis checkout sessions, webhooks, logs, or public API responses
  • Buyer email in checkout session Redis payloads, payment metadata, or agent tool schemas when customerId suffices
  • Cross-merchant profile tables — removed in greenfield schema
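The "must not propagate" rules are easiest to enforce at the point where a checkout session, webhook or payment-metadata payload is built. The guard below is an added example, not Prood's code: it walks a JSON-like payload and rejects forbidden auth-layer keys and email-shaped strings before the payload is written anywhere. Only customerId and orderId come from the page; the other key names and the LEAKY_PAYLOAD sample are constructed assumptions.

```typescript
// Added example (not Prood's code): reject payloads that would carry Better Auth
// user ids or buyer email into Redis sessions, webhooks, logs or agent tool input.
// FORBIDDEN_KEYS beyond customerId/orderId are assumptions about field naming.
const FORBIDDEN_KEYS = new Set(["email", "authUserId", "auth_user_id", "userId", "password"]);
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

interface Violation { path: string; reason: string }

/** Recursively walk a JSON-like value and collect every PII / auth-id leak with its path. */
function findPiiLeaks(value: unknown, path = "$"): Violation[] {
  const out: Violation[] = [];
  if (typeof value === "string") {
    if (EMAIL_RE.test(value)) out.push({ path, reason: "email-shaped string" });
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => out.push(...findPiiLeaks(v, `${path}[${i}]`)));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      const p = `${path}.${k}`;
      if (FORBIDDEN_KEYS.has(k)) out.push({ path: p, reason: `forbidden key "${k}"` });
      out.push(...findPiiLeaks(v, p));
    }
  }
  return out;
}

/** Throw with every leak listed, so the offending path shows up in the failing call site. */
function assertNoPii(payload: unknown): void {
  const leaks = findPiiLeaks(payload);
  if (leaks.length > 0) {
    throw new Error("PII leak: " + leaks.map((l) => `${l.path} (${l.reason})`).join(", "));
  }
}

/** Build a checkout-session payload that carries commerce identifiers only. */
function buildCheckoutSession(customerId: string, cartId: string) {
  const payload = { customerId, cartId, createdAt: new Date().toISOString() };
  assertNoPii(payload); // cheap invariant check before the Redis write
  return payload;
}

// Constructed sample of a payload that violates the rules in two places.
const LEAKY_PAYLOAD = {
  customerId: "c1",
  email: "buyer@example.com",
  meta: { authUserId: "u1" },
};
```

Running the guard in the builder rather than in a test alone means a later refactor that adds an email field to the session object fails fast in development instead of silently landing in Redis.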

Guest checkout

  1. Create a customers row with internal UUID only (auth_user_id null).
  2. Fulfillment PII lives in the order address snapshot, not on customers.email.
  3. On register/login, link the guest row: set auth_user_id once; keep using customers.id everywhere.

Logged-in buyers

ensureCustomerForAuthUser() maps Better Auth session → customers.id inside the tenant. Orders and carts always reference that UUID.

Merchant visibility

The dashboard lists customers with email joined from Better Auth at read time (admin-customers query). Email is not stored on the commerce customers row.

Erasure (GDPR)

  • Deleting or anonymizing the Better Auth user sets customers.auth_user_id to null; the commerce row and its UUID remain.
  • Order address snapshots may be retained where legal basis requires (tax/fulfillment); anonymize where possible.
  • Document retention windows in your merchant privacy policy; Prood acts as processor for merchant storefront data.
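The guest checkout steps, the logged-in mapping via ensureCustomerForAuthUser(), and the erasure rules above all act on the same customers.id / auth_user_id pair. The following added example (not Prood's code) plays that lifecycle through over an in-memory stand-in for one tenant's customers and orders tables. The names customers.id, auth_user_id, customer_id and ensureCustomerForAuthUser come from the page; TenantStore, the other method names, the address fields and the erasure choice of anonymizing name and phone while retaining the address line for tax records are assumptions.

```typescript
import { randomUUID } from "node:crypto";

// Added example (not Prood's code): customer identity lifecycle over an in-memory
// stand-in for a tenant's customers/orders tables. Method names are assumptions.
interface Customer { id: string; authUserId: string | null; displayName?: string }
interface Address { name: string; line1: string; phone: string }
interface Order { id: string; customerId: string; shippingAddress: Address | null }

class TenantStore {
  customers = new Map<string, Customer>();
  orders = new Map<string, Order>();

  /** Guest checkout step 1: commerce-owned UUID only; no auth link, no email column. */
  createGuestCustomer(): Customer {
    const c: Customer = { id: randomUUID(), authUserId: null };
    this.customers.set(c.id, c);
    return c;
  }

  /** Step 2: fulfillment PII is snapshotted on the order, never on the customer row. */
  placeOrder(customerId: string, shipping: Address): Order {
    if (!this.customers.has(customerId)) throw new Error("unknown customerId");
    const o: Order = { id: randomUUID(), customerId, shippingAddress: shipping };
    this.orders.set(o.id, o);
    return o;
  }

  /** Step 3: on register/login, link the guest row once; customers.id stays the key. */
  linkGuestToAuthUser(customerId: string, authUserId: string): Customer {
    const c = this.customers.get(customerId);
    if (!c) throw new Error("unknown customerId");
    if (c.authUserId !== null && c.authUserId !== authUserId) {
      throw new Error("customer already linked to a different auth user");
    }
    c.authUserId = authUserId;
    return c;
  }

  /** Logged-in path: map a Better Auth user.id to customers.id, creating on first visit. */
  ensureCustomerForAuthUser(authUserId: string): string {
    for (const c of this.customers.values()) {
      if (c.authUserId === authUserId) return c.id;
    }
    const c: Customer = { id: randomUUID(), authUserId };
    this.customers.set(c.id, c);
    return c.id;
  }

  /**
   * Erasure: unlink the auth user and anonymize order snapshots. Orders are kept
   * (tax/fulfillment basis); name and phone are blanked, the address line is retained.
   * Returns the number of customer rows touched.
   */
  eraseAuthUser(authUserId: string): number {
    let touched = 0;
    for (const c of this.customers.values()) {
      if (c.authUserId !== authUserId) continue;
      c.authUserId = null;
      delete c.displayName;
      for (const o of this.orders.values()) {
        if (o.customerId === c.id && o.shippingAddress) {
          o.shippingAddress = { ...o.shippingAddress, name: "[erased]", phone: "[erased]" };
        }
      }
      touched++;
    }
    return touched;
  }
}
```

Note that every order keeps its customer_id after erasure: the internal UUID is not itself PII, so merchant reporting and fulfillment history survive while the link to the auth user and the directly identifying snapshot fields are gone.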
