Privacy Notices Overview
Privacy Notices help privacy, legal, and data-governance teams keep the catalog aligned with GDPR-style processing disclosures. In Qarion, a privacy notice is a versioned policy record that owns one or more processing purposes. Data products point to those purposes from their compliance metadata, which lets the RoPA dashboard show which products are covered, which products are missing a lawful basis, and which mappings need follow-up.
Use Privacy Notices when you need to:
- Maintain a controlled list of active, draft, and archived privacy notices.
- Define the processing purposes that products are allowed to use.
- Link catalog products to a lawful basis, retention period, data-subject categories, and processing purpose.
- Review space-level or organization-level Records of Processing Activities (RoPA).
- Export RoPA evidence for legal review, audits, or remediation planning.
Where Privacy Work Happens
| Surface | Route | Use it for |
|---|---|---|
| Privacy Notices | /privacy-notices | Create, search, edit, archive, or delete privacy notices in the current space. Organization scope shows an aggregated, read-only list across spaces. |
| Privacy Notice Detail | /privacy-notices/{noticeId} | Review notice metadata, open the hosted policy URL, and maintain the processing purposes attached to the notice. |
| RoPA Dashboard | /ropa-dashboard | Review product coverage, compliance gaps, purpose mappings, lawful basis, retention, owners, recipients, and exportable RoPA evidence. |
| Product edit compliance section | Product detail edit flow | Attach products to a lawful basis, processing purpose, retention period, and data-subject categories. |
Notice Lifecycle
Privacy notice lifecycle is represented by the notice status and validity dates.
| Status | Meaning | Recommended admin behavior |
|---|---|---|
DRAFT | A notice version is being prepared and is not yet the governing policy. | Use while legal, DPO, or product owners are reviewing wording and purpose coverage. Keep products mapped to the current active version until the draft is approved. |
ACTIVE | The notice version currently governs the linked processing purposes. | Set valid_from, keep content_url pointed at the published policy text, and confirm products are mapped to purposes under the active notice. |
ARCHIVED | The notice version has been superseded but remains available for audit history. | Set valid_to, keep the URL available where possible, and confirm new or edited products no longer point at retired purposes. |
Qarion does not add a separate privacy-notice approval workflow in the current UI. Treat the status change from DRAFT to ACTIVE as the publish control, and keep your team convention explicit: who reviews the policy text, who changes the status, and when the older version is archived.
Create And Publish A Notice
- Open
/privacy-noticesin the space that owns the processing activities. - Create a notice with a name, version, status, hosted
content_url, and optional validity dates. - Keep new notices in
DRAFTwhile policy text, purpose coverage, and product mappings are being reviewed. - Open the notice detail page and add processing purposes. Each purpose needs a name; descriptions and the
is_essentialflag help reviewers distinguish strictly necessary processing from optional or consent-driven processing. - When review is complete, set the approved version to
ACTIVE, setvalid_from, and archive the superseded version withvalid_towhen applicable. - Review
/ropa-dashboardfor unmapped products, missing lawful basis values, and compliance gaps.
Link Products To Notices
Products are linked to privacy notices through processing purposes. Edit the product and update the compliance fields:
| Product field | Why it matters |
|---|---|
| Lawful basis | Explains the legal basis for processing, such as Consent, Contract, Legal Obligation, Public Task, Vital Interests, or Legitimate Interests. |
| Processing purpose | Selects a purpose from a privacy notice. This is the field that maps the product into RoPA coverage. |
| Retention period | Records how long the product data is retained. |
| Data-subject categories | Lists the people represented in the data, such as Customers, Employees, or Applicants. |
RoPA rows also enrich the product with catalog context such as environment, sensitivity, owner, data categories, and active recipients. If a product has PII or PHI sensitivity but no lawful basis, Qarion marks the row as a compliance gap.
Review RoPA Coverage
Use the RoPA dashboard to monitor privacy documentation quality across a space or, when available, across the selected organization.
The dashboard includes:
- Summary counts for total products, mapped products, unmapped products, missing lawful basis, and compliance gaps.
- Search across product names, lawful basis values, and processing purposes.
- Filters for lawful basis, environment, sensitivity, and mapping status.
- Product links for drilling back into the catalog record.
- Owner links for follow-up with accountable users.
- CSV export for audit packets and offline review.
Use mapping_status=unmapped or the unmapped filter first during cleanup. Then review rows with missing lawful basis or compliance-gap indicators before publishing a notice version as active.
Organization Scope
Privacy Notices and RoPA support both space and organization review:
- Space scope is the operational view. Create, edit, delete, and purpose-management actions happen in the current space.
- Organization scope aggregates notices and RoPA rows across spaces. Use it to find inconsistent purpose naming, missing mappings, and space-level remediation owners. Edit the source notice or product in the owning space.
Administrator Responsibilities
Privacy administrators should own these operating controls:
- Keep notice versions, validity windows, and hosted policy URLs current.
- Maintain a clear processing-purpose catalogue under each active notice.
- Coordinate legal or DPO review before changing a notice from
DRAFTtoACTIVE. - Archive superseded versions instead of overwriting policy history.
- Review RoPA coverage after new products, schema sensitivity changes, data contracts, or purpose changes.
- Follow up on products with missing lawful basis, missing processing purpose, or PII/PHI compliance gaps.
- Export RoPA evidence before audits and confirm exported data reflects the intended scope.
Troubleshooting
| Symptom | Check |
|---|---|
| A product is missing from a notice's coverage | Edit the product and confirm it has a processing purpose selected from the expected notice. |
| A RoPA row is marked unmapped | The product does not have a processing purpose. Add or correct the product compliance metadata. |
| A compliance gap appears | The product likely has PII or PHI sensitivity and no lawful basis. Set the lawful basis or review the sensitivity classification. |
| Organization scope shows a notice you cannot edit | Organization scope is an aggregated view. Switch to the source space shown on the row and edit the notice there. |
| The policy link is unavailable | Update the notice content_url to a reachable HTTPS URL for the published policy text. |
Related Features
- Consent Management - consent master designation and purpose compatibility checks.
- Privacy Notices & RoPA compliance guide - compliance-oriented framing for privacy notices and RoPA reports.
- Product Details - catalog product metadata that feeds privacy coverage.
- Privacy Notices API - automation reference for notice, purpose, RoPA summary, and RoPA export endpoints.