Customer portal privacy and security settings
Summary
The customer portal privacy and security page lets customers control what the AI voice assistant can share about their account when someone calls. It combines privacy tier selection, voice PIN management, password management, and suspicious access alert preferences on a single page at /portal/privacy. The /portal/security route redirects here.
Garage owners should understand these settings because customers may ask questions about them, and the chosen tier affects how the AI voice assistant responds to inbound calls. The staff-side companion guide is Customer privacy tiers and voice PINs (staff guide), which covers how each tier changes what the AI says, the Owner PIN master override, and how to set a customer’s voice PIN from their record.
Prerequisites
- The customer must be signed in to the portal (validated via validatePortalSession).
- The organisation must have at least one active communication channel (voice number, WhatsApp, or business phone) for the contact section to appear.
- SMS verification must be configured for privacy-downgrade OTP verification.
1. Privacy tier selection
The page displays four privacy tiers in a 2×2 grid. Each tier is a selectable card with an icon, title, and description. The current tier is highlighted with a “Current” badge. Any pending change shows a “Pending” badge.
Tier definitions
| Tier | UI title | Behaviour |
|---|---|---|
| FULL | Open Access | Callers can ask about vehicles, bookings, and account details. |
| PIN | PIN Required | Callers must provide the customer voice PIN before any data is shared. |
| RESTRICTED | Limited Info | Only vehicle status and current bookings are shared. No financial or contact details. |
| BLOCKED | Zero Disclosure | No caller is told the person is a customer. |
Tiers are ordered by exposure level: FULL (most exposed) → PIN → RESTRICTED → BLOCKED (least exposed).
Upgrade flow (raising security, towards BLOCKED)
- Upgrades take effect immediately.
- No OTP verification is required.
- A confirmation dialog asks the customer to confirm the change.
- An audit log entry is created and a confirmation email is sent.
- If there is a pending downgrade, it is automatically cancelled.
Exception: Selecting the PIN tier requires a voice PIN to be set first. If no PIN exists, the dialog shows an error with a link to open the Set Voice PIN dialog.
Downgrade flow (lowering security, towards FULL)
- Downgrades require OTP verification and a cooling-off period.
- The system sends a 6-digit verification code via SMS (preferred) or email (fallback).
- Email is excluded as a channel if the customer email was changed within the last 7 days.
- The destination is masked in the UI (e.g., +44 •••• ••12).
- After OTP verification, a PendingPrivacyChange record is created with an effective date based on the cooling-off period.
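The channel selection and masking described in the downgrade flow, as an added example that is not the portal's own code. The `customer` object shape, the `smsConfigured` flag, and the exact mask shapes (modelled on the page's “+44 •••• ••12”) are assumptions.

```javascript
// Added example (not the portal's own code): choosing the OTP delivery channel
// for a privacy downgrade. `customer` is a constructed object
// { phone, email, emailChangedAt }; names and mask shapes are assumptions.
const EMAIL_GUARD_DAYS = 7;

// Fixed-shape mask following the page's example "+44 •••• ••12": keep a
// two-digit dialling code and the last two digits, hide everything else.
function maskPhone(phone) {
  const digits = phone.replace(/\D/g, "");
  return `+${digits.slice(0, 2)} •••• ••${digits.slice(-2)}`;
}

// Show only the first character of the local part (assumed shape).
function maskEmail(email) {
  const [local, domain] = email.split("@");
  return `${local[0]}•••@${domain}`;
}

// Returns { channel, destination, masked } or { error } with the page's
// user-facing error strings.
function chooseOtpChannel(customer, smsConfigured, now = new Date()) {
  // SMS verification must be configured for any downgrade OTP.
  if (!smsConfigured) return { error: "Verification service not available" };
  if (customer.phone) {
    return { channel: "sms", destination: customer.phone, masked: maskPhone(customer.phone) };
  }
  // Email fallback is excluded if the address changed within the last 7 days,
  // so a freshly swapped address cannot be used to approve a downgrade.
  const guardMs = EMAIL_GUARD_DAYS * 24 * 3600 * 1000;
  const recentlyChanged =
    customer.emailChangedAt != null &&
    now.getTime() - new Date(customer.emailChangedAt).getTime() < guardMs;
  if (customer.email && !recentlyChanged) {
    return { channel: "email", destination: customer.email, masked: maskEmail(customer.email) };
  }
  return { error: "No verification method available" };
}
```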
Cooling-off periods
| Current tier | Cooling-off period |
|---|---|
| BLOCKED | 48 hours |
| All other tiers | 4 hours |
During the cooling-off period:
- The customer remains at the current (higher security) tier.
- A pending change banner shows the requested tier and the effective date.
- The customer can cancel the pending change at any time.
- Only upgrades (raising security) are allowed while a downgrade is pending. The pending downgrade is automatically cancelled if an upgrade is confirmed.
Lateral moves
Although PIN and RESTRICTED sit next to each other in the exposure ordering, a move between them is classified by whether the PIN authentication gate is added or removed. PIN→RESTRICTED is treated as a downgrade (removes the PIN authentication gate). RESTRICTED→PIN is treated as an upgrade (adds the PIN authentication gate).
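The tier-change policy from the sections above (upgrade and downgrade flows, cooling-off periods and lateral moves) as one decision function. This is an added example, not the portal's own code; the `customer` object shape and the function names are assumptions.

```javascript
// Added example (not the portal's own code): the tier-change policy this page
// describes. `customer` is a constructed object { tier, hasVoicePin,
// pendingChange }; field and function names are assumptions.

// Exposure order on the page is FULL > PIN > RESTRICTED > BLOCKED, but the page
// classifies PIN -> RESTRICTED as a downgrade (removes the PIN gate) and
// RESTRICTED -> PIN as an upgrade, so the rank used here puts PIN above RESTRICTED.
const SECURITY_RANK = { FULL: 0, RESTRICTED: 1, PIN: 2, BLOCKED: 3 };

// Cooling-off depends on the tier the customer is currently at.
function coolingOffHours(currentTier) {
  return currentTier === "BLOCKED" ? 48 : 4;
}

function planTierChange(customer, requestedTier, now = new Date()) {
  if (!(customer.tier in SECURITY_RANK) || !(requestedTier in SECURITY_RANK)) {
    return { action: "error", reason: "Unknown tier" };
  }
  if (requestedTier === customer.tier) return { action: "noop" };

  // Selecting PIN Required needs a voice PIN, whichever direction the move is.
  if (requestedTier === "PIN" && !customer.hasVoicePin) {
    return { action: "error", reason: "You need to set a PIN before selecting this tier" };
  }

  if (SECURITY_RANK[requestedTier] > SECURITY_RANK[customer.tier]) {
    // Upgrade: immediate, no OTP; any pending downgrade is cancelled.
    return { action: "apply", tier: requestedTier, cancelledPending: customer.pendingChange != null };
  }

  // Only upgrades are allowed while a downgrade is pending.
  if (customer.pendingChange) {
    return { action: "error", reason: "You already have a pending privacy change" };
  }

  // Downgrade: OTP verification first, then a PendingPrivacyChange record
  // whose effective date is the end of the cooling-off period.
  const hours = coolingOffHours(customer.tier);
  return {
    action: "pending",
    tier: requestedTier,
    requiresOtp: true,
    coolingOffHours: hours,
    effectiveAt: new Date(now.getTime() + hours * 3600 * 1000),
  };
}
```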
2. Voice PIN management
The Voice PIN card displays the current PIN status (“Set” or “Not set”) with a green or grey badge.
PIN requirements
- 4-6 digits only.
- No sequential patterns (e.g., 1234).
- No repeated digits (e.g., 1111).
Actions
- Set Voice PIN: Opens a dialog for customers without a PIN. Can also be triggered from the privacy tier error dialog via a custom open-set-pin-dialog event.
- Change Voice PIN: Opens a dialog for customers with an existing PIN.
- Remove PIN: Opens a confirmation dialog. The customer must enter their current PIN to confirm removal.
PIN removal at PIN tier
If the customer is at the PIN privacy tier and removes their PIN, the system warns that this will trigger a privacy downgrade from PIN-protected to Open Access with a 4-hour cooling-off period.
Security messaging
The card displays a warning: “Your mechanic will never ask for this PIN.”
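The PIN requirements and the PIN removal rules above, as an added example that is not the portal's own code. It assumes “sequential” means every digit is one more (or one less) than the previous one, that “repeated” means every digit is identical, and that the current-PIN check for removal has already been done server-side and is passed in as a boolean.

```javascript
// Added example (not the portal's own code): voice PIN validation and removal
// planning per this page's rules. Interpretations of "sequential" and
// "repeated" below are assumptions about how the rule is read.
function validateVoicePin(pin) {
  if (typeof pin !== "string" || !/^\d{4,6}$/.test(pin)) {
    return { ok: false, reason: "PIN must be 4-6 digits" };
  }
  const digits = [...pin].map(Number);
  // Differences between neighbouring digits: all 0 => repeated (1111),
  // all +1 or all -1 => sequential (1234, 4321).
  const steps = digits.slice(1).map((d, i) => d - digits[i]);
  if (steps.every((s) => s === 0)) {
    return { ok: false, reason: "PIN must not repeat a single digit" };
  }
  if (steps.every((s) => s === 1) || steps.every((s) => s === -1)) {
    return { ok: false, reason: "PIN must not be a sequential pattern" };
  }
  return { ok: true };
}

// Removal requires the customer's current PIN; `currentPinVerified` is assumed
// to be the server-side result of that check, so no PIN is compared here.
// At the PIN tier, removal also starts a downgrade to Open Access (FULL)
// with the 4-hour cooling-off period the page describes.
function planPinRemoval(customer, currentPinVerified) {
  if (!customer.hasVoicePin) return { ok: false, reason: "No PIN is set" };
  if (!currentPinVerified) return { ok: false, reason: "Current PIN did not match" };
  const downgrade = customer.tier === "PIN" ? { to: "FULL", coolingOffHours: 4 } : null;
  return { ok: true, downgrade };
}
```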
3. Password management
The Password card displays the current password status (“Set” or “Not set”) with a green or grey badge.
Password requirements
- At least 8 characters.
- Must contain a number or special character.
Actions
- Set Password: Opens a dialog for customers without a password. Description: “Set a password so you can check on your car from any device.”
- Change Password: Opens a dialog for customers with an existing password. Description: “You can sign in with your email and password from any device.”
Password presence is determined by whether the customer has an auth_id value.
4. Alert preferences (BLOCKED tier only)
The Alert Preferences card only appears when the customer privacy tier is BLOCKED. The card contains a single toggle switch.
Suspicious access alerts
- Enabled: The customer receives a notification if a caller enquires about their account or vehicles. The AI assistant denies access and the customer is notified.
- Disabled: The AI assistant still denies access at the BLOCKED tier, but no notification is sent.
The toggle persists immediately via an optimistic UI update. If the server call fails, the toggle reverts.
What triggers an alert
- Someone calls and asks about the customer account by name or registration.
- Only applies when the privacy level is set to Blocked.
The blocked_access_notify preference can be pre-set at any tier. Enforcement only occurs at the BLOCKED tier in the voice pipeline.
5. Contact channels section
The page shows the available contact channels for the garage if any exist:
- Voice AI numbers: Listed with phone number and optional location name.
- WhatsApp: Shown if a WhatsApp config with online status exists.
- Main line: The organisation business phone number as a fallback.
An informational note clarifies: “Your privacy settings control what our AI voice assistant can share about your account when someone calls. They do not affect WhatsApp, messages, or conversations with our staff.”
Expected Outcome
- Privacy tier changes that raise security take effect immediately. The UI refreshes to show the new tier.
- Privacy tier changes that lower security create a pending change with a cooling-off period. The pending change banner displays the effective date and a cancel option.
- A cooling-off cron job activates pending changes after the cooling-off period expires.
- Voice PIN and password changes take effect immediately.
- Alert preference changes take effect immediately.
- All privacy tier changes, alert preference changes, and PIN operations are recorded in the privacy audit log.
- Confirmation emails are sent for tier changes (fire-and-forget; email failure does not block the operation).
- The page path is revalidated after each server action to reflect the latest state.
Troubleshooting
| Symptom | Cause | Resolution |
|---|---|---|
| “You need to set a PIN before selecting this tier” | The customer selected PIN Required but has no voice PIN. | Set a voice PIN first using the Voice PIN card, then select the PIN tier. |
| “You already have a pending privacy change” | A downgrade is already pending. | Cancel the existing pending change first, or wait for the cooling-off period to expire. |
| “No verification method available” | The customer has no phone number and their email was changed within the last 7 days. | Wait for the 7-day email guard to expire, or add a phone number to the customer record via the garage. |
| “Verification service not available” | SMS verification is not configured for this organisation. | The garage must contact support to configure SMS verification. The customer should contact the garage directly to change their privacy settings. |
| “Invalid verification code” | The OTP code was wrong or expired. | Re-enter the code or click resend to receive a new one. |
| “Failed to load settings” | The customer record was not found. | The customer may have been deleted. Redirect to login. |
| “This change has already been applied” | The cron job activated the pending change between page load and the cancellation attempt. | Refresh the page. The new tier is already active. |
| “This change has already been cancelled” | The pending change was already cancelled (e.g., by an upgrade). | Refresh the page. Submit a new downgrade request if needed. |
| Toggle reverts after clicking | The server action to update the alert preference failed. | Check network connectivity. Retry. If persistent, check server logs for database errors. |
| PIN removal warning about privacy downgrade | The customer is at the PIN tier. | Expected behaviour. Removing the PIN at the PIN tier triggers a downgrade to Open Access with a 4-hour cooling-off period. |
| Security page redirects to privacy page | /portal/security redirects to /portal/privacy. | Expected behaviour. The security page is a redirect to the combined privacy and security page. |