Email and consent
Transactional vs marketing email, consent, suppression, and preferences.
Transactional emails
Account verification, password reset, security alerts, and unsubscribe confirmations are transactional. They are sent regardless of marketing preferences.
Optional marketing emails
Marketing emails are off by default. Users opt in explicitly during signup or from /app/settings → Notifications.
Email preferences
Stored in email_preferences per user. Granular toggles for marketing, product updates, educational, and launch resources. An unsubscribed_all flag overrides the rest.
Unsubscribe
Every marketing email includes an unsubscribe link with a hashed token from unsubscribe_tokens. /unsubscribe and /email-preferences work without sign-in via the token.
Suppression
email_suppressions is the do-not-send list. Email send code checks it before any marketing send. The table has no client RLS access — only server functions read/write it.
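A sketch of the token-based unsubscribe and the marketing send gate described above, added here as an example and not the project's own code. The in-memory dicts stand in for the tables; the function names, the use of SHA-256 for the token hash, and the toggle key names are assumptions.

```python
import hashlib
import secrets

# In-memory stand-ins for the tables named on the page (constructed sample state).
unsubscribe_tokens = {}     # hash of token -> user_id; the raw token is never stored
email_preferences = {}      # user_id -> {"marketing": bool, ..., "unsubscribed_all": bool}
email_suppressions = set()  # lowercased addresses on the do-not-send list

# Assumed type names for the transactional emails the page lists.
TRANSACTIONAL = {"account_verification", "password_reset",
                 "security_alert", "unsubscribe_confirmation"}


def token_hash(token: str) -> str:
    # SHA-256 is an assumption; the page only says the token is hashed.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_unsubscribe_token(user_id: str) -> str:
    """Return the raw token for the email link; persist only its hash."""
    token = secrets.token_urlsafe(32)
    unsubscribe_tokens[token_hash(token)] = user_id
    return token


def redeem_unsubscribe_token(token: str) -> bool:
    """Handle /unsubscribe without sign-in: look up by hash, set unsubscribed_all."""
    user_id = unsubscribe_tokens.get(token_hash(token))
    if user_id is None:
        return False  # unknown or altered token: change nothing
    email_preferences.setdefault(user_id, {})["unsubscribed_all"] = True
    return True


def may_send(user_id: str, address: str, kind: str) -> bool:
    """Send gate: transactional always goes; marketing needs opt-in and no suppression."""
    if kind in TRANSACTIONAL:
        return True  # sent regardless of marketing preferences
    if address.strip().lower() in email_suppressions:
        return False  # suppression is checked before any marketing send
    prefs = email_preferences.get(user_id, {})
    if prefs.get("unsubscribed_all", False):
        return False  # overrides every granular toggle
    return prefs.get(kind, False)  # off by default: a missing toggle means no consent
```

Because only the hash is stored, a read of the token table does not yield working unsubscribe links, and an unrecognised email type fails closed as un-consented marketing.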
Consent records
consent_records is append-only. It captures consent_type, value, source, and user agent. Users can read their own records; nobody can update or delete them.