runbookify

Consent & Preference Log: Prove Who Said Yes, and When

Record what each person consented to, the exact wording they saw, when, how, and from where — track withdrawals the instant they happen, and pull a proof-of-consent record whenever someone asks 'why am I getting this?'

Level: Beginner · Time: An afternoon · Builds on: Next.js, Supabase, Resend
What you'll build

A web tool where you log consent per person and purpose with the exact wording and source, withdrawals take effect immediately and are never overwritten, a privacy owner approves any bulk import or consent-text change before it becomes the active basis, and you can show the current consent state and full history for anyone on demand and export the whole ledger as CSV.


Before you start

  • A Supabase account (free)
  • A Vercel account (free)
  • A Resend account (free)
  • Your current consent / preference records (CSV or Google Sheet)
  • The exact consent wording you show people, with version dates
  • Claude Code or any AI coding agent

The problem this kills

Someone replies "why am I getting this email?" and the scramble begins. You dig through a marketing tool, an old signup form, a spreadsheet a teammate kept, and a thread of "I think they opted in at the trade show." You can't find the exact wording they agreed to, you're not sure of the date, and you genuinely don't know whether they later opted out. Under CASL and GDPR, "we're pretty sure they said yes" is not a defense — you need the proof: the purpose, the precise consent text, the timestamp, the source, and whether it's still active.

Worse, withdrawals slip through the cracks. A person opts out, it gets noted in one system but not another, and they keep getting messages — which is exactly the thing that turns a complaint into a fine. You don't need a six-figure consent platform to fix this, and you don't need to be a developer.

What you'll build

A simple internal web tool that is the single, trustworthy record of consent. For each person and each purpose (marketing email, SMS, data sharing, whatever you track), it stores what they consented to, the exact wording they saw, the version of that wording, when, how (web form, paper, phone, import), and the source. When someone withdraws, the tool logs it immediately and the prior consent is never silently overwritten — you keep the full history. You can pull up any person and instantly see their current consent state per purpose plus every change that ever happened. Bulk imports and any change to your consent wording go through a privacy owner's approval before they become the active basis, the tool sends a Resend confirmation, and you can export the entire consent ledger as a CSV for an auditor, a regulator, or a data-subject request.

What's inside the Implementation Plan

The downloadable plan is a step-by-step file you paste into an AI coding agent. It opens by interviewing you about your business — which purposes you collect consent for, where your records live today, the exact fields and naming you use, the precise consent wording and how you version it, your typical and peak volumes, who's allowed to approve a wording change, and the messy edge cases like double opt-in, withdrawals that arrive by email, or one person under two addresses — and then it tailors the data model, the validations, and every later step to your answers. This is not a generic template; the agent reflects a short spec back to you and waits for your thumbs-up before it builds anything. From there it walks the agent through capturing consent with exact wording, logging withdrawals irreversibly, the current-state-per-purpose view, the import/wording-change approval gate, the Resend confirmation, and the full ledger export — each step with a ready-to-copy prompt. There's also a fallback so you can build the whole thing today even with no integration to your marketing tool.

The governance it includes (this is the point)

This is privacy tooling, so it ships with the controls a compliance team actually needs: login so only your team can use it, row-level security so you only ever see your own organization's records, a complete audit trail of who imported, changed, approved, and withdrew — and when — a hard human-approval gate so no bulk import or consent-text change becomes the active legal basis until a privacy owner signs off, and duplicate guards keyed on person + purpose so the same consent can't be recorded twice. Withdrawals are append-only and irreversible: the moment one is logged it takes effect, and the previous state is preserved as history rather than erased.
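As an added example (not the plan's or runbookify's own code), here is how the append-only ledger, the row-level security, the person + purpose duplicate guard and the current-state view described above could be laid out in Supabase's Postgres; the column names and the `org_id` JWT claim are assumptions for this sketch.

```sql
-- Append-only consent event ledger; column names are assumptions for this example
create table consent_events (
  id           bigint generated always as identity primary key,
  org_id       uuid        not null,
  person_id    text        not null,   -- email or your own subject key
  purpose      text        not null,   -- e.g. 'marketing_email', 'sms'
  event_type   text        not null check (event_type in ('granted', 'withdrawn')),
  consent_text text,                   -- exact wording shown (null on withdrawal)
  text_version text,                   -- version label of that wording
  channel      text        not null,   -- 'web_form', 'paper', 'phone', 'import'
  source       text,                   -- form URL, event name, import batch id
  recorded_by  uuid        not null default auth.uid(),
  recorded_at  timestamptz not null default now()
);
-- Row-level security: a user sees only their organisation's rows (org_id JWT claim is assumed)
alter table consent_events enable row level security;
create policy org_isolation on consent_events
  using (org_id = (auth.jwt() ->> 'org_id')::uuid)
  with check (org_id = (auth.jwt() ->> 'org_id')::uuid);

-- Grants and withdrawals are never edited or erased; updates and deletes are refused
create or replace function consent_events_immutable() returns trigger language plpgsql as $$
begin
  raise exception 'consent_events is append-only; insert a new event instead';
end $$;
create trigger consent_events_no_rewrite
  before update or delete on consent_events
  for each row execute function consent_events_immutable();
-- Duplicate guard keyed on person + purpose: refuse a grant that repeats the latest grant
create or replace function consent_events_dedupe() returns trigger language plpgsql as $$
declare last_event consent_events%rowtype;
begin
  select * into last_event from consent_events
   where org_id = new.org_id and person_id = new.person_id and purpose = new.purpose
   order by recorded_at desc, id desc limit 1;
  if new.event_type = 'granted' and last_event.event_type = 'granted'
     and last_event.text_version is not distinct from new.text_version then
    raise exception 'consent already recorded for % / %', new.person_id, new.purpose;
  end if;
  return new;
end $$;
create trigger consent_events_dedupe
  before insert on consent_events for each row execute function consent_events_dedupe();
-- Current state per person and purpose: latest event wins, full history stays in the table
-- (security_invoker keeps the RLS policy in force when the view is queried)
create view consent_current with (security_invoker = true) as
select distinct on (org_id, person_id, purpose)
       org_id, person_id, purpose, event_type as state, text_version, recorded_at
  from consent_events
 order by org_id, person_id, purpose, recorded_at desc, id desc;
```

Supabase's service role and Postgres superusers bypass RLS and a table owner can drop the triggers, so keep the service key out of the web app and run the app under a role that does not own the ledger.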

Who it's for

Privacy officers, marketing-ops leads, and compliance teams who have to demonstrate valid consent and honor opt-outs — and who are tired of stitching the answer together from five systems every time someone asks. If you can describe the purposes you collect consent for and the wording you show people, you can build this.

You've got this — start with the plan, paste the first prompt, answer the interview, and you'll have a defensible consent record taking shape the same afternoon.
