User token not declared in the privacy API and mentioned in the description

Issue #3 resolved
David Mudrák created an issue

This affects the other plugin mod_amanote too.

It is not described well to the end users and administrators, but effectively, your plugins send the current user’s mobile app web service token to your system. I suppose that is then used to act on the user’s behalf to be able to fetch the requested PDF and eventually save the relevant *.ama file back to Moodle.

So your plugins are actually sharing the user’s token properties (the token itself and its validuntil timestamp) with an external system and this is something that is not clearly communicated with the admins via the plugin description and the privacy API implementation. You only mention the user’s name and email - yet the token is effectively the username+password.

I believe that in both plugins

  1. the privacy API must correctly declare the token and the token’s validity timestamp as the user private data shared with the external system
  2. the actual implementation should be better described to the admins at the plugin description page

This design itself is not a problem. It’s effectively a stripped down custom version of what OAuth and similar protocols do. But admins and users must be better informed about what’s going on - as your system is given all the permissions that the user has.
