Profile Management

Once a user is in the platform, their profile is the home base — personal details, business info, payout bank, communication preferences, security. Each tab is independently editable and audit-logged.

Profile sections

Personal

Name, email, phone, avatar, date of birth, preferred language, time zone.

Business

Legal entity name, GSTIN, business type, registered address, hotel registration number.

Owner only

Payout bank

Bank name, account number, IFSC, account holder name, payout schedule, payout currency.

Owner only

Security

Password, 2FA (TOTP), trusted devices, active sessions, sign-out everywhere.

Notifications

Per-channel toggles (email, SMS, WhatsApp). Daily digest vs real-time. Marketing opt-in.

Preferences

Default currency display, date format, dashboard layout, calendar week start, dark mode.

UI — profile screen

Mockup of app.abc.com/settings/profile (screenshot not reproduced): the "Personal information" panel, captioned "This is how you appear across ABc. Changes are logged.", with an avatar placeholder showing the initials RM and the upload rule: JPG, PNG · max 2 MB · square crop.

Sensitive changes need re-auth

Some changes require that the user has re-entered their password (or a 2FA code) in the current session within the last 5 minutes; a request that arrives without that recent re-auth is rejected and the client prompts for it. What each action needs:

Action                       Requires
Change email                 Re-auth + OTP to new email
Change phone                 Re-auth + OTP to new phone
Change password              Old password
Enable / disable 2FA         Re-auth
Add or change payout bank    Re-auth + penny-drop validation
Delete account               Re-auth + email + 7-day grace period
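One way to enforce the table above as a server-side step-up gate. This is an added example, not the platform's own code: it assumes an in-memory Session record that stores the time of the last password/2FA re-entry; the action names, the proof names and the 400 status for non-re-auth failures are this example's choices (the 401 for missing re-auth follows the API contract further down).

```python
# Step-up gate for sensitive profile actions. Added illustration, not the
# platform's code. Session, action and proof names are assumptions.
from dataclasses import dataclass
from typing import Optional

REAUTH_WINDOW_SECONDS = 5 * 60  # "within the last 5 minutes"

# "reauth" = password or TOTP re-entered on this session; the other proofs are
# verified by the specific step (OTP to the new contact, old password, ...).
REQUIREMENTS = {
    "change_email":       {"reauth", "otp_new_contact"},
    "change_phone":       {"reauth", "otp_new_contact"},
    "change_password":    {"old_password"},
    "toggle_2fa":         {"reauth"},
    "change_payout_bank": {"reauth", "penny_drop"},
    "delete_account":     {"reauth", "email_confirm"},
}


@dataclass
class Session:
    session_id: str
    user_id: str
    last_reauth_at: Optional[float] = None  # epoch seconds; None = never on this session


def record_reauth(session: Session, now: float) -> None:
    """Call only after the password or a valid TOTP code has been checked."""
    session.last_reauth_at = now


def reauth_is_fresh(session: Session, now: float) -> bool:
    """Freshness is bound to the session, so a re-auth on one device never
    unlocks a sensitive action on another."""
    if session.last_reauth_at is None:
        return False
    age = now - session.last_reauth_at
    return 0 <= age <= REAUTH_WINDOW_SECONDS


def check_sensitive_action(action: str, session: Session, now: float,
                           proofs: set) -> tuple:
    """Return (http_status, missing_requirements).

    `proofs` is what the server has already verified for this request, e.g.
    {"otp_new_contact"} once the code mailed to the new address checked out.
    The "reauth" proof is never accepted from `proofs`: it is derived from the
    session timestamp, so a client cannot simply claim it.
    """
    if action not in REQUIREMENTS:
        raise ValueError(f"unknown sensitive action: {action!r}")
    have = set(proofs) - {"reauth"}
    if reauth_is_fresh(session, now):
        have.add("reauth")
    missing = sorted(REQUIREMENTS[action] - have)
    if not missing:
        return 200, []
    # Spec: 401 when recent re-auth is absent. 400 for any other missing proof
    # is this example's choice.
    return (401 if "reauth" in missing else 400), missing
```

The window is evaluated against the session's own timestamp on every call rather than cached in a "step-up granted" flag, so a re-auth that happened 4 minutes ago still expires mid-flow instead of unlocking a later request.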

Two-factor auth (2FA)

TOTP (recommended)

Google Authenticator, Authy, 1Password. Owner scans QR, enters 6-digit code to confirm. Stored as encrypted secret + 8 single-use recovery codes. The secret has to stay recoverable because the server needs it to compute codes, so it is encrypted at rest; the recovery codes only ever need to be compared, so they are shown once at enrolment and can be stored hashed.
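The enrolment and verification steps above, worked through in code. This is an added example, not the platform's code: it implements TOTP per RFC 6238 over HOTP (RFC 4226) with HMAC-SHA1 and 30-second steps, which is what the listed authenticator apps assume; the ±1-step drift window, the replay check via the last accepted step, the recovery-code format and the unsalted SHA-256 storage of recovery codes are this example's choices. Encrypting the secret at rest is outside the snippet.

```python
# TOTP enrolment/verification plus hashed single-use recovery codes.
# Added example, not the platform's code; parameters noted in the lead-in are assumptions.
import base64
import hashlib
import hmac
import secrets
import struct
from typing import List, Optional, Tuple
from urllib.parse import quote

STEP = 30        # seconds per code, the default authenticator apps assume
DIGITS = 6
DRIFT_STEPS = 1  # accept the previous/next step to tolerate clock skew


def new_secret() -> str:
    """160-bit random secret, base32-encoded as the otpauth:// QR expects."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def provisioning_uri(secret_b32: str, account: str, issuer: str = "ABc") -> str:
    """The string the QR code encodes; the app reads secret/period/digits from it."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def _key(secret_b32: str) -> bytes:
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 dynamic truncation of HMAC-SHA1(key, counter)."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int) -> str:
    """Code valid at unix time `at`."""
    return hotp(_key(secret_b32), at // STEP)


def verify_totp(secret_b32: str, code: str, at: int,
                last_used_step: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Check `code` against steps at-1..at+1, constant-time per candidate.

    `last_used_step` is the step of the last code this user had accepted; any
    candidate at or before it is skipped so a captured code cannot be replayed
    inside the drift window. Returns (ok, step) so the caller can persist step.
    """
    key = _key(secret_b32)
    step = at // STEP
    for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        candidate = step + delta
        if last_used_step is not None and candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(key, candidate), code):
            return True, candidate
    return False, None


def generate_recovery_codes(n: int = 8) -> List[str]:
    """Single-use codes shown exactly once at enrolment (64 bits of entropy each)."""
    return [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}" for _ in range(n)]


def recovery_hash(code: str) -> str:
    # High-entropy input, so an unsalted hash suffices; only hashes are stored.
    return hashlib.sha256(code.replace("-", "").lower().encode()).hexdigest()


def consume_recovery_code(stored_hashes: set, code: str) -> bool:
    """Accept a recovery code once: its hash is removed on success."""
    h = recovery_hash(code)
    if h in stored_hashes:
        stored_hashes.remove(h)
        return True
    return False
```

Enrolment is `new_secret()` plus `provisioning_uri()` for the QR, then one `verify_totp()` call on the code the owner types before the secret is marked active; on every later login the returned step is stored as `last_used_step`. The block reproduces the RFC 6238 SHA-1 test vectors (secret "12345678901234567890", time 59 gives 287082).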

SMS fallback

Code sent to verified phone. Less secure (SIM-swap risk) but supported for low-risk accounts. Disabled by default for finance roles.

2FA enforcement policy

Optional for public users. Optional but encouraged for owners. Mandatory for any role with "manage payouts" or "issue refunds" permissions.

Active sessions & devices

Profile shows a list of every active session: device, browser, city geolocated from the IP, last active. Each row has a "sign out" button. A "Sign out everywhere" button kills all sessions including the current one (forces re-login), which is the right response to a suspected credential theft because it also invalidates any session the attacker already holds.

Mockup of app.abc.com/settings/security, active sessions list (screenshot not reproduced):

Device                          Location     Last active
Chrome on macOS (this device)   Manali, IN   Just now      Current
Safari on iPhone                Manali, IN   2 hours ago
Chrome on Windows (new)         Delhi, IN    3 days ago
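A session store that produces the list above and implements both kinds of sign-out. This is an added example, not the platform's code. In-memory dicts stand in for the session table; the per-user revocation watermark, the 7-day "new device" threshold and the device/city strings are assumptions.

```python
# Active-session store with per-session and "sign out everywhere" revocation.
# Added example, not the platform's code; watermark and 7-day threshold are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List

NEW_DEVICE_DAYS = 7
DAY = 86400


@dataclass
class SessionRecord:
    session_id: str
    user_id: str
    device: str        # e.g. "Chrome on macOS"
    ip_city: str       # e.g. "Manali, IN"
    created_at: float
    last_active_at: float
    revoked: bool = False


@dataclass
class SessionStore:
    sessions: Dict[str, SessionRecord] = field(default_factory=dict)
    # user_id -> watermark: every session created at or before it is dead, even
    # one this store never saw (a token still in flight) or one re-inserted
    # from a stale replica. Flags on individual rows alone cannot give that.
    revoked_before: Dict[str, float] = field(default_factory=dict)
    # user_id -> device -> first time that device was seen (drives the "new" badge)
    first_seen: Dict[str, Dict[str, float]] = field(default_factory=dict)

    def open(self, session_id: str, user_id: str, device: str,
             ip_city: str, now: float) -> SessionRecord:
        rec = SessionRecord(session_id, user_id, device, ip_city, now, now)
        self.sessions[session_id] = rec
        self.first_seen.setdefault(user_id, {}).setdefault(device, now)
        return rec

    def touch(self, session_id: str, now: float) -> None:
        """Update last-active on each authenticated request."""
        self.sessions[session_id].last_active_at = now

    def is_valid(self, session_id: str) -> bool:
        rec = self.sessions.get(session_id)
        if rec is None or rec.revoked:
            return False
        return rec.created_at > self.revoked_before.get(rec.user_id, float("-inf"))

    def sign_out(self, session_id: str) -> None:
        rec = self.sessions.get(session_id)
        if rec is not None:
            rec.revoked = True

    def sign_out_everywhere(self, user_id: str, now: float) -> int:
        """Kill every session for the user, the current one included, and move
        the watermark so nothing created up to `now` can come back. Logins after
        this must carry a later created_at. Returns how many rows were live."""
        self.revoked_before[user_id] = max(now, self.revoked_before.get(user_id, float("-inf")))
        killed = 0
        for rec in self.sessions.values():
            if rec.user_id == user_id and not rec.revoked:
                rec.revoked = True
                killed += 1
        return killed

    def list_active(self, user_id: str, current_session_id: str, now: float) -> List[dict]:
        """Rows for the security screen: current session first, then most recent."""
        rows = []
        for rec in self.sessions.values():
            if rec.user_id != user_id or not self.is_valid(rec.session_id):
                continue
            rows.append({
                "session_id": rec.session_id,
                "device": rec.device,
                "location": rec.ip_city,
                "last_active": rec.last_active_at,
                "current": rec.session_id == current_session_id,
                "new": now - self.first_seen[user_id][rec.device] < NEW_DEVICE_DAYS * DAY,
            })
        rows.sort(key=lambda r: (not r["current"], -r["last_active"]))
        return rows
```

The watermark is what makes "sign out everywhere" trustworthy: a row-level `revoked` flag only reaches sessions the store knows about, while `created_at > revoked_before` also rejects a session whose record arrives late or is restored from a backup.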

Danger zone

  • Deactivate account — soft delete. User cannot sign in but data is retained. Re-activate within 90 days. Bookings continue.
  • Delete account permanently — only allowed when there are no active bookings & no unsettled payouts. Triggers 7-day grace period with daily reminder emails. Then we anonymise PII and keep only what's required for tax / audit (booking records, payment records).
  • Export my data — GDPR/DPDP-style request. We generate a ZIP of all personal data + bookings + payments and email a signed S3 link (a pre-signed URL, so it expires; anyone holding it before expiry can download, which is why it goes only to the verified address). Available once every 30 days.
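The deactivate and delete paths above as one state machine, with the preconditions checked on the server and the anonymisation step that keeps booking and payment records joinable by user id. This is an added example, not the platform's code; the in-memory Account record, the PII field list, the reminder cadence (one per elapsed day of the grace period) and the "deleted-user-<id>" display name are assumptions.

```python
# Deactivate / delete lifecycle for the danger zone. Added example, not the
# platform's code; Account fields and the PII list are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DAY = 86400
REACTIVATE_WINDOW = 90 * DAY
DELETE_GRACE = 7 * DAY
PII_FIELDS = ("name", "email", "phone", "avatar", "date_of_birth")
# Bookings and payments are kept for tax/audit; they reference the user by id
# only, and the anonymised row keeps that id so the join still works.


@dataclass
class Account:
    user_id: str
    profile: Dict[str, Optional[str]]
    active_bookings: int = 0
    unsettled_payouts: int = 0
    state: str = "active"   # active | deactivated | pending_deletion | deleted
    state_changed_at: float = 0.0
    reminders_sent: int = 0


def deactivate(acct: Account, now: float) -> bool:
    """Soft delete: sign-in blocked, data retained, bookings keep running."""
    if acct.state != "active":
        return False
    acct.state, acct.state_changed_at = "deactivated", now
    return True


def reactivate(acct: Account, now: float) -> bool:
    """Allowed within 90 days of deactivation."""
    if acct.state != "deactivated" or now - acct.state_changed_at > REACTIVATE_WINDOW:
        return False
    acct.state, acct.state_changed_at = "active", now
    return True


def request_deletion(acct: Account, now: float) -> Tuple[bool, str]:
    """Preconditions are re-read server-side, never trusted from the client."""
    if acct.state not in ("active", "deactivated"):
        return False, f"cannot delete from state {acct.state}"
    if acct.active_bookings:
        return False, "active bookings must finish or be cancelled first"
    if acct.unsettled_payouts:
        return False, "unsettled payouts must be paid out first"
    acct.state, acct.state_changed_at, acct.reminders_sent = "pending_deletion", now, 0
    return True, "grace period started"


def cancel_deletion(acct: Account, now: float) -> bool:
    """The user may back out at any point inside the grace period."""
    if acct.state != "pending_deletion":
        return False
    acct.state, acct.state_changed_at = "active", now
    return True


def reminder_due(acct: Account, now: float) -> bool:
    """One reminder on the request day and one per further elapsed day; the
    caller increments reminders_sent after sending."""
    if acct.state != "pending_deletion":
        return False
    days_elapsed = int((now - acct.state_changed_at) // DAY)
    return acct.reminders_sent <= days_elapsed and acct.reminders_sent < DELETE_GRACE // DAY


def finalise_if_due(acct: Account, now: float) -> bool:
    """After the grace period: strip PII in place, keep the id for retained records."""
    if acct.state != "pending_deletion" or now - acct.state_changed_at < DELETE_GRACE:
        return False
    for f in PII_FIELDS:
        if f in acct.profile:
            acct.profile[f] = None
    acct.profile["display_name"] = f"deleted-user-{acct.user_id}"
    acct.state, acct.state_changed_at = "deleted", now
    return True
```

`finalise_if_due` is meant to be idempotent under a scheduler: it does nothing until the full 7 days have passed and nothing once the state is already "deleted", so a job that runs hourly cannot finalise early or twice.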

API contract

PATCH /api/me
// Request — partial update
{
  "name": "Rohan K. Mehta",
  "time_zone": "Asia/Kolkata",
  "language": "en"
}

// Response — 200 OK
{
  "user": { ... },
  "updated_fields": ["name", "time_zone", "language"],
  "audit_id": "aud_01HW…"
}

// Sensitive — needs recent re-auth (within 5 min)
// PATCH /api/me/email   → 401 if no recent re-auth
// PATCH /api/me/payout-bank → 401 if no recent re-auth
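Handler logic for the generic `PATCH /api/me` above, showing the part the contract leaves implicit: the endpoint accepts only the self-service fields, and a body that smuggles in email, phone, password or payout bank is refused outright rather than silently ignored, so the re-auth requirements of the dedicated endpoints cannot be bypassed through mass assignment. This is an added example, not the platform's code. It assumes dict-based user and audit records; the field allowlist is taken from the Personal and Preferences tabs, while the validators, the 422 status for bad values, the null `audit_id` on a no-op update and the `aud_` + random hex id format are this example's choices.

```python
# Handler for PATCH /api/me with an explicit write allowlist and audit entry.
# Added example, not the platform's code; validators and id format are assumptions.
import re
import secrets
from typing import Dict, List, Tuple

# Only these may be written through the generic endpoint.
SELF_SERVICE_FIELDS = {"name", "time_zone", "language", "date_format",
                       "dashboard_layout", "dark_mode"}
# These have their own re-auth'd endpoints (PATCH /api/me/email, ...) or are
# never user-writable. Naming them gives a clearer error than "unknown field"
# and makes the mass-assignment refusal deliberate rather than accidental.
RESTRICTED_FIELDS = {"email", "phone", "password", "payout_bank", "role",
                     "permissions", "user_id", "id"}

_TZ_RE = re.compile(r"^[A-Za-z]+(?:/[A-Za-z0-9_+\-]+)+$")   # syntactic check only
_LANG_RE = re.compile(r"^[a-z]{2,3}(?:-[A-Z]{2})?$")         # en, hi, en-IN


def validate(field: str, value) -> str:
    """Return "" when the value is acceptable, otherwise a message."""
    if field == "name":
        if not isinstance(value, str) or not 1 <= len(value.strip()) <= 100:
            return "name must be 1..100 characters"
        if any(ord(c) < 32 or ord(c) == 127 for c in value):
            return "name must not contain control characters"
    elif field == "time_zone":
        if not isinstance(value, str) or not _TZ_RE.match(value):
            return "time_zone must look like Area/City"
    elif field == "language":
        if not isinstance(value, str) or not _LANG_RE.match(value):
            return "language must be a tag such as en or hi-IN"
    elif field == "dark_mode":
        if not isinstance(value, bool):
            return "dark_mode must be true or false"
    elif field in ("date_format", "dashboard_layout"):
        if not isinstance(value, str) or not value:
            return f"{field} must be a non-empty string"
    return ""


def patch_me(user: Dict, body, audit_log: List[Dict]) -> Tuple[int, Dict]:
    """Apply a partial update and reply in the shape of the contract above."""
    if not isinstance(body, dict) or not body:
        return 400, {"error": "body must be a non-empty JSON object"}
    restricted = sorted(set(body) & RESTRICTED_FIELDS)
    if restricted:
        return 400, {"error": "field requires its own endpoint", "fields": restricted}
    unknown = sorted(set(body) - SELF_SERVICE_FIELDS)
    if unknown:
        return 400, {"error": "unknown fields", "fields": unknown}
    errors = {f: msg for f, v in body.items() if (msg := validate(f, v))}
    if errors:
        return 422, {"error": "validation failed", "fields": errors}
    # Only fields whose value actually changes are applied and audited.
    updated = [f for f, v in body.items() if user.get(f) != v]
    if not updated:
        return 200, {"user": dict(user), "updated_fields": [], "audit_id": None}
    entry = {
        "audit_id": "aud_" + secrets.token_hex(8),
        "user_id": user["id"],
        "changes": {f: {"from": user.get(f), "to": body[f]} for f in updated},
    }
    for f in updated:
        user[f] = body[f]
    audit_log.append(entry)
    return 200, {"user": dict(user), "updated_fields": updated, "audit_id": entry["audit_id"]}
```

Checks run in the order a client would want to learn about them: restricted fields first (so the caller is pointed at the right endpoint), then unknown names, then per-field validation; nothing is written until every field has passed, so a request is applied whole or not at all.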