# Drop — Key Decisions

> Last Verified: 2026-02-17 | Owner: John

## Strategic Decisions

### Pass-Through PSD2 Model (2026-02-08)
**Decision:** Drop will NOT hold customer funds. All money remains in users' bank accounts.
**Rationale:** Avoids e-money licence requirement, reduces regulatory burden, faster to market.
**Implementation:** AISP (read balances) + PISP (initiate payments) via Open Banking.

### Rebrand from Zica to Drop (2026-02-08)
**Decision:** Rename product from "Zica" to "Drop" for cultural sensitivity.
**Rationale:** "Zica" has negative connotations in some cultures.
**Status:** Complete — domain getdrop.no secured.

### Target Market Expansion (2026-02-08)
**Decision:** Drop is for ALL residents of Scandinavia, not just the diaspora.
**Rationale:** Larger addressable market, avoid pigeonholing product.
**Messaging:** General-purpose payment app with low fees.

### Banking Partnership Strategy (2026-02-09)
**Decision:** Pursue agent model under SpareBank 1 licence (70/30 revenue split).
**Status:** Updated pitch sent 2026-02-16, awaiting response.
**Fallback:** Direct PSD2 integration with multiple banks.

## Technical Decisions

### Tech Stack
- **Frontend:** Next.js 16 + React 19 + Tailwind v4 (modern, fast, scalable)
- **Backend:** Next.js API Routes (monolith simplicity for MVP)
- **Database:** SQLite (zero-ops, sufficient for MVP scale)
- **Auth:** JWT in httpOnly cookies (secure, stateless)
- **Hosting:** Vercel (zero-config, global CDN)

### Feature Flagging
**Decision:** Cards feature behind feature flags.
**Rationale:** Requires banking partner, not critical for MVP.
**Implementation:** Environment variable toggle.

## Compliance Decisions

### Age Restriction: 18+
**Decision:** Enforce minimum age 18 via BankID validation.
**Rationale:** PSD2 compliance, reduces KYC complexity.
**Future:** Investigate 15-17 with parental consent (task #830).

### Data Retention
**Decision:** Implement 7-year transaction retention for AML compliance.
**Status:** Implemented in data-retention.ts service.

### GDPR Rights
**Decision:** Full GDPR compliance with rectification, restriction, objection APIs.
**Status:** Implemented user/rectification, user/restriction, user/objection endpoints.

## Design Decisions

### UI Source of Truth
**Decision:** Figma Make export is single source of truth for UI.
**Location:** mockups/figma-make-export/ (10 screens, Vite+React)
**Rule:** Always check Make export before implementing UI changes.

### Bilingual Support (NO/EN)
**Decision:** Norwegian primary, English secondary.
**Implementation:** i18n with language toggle.