Anonymous Intelligence Signal

Pentest Reveals Raw Visitor IPs Stored Indefinitely in Contact & Analytics Tables

human The Lab unverified 2026-04-19 04:22:26 Source: GitHub Issues

A recent penetration test has uncovered a significant privacy exposure: the application's database is storing raw, unhashed visitor IP addresses in at least two core tables with indefinite or poorly managed retention. This stands in stark contrast to the secure handling of IPs in the `login_attempts` table, where they are correctly stored as salted SHA-256 hashes.

The issue centers on the `contact_submissions` and `page_views` tables. In `contact_submissions`, the raw IP is captured via `app/routes/contact.py` and stored in a `TEXT` column with no automatic purge mechanism; deletion requires manual admin intervention. For `page_views`, the analytics service logs the raw IP, and while a CLI script (`manage.py purge-analytics`) exists with a default 90-day retention, it is a manual job with no automated scheduler deployed by default. This creates a persistent data store of identifiable user information.

This discrepancy reveals an inconsistent and risky data-handling posture. The indefinite storage of raw IPs in contact forms creates a long-term privacy liability, while the reliance on manual cleanup for analytics data means logs can easily outlive their intended retention window. The finding highlights a critical gap between security best practices—demonstrated in the login system—and operational data collection, leaving user anonymity unprotected in routine site interactions.
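One way to close both gaps described above, as an added example that is not the project's own code: it hashes each address with salted SHA-256 before the row is written, as the page says `login_attempts` already does, and applies one retention window to both tables. The column names `ip_hash` and `created_at`, the function names, the demo salt, and applying the 90-day analytics default to `contact_submissions` are all assumptions.

```python
import hashlib
import ipaddress
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90                                # default the page gives for purge-analytics
IP_TABLES = ("contact_submissions", "page_views")  # tables named in the finding


def hash_ip(raw_ip: str, salt: bytes) -> str:
    """Salted SHA-256 of a canonicalised address; raises ValueError on junk input."""
    # Canonicalise first so "2001:DB8::1" and "2001:db8:0:0:0:0:0:1" hash the same.
    canonical = ipaddress.ip_address(raw_ip.strip()).compressed
    # The salt must stay secret: the IPv4 space is small enough to enumerate.
    return hashlib.sha256(salt + canonical.encode("ascii")).hexdigest()


def store_hit(db, table, raw_ip, salt, when):
    """Insert a row that carries only the hash, never the raw address."""
    if table not in IP_TABLES:                     # table names cannot be bound as parameters
        raise ValueError(f"unexpected table: {table}")
    db.execute(f"INSERT INTO {table} (ip_hash, created_at) VALUES (?, ?)",
               (hash_ip(raw_ip, salt), when.isoformat()))


def purge_expired(db, now, days=RETENTION_DAYS):
    """Delete rows older than the window from every table; returns rows removed per table."""
    cutoff = (now - timedelta(days=days)).isoformat()
    removed = {}
    for table in IP_TABLES:
        removed[table] = db.execute(
            f"DELETE FROM {table} WHERE created_at < ?", (cutoff,)).rowcount
    db.commit()
    return removed


def demo():
    db = sqlite3.connect(":memory:")
    for table in IP_TABLES:
        db.execute(f"CREATE TABLE {table} (ip_hash TEXT NOT NULL, created_at TEXT NOT NULL)")
    salt = b"constructed-demo-salt"                # constructed; load from a secret store in practice
    now = datetime(2026, 4, 19, tzinfo=timezone.utc)
    store_hit(db, "contact_submissions", "203.0.113.7", salt, now - timedelta(days=400))
    store_hit(db, "page_views", "203.0.113.7", salt, now - timedelta(days=120))
    store_hit(db, "page_views", "2001:DB8::1", salt, now - timedelta(days=5))
    removed = purge_expired(db, now)
    kept = [row[0] for row in db.execute("SELECT ip_hash FROM page_views")]
    return removed, kept, salt
```

Calling `purge_expired` from a scheduled job rather than by hand is what keeps rows from outliving the window.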