Last updated: April 22, 2026
Draft status: This page has been rewritten to match the current code and UI, but it still needs legal review and final organization contact details.
What Beacon Currently Does
Beacon Pulse lets administrators upload WhatsApp exports and turns those exports into derived community summaries, trends, and concept views. The system is built on Cloudflare Workers, D1, R2, Queues, Workers AI, and Cloudflare media tooling.
Data Categories
| Data category | Why Beacon uses it | Public today? | Current retention behavior |
|---|---|---|---|
| Raw chat exports | Parse uploads and generate derived summaries | No | Usually scheduled for deletion 72 hours after successful processing or 168 hours after failure when delete-after-processing is enabled |
| Message hashes | Deduplication and unique-sender counts | No | No automatic expiry was confirmed in the reviewed code; removed by manual clear or community delete |
| Daily summaries | Daily Pulse views and weekly rollups | Yes, currently | No automatic expiry was confirmed in the reviewed code; removed by manual clear or community delete |
| Weekly summaries, concept graphs, health snapshots | Public Pulse views and historical analysis | Yes | No automatic expiry was confirmed in the reviewed code; removed by manual clear or community delete |
| Community and source metadata | Organize uploads and scopes | Community and source lists are publicly listable | Retention not separately documented in reviewed code |
| Quota and usage records | Monitor AI usage and bypass state | No | Retention not separately documented in reviewed code |
| Request and platform logs | Security, debugging, and operations | No | Cloudflare defaults |
What Is Public Today
The public worker currently exposes:
- weekly summaries and weekly history
- daily summaries
- trend summaries
- concept graphs
- public community and source lists
- embeddable Pulse cards
The current public configuration also makes /pulse/daily.json reachable without admin auth. That is a real current behavior, not a future plan.
What Is Not Intended To Be Public
The product is designed not to publicly expose:
- raw message bodies
- names and phone numbers
- direct message quotes
- precise message timestamps
- raw exports in storage
Privacy Protections In The Current Code
- phone numbers, email addresses, and URLs are redacted before AI processing
- sender identities are hashed for counting and deduplication
- prompts instruct the model not to emit names, quotes, or precise timestamps
- outputs go through schema and privacy validation
- invalid model output is retried once and then replaced with a neutral fallback if needed
Admin Access And Deletion
Current admin behavior includes:
- code-level admin auth checks on both workers
- manual clear-by-date-range tools
- optional source-scoped clear
- optional hash clearing
- whole-community deletion from D1 and matching R2 objects
Replay and raw-file-based repair only work while the raw export still exists in R2.
Subprocessors Mentioned In The Current Product
| Processor | Current role |
|---|---|
| Cloudflare | Hosting, Workers, D1, R2, Queues, Workers AI, Access, media tooling, logs |
| Google Fonts | UI font delivery on public/admin pages |
Rights, Controller, And Contact
These details still need human confirmation before this page should be treated as a final public policy:
- legal entity and controller name
- privacy contact email
- lawful basis
- DSAR workflow and response process
- any jurisdiction-specific disclosures
For the technical privacy model, see privacy.
Legal review required before treating this page as final policy text.