Beacon Platform Docs

Privacy Model

2 min read

This page describes the technical privacy model in the current product. For policy language, see privacy-policy.

What Is Public Today

The public worker currently serves:

  • weekly summaries
  • weekly history
  • daily summaries
  • trends
  • concept graphs
  • public community and source lists
  • embeds

The important current-state detail is that daily summaries are public right now because the checked-in public worker config sets PUBLIC_DAILY_DIGESTS=true.

What Stays Private

  • raw exports in R2
  • message hashes used for deduplication
  • admin-only export, replay, quota, clear, and media endpoints
  • raw object-key management and destructive admin actions

Privacy Controls In Code

Before AI

  • phone numbers are redacted
  • email addresses are redacted
  • URLs are redacted
  • sender identities are hashed for counting and deduplication

During generation

  • prompts tell the model not to include names, direct quotes, or precise timestamps
  • weekly summaries are built from daily digests rather than directly from public raw text

After generation

  • outputs are validated against expected schema
  • privacy checks run on model output
  • invalid output is retried once with stricter instructions
  • persistent failures fall back to a neutral safe summary

Retention And Deletion

Raw exports

Raw-export cleanup is now implemented in code.

  • default retention target after successful processing: 72 hours
  • default retention target after failure: 168 hours
  • cleanup only runs when delete-after-processing is enabled and no pending media work remains

The upload UI exposes this behavior through the checkbox labeled Delete raw export after processing retention window.

Derived data

Daily digests, weekly summaries, concept graphs, and health snapshots do not currently show an automatic expiry in the reviewed code. They remain until an operator clears data or deletes a community.

Manual deletion

Operators can currently:

  • clear daily digests, weekly summaries, and optionally message hashes for a date range
  • scope that clear to a single source
  • delete an entire community, including matching R2 objects and D1 records

Current Caveats

  • Some older docs and visible UI copy still mention 30 days for raw data retention. That does not match the current cleanup defaults in code.
  • Daily summaries are public in the current deployment configuration, even though older docs described them as private-by-default.
  • This page does not answer legal questions such as controller identity, lawful basis, or DSAR workflow ownership. Those still need human confirmation.

Verified against beacon-platform/apps/pulse-public/wrangler.jsonc, apps/pulse-ingest/src/index.ts, and the current public/admin UI on April 22, 2026.

Graph View

Backlinks