Guarantees
- No raw messages in public tables or responses.
- PII (phone numbers, emails, URLs) is redacted before text reaches the AI.
- Prompts and output validation prohibit names, quotes, phone numbers, and timestamps.
- Weekly summaries are generated only from daily digests.
Sources: beacon-platform/docs/privacy.md, beacon-platform/docs/architecture.md
Non-goals and limitations
- Perfect anonymization is not guaranteed.
- Admin endpoints must be protected in production (Access or token).
- Confidence reflects data availability, not factual correctness.
- Retention is not enforced in code.
Sources: beacon-platform/docs/privacy.md, beacon-platform/AUDIT_REPORT.md
Data handling
- R2: raw WhatsApp exports (private).
- D1: exports metadata, message_hashes, daily_digests, weekly_summaries_public, ai_quota_usage.
- Deletion: /clear and community delete endpoints remove summaries and optionally hashes.
- Retention: requires R2 lifecycle rules or manual cleanup.
Sources: beacon-platform/docs/privacy.md, beacon-platform/docs/architecture.md, beacon-platform/infra/CLEANUP_GUIDE.md
AI safety controls
- Daily and weekly models run behind strict JSON schema validation.
- Privacy regex checks remove or reject unsafe outputs.
- One retry with stricter prompts, then fall back to neutral summaries.
Sources: beacon-platform/docs/privacy.md, beacon-platform/docs/architecture.md
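Added example, not taken from beacon-platform: one way the validate, retry-once, fall-back sequence above can be wired together in JavaScript. The schema fields (summary, topics), the regex patterns, the mode names and the fallback text are all assumptions; name detection is not attempted here.

```javascript
// Added example: field names, patterns and fallback text are assumptions, not Beacon's code.
const UNSAFE_PATTERNS = {
  email: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i,
  url: /\b(?:https?:\/\/|www\.)\S+/i,
  phone: /\+?\d[\d\s().-]{7,}\d/,
  timestamp: /\b\d{1,2}:\d{2}(?::\d{2})?\b/,
  quote: /["\u201C\u201D]/, // quotation marks suggest a verbatim quote
};
const NEUTRAL_FALLBACK = { summary: "Activity was recorded for this period.", topics: [] };

// Returns a list of problems; an empty list means the output may be stored.
function validateOutput(rawText) {
  let obj;
  try {
    obj = JSON.parse(rawText);
  } catch {
    return ["not valid JSON"];
  }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return ["not an object"];
  const problems = [];
  // Strict schema: exact key set and exact types, nothing extra allowed.
  const keys = Object.keys(obj).sort().join(",");
  if (keys !== "summary,topics") problems.push(`unexpected keys: ${keys}`);
  if (typeof obj.summary !== "string") problems.push("summary must be a string");
  if (!Array.isArray(obj.topics) || !obj.topics.every((t) => typeof t === "string")) {
    problems.push("topics must be an array of strings");
  }
  if (problems.length) return problems;
  // Privacy checks run over every string the model produced.
  for (const text of [obj.summary, ...obj.topics]) {
    for (const [name, re] of Object.entries(UNSAFE_PATTERNS)) {
      if (re.test(text)) problems.push(`privacy: ${name}`);
    }
  }
  return problems;
}

// callModel(mode) is injected and synchronous here; it is called at most twice.
function summarizeWithGuard(callModel) {
  for (const mode of ["normal", "strict"]) {
    const raw = callModel(mode);
    if (validateOutput(raw).length === 0) return { source: mode, result: JSON.parse(raw) };
  }
  return { source: "fallback", result: { ...NEUTRAL_FALLBACK } };
}

// Constructed sample: a model that leaks a phone number and a time on every attempt.
const leaky = () => '{"summary":"Call +1 415 555 0100 at 18:30.","topics":[]}';
console.log(summarizeWithGuard(leaky).source);
```

This variant rejects unsafe output outright; a pipeline that removes matches instead would still need to re-validate the cleaned text.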
Public interface boundaries
- /pulse.json, /pulse/history.json, /pulse/trends.json, /pulse, /pulse/embed are public.
- /pulse/daily.json is internal-only unless PUBLIC_DAILY_DIGESTS is enabled.
Sources: beacon-platform/docs/privacy.md, beacon-platform/AUDIT_REPORT.md