Privacy & security

Identity data stays on-device. The platform never builds a patron profile.

Laurel Secure receives only pass, fail, or unable to verify. It stores aggregate counts, not a patron entity, persistent profile, or identity record.

01 · The never-store boundary

What the platform does not retain.

The privacy boundary is defined by what crosses from the on-device check and what the platform stores after it arrives.

Identity fields

No personal attributes

Names, birth dates, addresses, portraits, and document identifiers remain within the on-device identity interaction; they are not retained by the platform.

Credential data

No credential payload

The credential exchange remains local. The platform receives one closed outcome, not the identity data used to produce it.

Event data

No patron-level history

Verification storage is aggregate-only, so the platform does not retain a row for an individual patron check.

Profile data

No patron entity

There is no patron entity or persistent patron profile for the platform to build, retrieve, or display.

02 · The device boundary

The age decision crosses. Identity does not.

Verification happens locally. Once the check is complete, the result moves into an aggregate-only data path.

Verification boundary

Explanatory model · no live patron data

03 · The guarantees

Three structural limits carry the privacy claim.

Closed output

Three outcomes only

Pass, fail, and unable to verify are the complete patron-derived vocabulary that crosses the device boundary.

Aggregate storage

Counters, not profiles

The platform stores aggregate outcome counts without a patron entity or persistent patron profile behind them.

Report threshold

k=3 before render

Day-level buckets below three remain suppressed. They do not appear when reports render until the threshold is met.

04 · The breach question

Start with the data that exists.

If platform data were exposed, operational business data and aggregate counts would still require a response. The boundary does not remove the responsibility to protect that information.

What the platform would not contain is a stored patron identity record or persistent patron profile. Identity data stays on-device, and the retained verification data is aggregate-only.

Platform data surface Retention model
Identity fields Not retained by the platform
Patron profile No patron entity or persistent profile
Outcome storage Aggregate counts only
Day-level reports Suppressed below k=3 before render

Bring the boundary to your review.

Ask us where data moves, what crosses, and what the platform retains.