1. Purpose
This policy defines what data the Signal Network stores, where it lives, how long it persists, and what protections apply.
It exists to ensure users understand what is kept, what is discarded, and what cannot be deleted.
2. Core Principle
Proofs are permanent. Metadata is minimal. Content stays with the user.
The Signal Network does not centralize proof content. It centralizes proof-of-existence.
3. Data Classification
All data in the Signal Network falls into one of three classes:
3.1 User Content (Stored Locally)
| Data Type | Location | Retention |
|---|---|---|
| Proof body/content | User's site | Permanent until user deletes |
| Proof titles | User's site | Permanent until user deletes |
| Vault contents | User's site | Permanent until user deletes |
| Categories | User's site | User-controlled |
| Media/attachments | User's site | User-controlled |
User content never leaves the user's container unless explicitly shared.
3.2 Network Metadata (Stored Centrally)
| Data Type | What Is Stored | What Is NOT Stored |
|---|---|---|
| Node identity | Hashed node_id | Real name, email (unless opted in) |
| Proof existence | Hashed proof_id + timestamp | Proof content, titles |
| Categories | Hashed category_id | Human-readable category names |
| Visibility state | Flag (private/shared/public) | Access logs |
| Trust metrics | Activity count, time active | Behavioral content |
Central records are hashes and flags, not content.
3.3 Cryptographic Attestations (Permanent, Non-Readable)
| Data Type | Purpose | Deletable? |
|---|---|---|
| Proof-of-existence hash | Proves a proof existed at a time | No |
| Timestamp anchor | Immutable time record | No |
| Ownership attestation | Links proof to node (hashed) | No |
Attestations persist for integrity. They contain no readable content.
4. What the Network Does NOT Store
The Signal Network explicitly does not centrally store:
- Full proof content
- Human-readable proof bodies
- Private vault contents
- Plaintext titles
- Plaintext category names
- Email content
- Browsing behavior
- IP addresses (beyond session necessity)
- Behavioral analytics
If it's readable, it stays with the user.
5. Retention Rules
5.1 User Content
| Action | Result |
|---|---|
| User creates proof | Stored on user's site indefinitely |
| User deletes proof | Removed from user's site |
| User deletes account | All user content deleted from their container |
User controls their content lifecycle.
5.2 Network Metadata
| Action | Result |
|---|---|
| User creates proof | Hashed metadata added to central registry |
| User deletes proof | Metadata flagged as inactive; hash persists |
| User deletes account | Metadata flagged as inactive; attestations persist |
Hashes are not deleted. They prove history without revealing content.
5.3 Cryptographic Attestations
| Action | Result |
|---|---|
| Proof published | Attestation created (permanent) |
| Proof deleted | Attestation remains (proves it existed) |
| Account deleted | Attestations remain (non-readable) |
Attestations are append-only. This is by design.
6. Fragmentation & Breach Resistance
Central metadata is cryptographically fragmented:
- No single database contains complete records
- Fragments are distributed across shards
- Breach of one shard yields incomplete, non-reconstructable data
- Full reconstruction requires authorization context
Design goal: stolen data is useless data.
7. Access to Stored Data
7.1 User Access
Users may:
- View all their own content (via their site)
- Export their proofs and vault contents
- Request a copy of their hashed metadata
- Delete their content (attestations persist)
7.2 Network Access
Signal Network operators may access:
- Hashed metadata (for trust thresholds, abuse prevention)
- Aggregate statistics (non-identifying)
Signal Network operators may NOT access:
- Proof content (without user authorization)
- Private vault contents
- Plaintext titles or categories
7.3 Third-Party Access
Third parties may NOT access:
- Any user data (content or metadata)
- Registry contents
- API data (without user authorization)
Exception: Lawful process, governed by Lawful Process Handling protocol.
8. Data Portability
Users may export:
- Full proof content (from their site)
- Vault contents
- Category structures
- Attestation receipts (hashed)
Export format: JSON, Markdown, or native WordPress export.
Users own their data. They can leave with it.
9. Data Deletion
9.1 What Can Be Deleted
- Proof content (user-controlled)
- Vault contents (user-controlled)
- Account and site (user-requested)
- Visibility settings (immediate)
9.2 What Cannot Be Deleted
- Proof-of-existence attestations
- Timestamps
- Hashed ownership records
These persist for network integrity. They contain no readable content.
9.3 Deletion Process
- User requests deletion via dashboard or support
- Content removed from user's site within 30 days
- Metadata flagged as inactive
- Attestations remain (non-readable)
10. Relationship to Other Policies
This policy operates in conjunction with:
- Privacy & Consent Policy v1 - governs consent and default states
- Visibility & Discovery Policy v1 - governs who sees what
- Lawful Process Handling - governs legal requests
- Revocation Protocol - governs removal of access
11. Policy Supremacy
This policy supersedes:
- UI descriptions of data handling
- Marketing language about storage
- Informal assumptions about retention
If a conflict exists, this policy controls.
Canonical Summary
- Proofs are permanent, user-controlled
- Metadata is minimal, hashed, non-readable
- Attestations persist for integrity
- Content stays with the user
- Stolen data is useless data
- Users can export everything they own
- Deletion removes content, not existence