Privacy
Local Herald is a civic-infrastructure utility. We are privacy-first by design. This page describes exactly what we keep, what we never collect, and how we operate in service of that promise.
What we log
Server logs include:
- Request ID (an opaque identifier per HTTP request)
- Route and HTTP method
- Status code and request duration
- Error code if applicable
Server logs exclude:
- Secrets and raw tokens
- Full request bodies containing sensitive or user-submitted data
- Internal stack traces (never exposed to API responses, either)
Local Herald is privacy-first: we avoid behavioral analytics, avoid cross-session tracking, and treat operational monitoring as fundamentally different from surveillance.
What data we keep, and what we don't
| We keep | We don't keep |
|---|---|
| Request IDs (per-request opaque identifiers) | Raw IP addresses (we store only a non-reversible SHA-256+pepper hash) |
| Feedback body text you submit through the modal | Behavioral analytics, click trails, cross-session identifiers |
| Optional submitter email, if you provide one | Third-party JavaScript or trackers (blocked by our Content-Security-Policy) |
| Admin audit log of feedback state changes (resolve / ignore + actor) | Postmark email open / click tracking (we set TrackOpens:false and TrackLinks:'None') |
| Operational metrics: request counts, error rates, durations | Referral attribution, ad-network identifiers |
How feedback submissions are protected
- IP hashing. When you submit feedback, your IP address is hashed with a server-side pepper before being written to the database. The raw IP is never persisted. This is enforced by apps/api/src/lib/ip-hasher.ts.
- Rate limits. The feedback endpoint is rate-limited per IP (5 submissions per hour) to discourage abuse without blocking legitimate users.
- Anti-spam check. A proof-of-work challenge (ALTCHA) runs in your browser. No CAPTCHA service is contacted; no third-party tracker is loaded. The code is open and self-hosted.
- No reveal in errors. API errors return public-safe codes only; they never include database driver messages, SQL statements, stack traces, or infrastructure details.
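As an added illustration of the first two protections above (this is example code, not the project's apps/api/src/lib/ip-hasher.ts or its rate limiter), the block below peppers the IP with HMAC-SHA256, normalises trivial address variants first, and keys a 5-per-hour sliding-window limiter by the resulting hash so the raw address never needs to be stored. The pepper value and the `IP_HASH_PEPPER` name in the comment are assumptions; a real deployment would load the pepper from a secret store or environment variable, never from source.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed demo pepper. In production this would be loaded from a secret
// store or an environment variable (assumed name: IP_HASH_PEPPER), not hard-coded.
export const DEMO_PEPPER = "constructed-demo-pepper-not-for-production";

/** Normalise trivial IP variants so the same client always hashes the same way. */
export function normalizeIp(ip: string): string {
  let v = ip.trim().toLowerCase();
  // Strip the IPv4-mapped IPv6 prefix (::ffff:203.0.113.7 -> 203.0.113.7).
  if (v.startsWith("::ffff:")) v = v.slice("::ffff:".length);
  // Drop a link-local IPv6 zone id (fe80::1%eth0 -> fe80::1).
  const zone = v.indexOf("%");
  if (zone !== -1) v = v.slice(0, zone);
  return v;
}

/**
 * Non-reversible IP hash: SHA-256 keyed with a server-side pepper via HMAC.
 * An unkeyed SHA-256 of an IP is reversible by enumerating the ~4 billion IPv4
 * addresses; the pepper makes that enumeration useless without the secret.
 */
export function hashIp(ip: string, pepper: string): string {
  if (pepper.length < 16) throw new Error("pepper too short");
  return createHmac("sha256", pepper).update(normalizeIp(ip)).digest("hex");
}

/** Constant-time comparison of two hex digests, e.g. when correlating audit rows. */
export function sameHash(a: string, b: string): boolean {
  const ba = Buffer.from(a, "hex");
  const bb = Buffer.from(b, "hex");
  return ba.length === bb.length && ba.length > 0 && timingSafeEqual(ba, bb);
}

/** In-memory sliding-window limiter keyed by the peppered hash, never by the raw IP. */
export class FeedbackRateLimiter {
  private readonly hits = new Map<string, number[]>();
  private readonly pepper: string;
  private readonly limit: number;
  private readonly windowMs: number;

  constructor(pepper: string, limit = 5, windowMs = 60 * 60 * 1000) {
    this.pepper = pepper;
    this.limit = limit;
    this.windowMs = windowMs;
  }

  /** Returns true if this submission may proceed, false if the caller is over the limit. */
  allow(ip: string, now: number = Date.now()): boolean {
    const key = hashIp(ip, this.pepper);
    // Keep only timestamps still inside the window.
    const recent = (this.hits.get(key) ?? []).filter((t) => now - t < this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return false;
    }
    recent.push(now);
    this.hits.set(key, recent);
    return true;
  }
}

// Stand-alone demo: the stored value is the hash, not the address.
console.log("stored key:", hashIp("203.0.113.7", DEMO_PEPPER));
```

Because the limiter keys on the hash, the in-memory map and any persisted counters hold the same opaque value the feedback row does, so a leaked table or log exposes nothing reversible. The length check on the pepper is a cheap guard against an empty or misconfigured secret silently downgrading the scheme to plain SHA-256.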
Email handling
When an operator emails you (e.g., to reply to feedback you submitted), we use Postmark with open- and click-tracking explicitly disabled. We do not track whether you opened a message or which links you clicked.
Data retention
At pilot scale, feedback rows are retained for operational triage. We do not have a fixed automated retention window yet; if you need a row removed, email us and we'll take care of it.
Changelog
| Date | Change | Author |
|---|---|---|
| 2026-06-06 | Initial policy authored from docs/SECURITY_MODEL.md §13 | (operator) |