This page is the contract. Raw worker chats, case files, IDs, contact details, and private documents stay on the worker device or trusted NGO hardware unless an authorized user creates a sanitized submission. Sensitive PII is anonymized by the local Gemma 4 workflow before anything is submitted; the server runs a second PII detector before storage or display.
| Category | Stays local | May cross hub | Enforcement |
|---|---|---|---|
| Worker case content | Always | Never | Local Gemma 4 anonymization must happen before submission; server schemas reject raw case fields. |
| Worker names · IDs · contacts | Always | Never | Server-side PII detector rejects identifier-shaped strings before storage. |
| Anonymized pattern_id (e.g. fee_request) | Originates locally | Yes, opt-in | Per-turn opt-in. K-anon ≥ 30 floor or rejected. |
| Corridor / sector buckets | Originates locally | Yes, anonymized only | Anonymized buckets only; no time-of-day precision. |
| Public-source URLs | — | Yes (intended) | Reviewed by curators before publication. |
| Pack version + pull-time | — | Yes (audit) | For reproducibility of the audit log. |
| Outbound emails / reports | — | Never auto-sent | No automated outbound channel exists. Human signs every artifact. |
The hub has no endpoint that accepts worker case content. None will be added.
DueCare drafts; the user or trusted caseworker decides. The hub does not send messages on anyone's behalf.
DueCare is not a law firm, an emergency response service, or an official complaint authority. It cites public sources and routes to verified contacts.
The server rejects raw-PII submissions before storage and redacts detector-class PII in admin/debug views.
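
The enforcement column above, sketched as a single server-side gate. This is an added example, not DueCare's own code: the field names, the three regex detectors, and the definition of `cohort_size` are assumptions chosen for illustration.

```python
import re

# Hypothetical allowlist: the only fields a sanitized submission may carry.
ALLOWED_FIELDS = {"pattern_id", "corridor", "sector", "opt_in", "pack_version"}
K_ANON_FLOOR = 30  # from the table: K-anon >= 30 or rejected

# Assumed "identifier-shaped" detectors; a real detector covers more classes.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d(?!\w)"),
    "id_number": re.compile(r"\b[A-Z]{1,2}\d{6,9}\b"),
}

def detect_pii(value):
    """Return the detector classes (never the matched text) found in a string."""
    return sorted(name for name, rx in PII_PATTERNS.items() if rx.search(value))

def validate_submission(sub, cohort_size):
    """Return (accepted, reasons). cohort_size is assumed to be the number of
    opted-in reports sharing this pattern_id and bucket combination."""
    reasons = []
    extra = sorted(set(sub) - ALLOWED_FIELDS)
    if extra:  # schema rejects raw case fields instead of silently dropping them
        reasons.append(f"unknown fields rejected: {extra}")
    if sub.get("opt_in") is not True:
        reasons.append("no per-turn opt-in")
    for key, value in sub.items():
        if isinstance(value, str):
            # Log only the detector class so rejected PII never reaches debug views.
            reasons += [f"{cls} detected in {key}" for cls in detect_pii(value)]
    if cohort_size < K_ANON_FLOOR:
        reasons.append(f"k-anonymity {cohort_size} below floor {K_ANON_FLOOR}")
    return (not reasons, reasons)

# Constructed sample inputs (not real data).
SAMPLE_OK = {"pattern_id": "fee_request", "corridor": "bucket_a",
             "sector": "domestic_work", "opt_in": True, "pack_version": "v1"}
SAMPLE_RAW = {"pattern_id": "fee_request", "opt_in": True,
              "case_text": "Agent took my passport P1234567, call +63 912 345 6789"}

if __name__ == "__main__":
    print(validate_submission(SAMPLE_OK, 30))   # accepted
    print(validate_submission(SAMPLE_OK, 12))   # rejected: below k-anon floor
    print(validate_submission(SAMPLE_RAW, 100)) # rejected: raw field and PII
```

The gate runs before storage and fails closed: any unknown field, missing opt-in, detector hit, or undersized cohort rejects the whole submission.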