Privacy — v0 draft
The minimum data required to operate safely and reliably.
Privacy and data minimization are among UFTA's non-negotiables. This page is the v0 draft of how that posture lands in practice. A formal policy ships with the first ratified release.
Posture
- Collect the minimum data required to operate the canonical-object model and trust system.
- Public surfaces show status and expiry indicators, not raw documents or identifiers.
- Authorized verifiers request privacy-preserving proofs via IDConnect — time-bounded, pairwise.
- No cross-partner tracking. Each partner sees only the data its scope grants.
- Receipts are durable and readable by the parties involved; they are not a public surface.
What UFTA stores (high-level)
- Identity
  - Foodie and provider records anchored to an IDConnect subject. No untethered free-text identity.
- Operational data
  - Schedules, availability, offerings, events, and venue information necessary for discovery and booking.
- Compliance evidence
  - Permits, insurance, and inspection artifacts tied to the entity that holds them. Stored at rest, not on public surfaces.
- Aura signals
  - Composite reputation scoring with sub-signals (operational, trust, community, freshness) and a semantic embedding. TTL-bounded.
- Receipts
  - Hash-chained audit log of publish, adopt, and dispute lifecycle events. Not deleted; readable by the parties named on the receipt.
Rights
Foodies and providers can read what UFTA holds about them, request corrections, and raise disputes. Specific rights and request workflows ship with the ratified policy.