The 7 Absolutes
Seven things we will never do. Seven things we will always do. Not aspirations. Enforceable commitments, versioned in git, permanent by design.
When a person entrusts their email address, their membership, their communications to a platform, they are extending trust.
That trust is not a commodity to be monetized. It is an obligation to be honored.
Most platforms bury their privacy practices in legal documents nobody reads. We took a different approach. We wrote a Compact: a versioned, auditable, published contract between us and every person whose data passes through our systems.
The Compact has teeth. Every version is permanent. Changes can only strengthen protections, never weaken them. If we violate it, the violation is disclosed publicly within 72 hours.
At the center of the Compact are the 7 Absolutes: seven iron prohibitions and seven active commitments that define the boundaries of what we will and won't do with your data, your communications, and your trust.
Never sell your contact information
Not to advertisers. Not to data brokers. Not to partners. Not to anyone. Your relationships belong to you.
Never harvest behavioral data for advertising
No tracking pixels for ad networks. No profiling for targeted ads. No selling your attention to the highest bidder.
Never use dark patterns
No hidden opt-ins. No confusing unsubscribe flows. No guilt-driven retention screens. No pre-checked consent boxes. If you want to leave, you leave.
Never hold your data hostage
Export everything. Contacts, messages, membership lists, configuration. CSV, JSON, API. If you outgrow us, you leave with all of it.
Never weaken a privacy commitment
Version 2.0 of the Compact can add protections. It cannot remove them. This rule applies to itself.
Never read your private communications
We don't read, analyze, or mine the content of group messages for any purpose other than delivering them and enforcing your group's own moderation policies.
Never share member lists without explicit consent
No cross-organization sharing without recorded, per-instance consent from both the member and the organization's authorized representative. Your membership is your business.
Record consent, never assume it
Every opt-in is a recorded event with a timestamp, a channel, a specific permission, and an audit trail that can't be retroactively modified. Silence is not consent. Pre-checked boxes are not consent.
STOP means STOP
When you opt out, delivery ceases immediately. The opt-out is recorded with the same rigor as the opt-in. No "are you sure?" No "you'll miss out." You can come back on your own terms.
Minimize data, always
We collect only what's necessary to deliver the service. We retain only what's justified. We delete when the justification ends. Delivery data is for operations, never profiling.
Enforce boundaries between groups
A member of one organization cannot see the members of another unless they belong to both. Authorization to communicate does not mean authorization to view. This is enforced at the architecture level.
Make everything portable
Any authorized administrator can export complete member lists, message archives, group configuration, and usage history. CSV and JSON. Self-service, immediate. No "contact us to get your data."
Maintain a complete audit trail
Every message archived with sender, group, subject, recipients, source, type, and timestamp. The audit trail is known, accessible, trusted, and allowed. It serves your organization's interests, not ours.
Publish everything that matters
The Compact itself, versioned in git. Our data retention policies. Our subprocessor list. Our security incident history. Transparency isn't a feature we ship. It's the foundation we build on.
Commitments are only as strong as the architecture that enforces them. Every prohibition and every promise is embedded in the platform's trust model. Privacy boundaries aren't policies someone follows. They're walls the system enforces.
Hierarchical boundaries
Trust mirrors your organization's structure. A post commander sees their post. A county commander sees aggregate counts, not individual member data. Every level has a defined trust boundary.
Communication is not access
Authorization to send a message to a group does not grant visibility into that group's membership, archives, or settings. Sending and seeing are separate permissions.
Cross-group trust is explicit
Groups authorize other groups for cross-posting one at a time, deliberately, by their administrator. Trust is never inherited, never assumed, never automatic.
Every access is logged
Platform administrators can see everything. And every time they do, it's recorded. Power and accountability are inseparable.
A promise without enforcement is marketing. Here's how we make the Absolutes binding:
- Versioned and permanent. The full Compact is tracked in git. Every change has a commit message explaining what changed and why. No protection established in a previous version can ever be removed.
- Violations are disclosed. If we discover a violation, we disclose it publicly within 72 hours. We document the root cause, implement a fix, and update the Compact if the violation reveals a gap.
- Fair pricing, no bait-and-switch. Published prices are the prices. Existing subscribers keep their rate. No increases without 90 days written notice. The free tier is real and permanent.
- The Compact survives us. If the company ceases operations, all user data is exported and delivered to group administrators. No data is sold, transferred, or retained. The obligations outlive the entity that made them.
Privacy is a matter of justice. When a person entrusts their data to a platform, that trust is an obligation to be honored. Not a commodity to be monetized.
Seven nevers. Seven always.
No exceptions.