Privacy by Design
Privacy by Design (PbD) is a framework developed by Dr. Ann Cavoukian, former Information and Privacy Commissioner of Ontario, that establishes seven foundational principles for embedding privacy into the design of systems, business practices, and physical infrastructure. It was adopted as a binding legal requirement under GDPR Article 25 ("Data Protection by Design and by Default") and has become the gold standard that enterprise procurement teams evaluate when selecting data-intensive vendors.
ReGenesis handles some of the most sensitive personal data in enterprise software: coaching transcripts, emotional reflections, AI-derived behavioral insights, and personal development trajectories. For a platform like this, Privacy by Design is not optional — it is existential. An enterprise client will not entrust their executives' most private developmental content to a platform that treats privacy as a compliance afterthought.
The ReGenesis approach maps each of Cavoukian's seven foundational PbD principles to specific, verifiable architecture decisions:
- Proactive, not reactive — Privacy Impact Assessments gate every feature before development begins
- Privacy as the default — Four-tier visibility tags default every field to the most restrictive appropriate level
- Privacy embedded into design — Classification and visibility are required database fields, not optional metadata
- Full functionality (positive-sum) — Sasha delivers powerful AI insights within privacy constraints, not despite them
- End-to-end security — Encryption from collection through crypto-shredding at deletion
- Visibility and transparency — Evidence Packs create a verifiable AI decision trail
- Respect for user privacy — Human-in-the-loop model ensures coachee autonomy over AI-generated insights
The differentiator: Most coaching platforms add privacy controls retroactively after a client demands them. ReGenesis is architecturally incapable of violating its own privacy principles because those principles are encoded in the data model, the access control layer, the AI inference pipeline, and the audit system. This is the difference between a privacy policy (a document) and Privacy by Design (an architecture).
The Seven Foundational Principles of Privacy by Design
Dr. Ann Cavoukian's seven principles are not abstract academic concepts — they are practical design constraints that shape every decision in the ReGenesis platform. Here is what each principle means and what it looks like in practice.
Principle 1: Proactive Not Reactive — Preventive Not Remedial
The principle: Anticipate and prevent privacy-invasive events before they happen. Do not wait for privacy risks to materialize and then try to fix them. The Privacy by Design framework recognizes that the cost of remediation after a privacy failure is orders of magnitude higher than the cost of prevention.
What it means for ReGenesis:
- Privacy risks are identified during feature design, not after deployment
- Every new feature goes through a Privacy Impact Assessment (PIA) before development begins
- The Data Minimization architecture ensures the platform never collects data it does not need, eliminating entire categories of privacy risk before they exist
- Sasha's AI capabilities are scoped by permission grants — the system cannot observe, analyze, or act on data types that have not been explicitly unlocked
- Automated sensitive content detection flags potentially sensitive data at ingestion, before it enters the standard processing pipeline
- The blocked data sources list (`email_inbox`, `full_calendar`, `hr_performance_review`, etc.) is enforced at the architectural level — these data types are not just policy-excluded, they are code-rejected
Product implication: When designing a new feature or evaluating a feature request, the first question is always: "What is the minimum data this feature needs to work?" If a feature requires collecting a new category of personal data, that triggers a PIA before any code is written. This adds a day or two per feature but eliminates the risk of retroactive privacy remediations that could take weeks and damage client trust.
Principle 2: Privacy as the Default Setting
The principle: Personal data is automatically protected in any system. The individual does not have to take action to protect their privacy — it is built into the default configuration. If a person does nothing, their privacy is still fully protected.
What it means for ReGenesis:
- The four-tier visibility model (`client_visible`, `coach_only`, `admin_aggregate`, `system_internal`) defaults to the most restrictive level appropriate for each data type
- New data fields default to `coach_only` visibility unless explicitly configured otherwise — and unknown field types default to `system_internal` (maximum restriction)
- Sasha starts in `observe` mode (lowest permission), not `act` mode (highest permission) — coachees must actively grant elevated permissions
- Aggregate dashboards for corporate admins show anonymized data by default, with a minimum threshold of 5 individuals before any aggregate is displayed (preventing re-identification)
- Session transcripts default to coach-only access; the coachee must explicitly choose to share with their corporate admin
- Retention periods default to the shortest reasonable period for each data category
- Export and portability are available but not automatic — data does not leave the platform unless the user actively requests it
How visibility tags implement privacy-as-default:
| Data Type | Default Visibility | Elevation Requires |
|---|---|---|
| Session transcripts | coach_only | Explicit consent from coachee |
| Coaching notes | coach_only | Explicit consent from coachee |
| Sasha AI insights | coach_only | Explicit consent from coachee |
| Goal progress | client_visible | No elevation needed (already visible to coachee) |
| Aggregate program metrics | admin_aggregate | Minimum 5-person threshold (automatic) |
| Sensitive flagged content | system_internal | Explicit consent + PIA review |
| Unknown/new field types | system_internal | Manual review + configuration required |
Product implication: Sensitive data is never accidentally exposed because the defaults are locked down. If a coach or coachee wants to open up access, they actively choose to do so. The system is designed so that the path of least resistance is also the most private path. Enterprise clients can be shown that even without any privacy configuration, their executives' coaching data is protected at the highest level by default: "Data is safe from the moment a coachee is enrolled — no configuration required."
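The defaults and the 5-person aggregate threshold above, as an added example in Python (not ReGenesis code); the data-type names, the record layout and the `elevate`/`admin_aggregate` function names are assumptions made for the example:

```python
"""Added example, not ReGenesis code: privacy-as-default visibility tags and
the 5-person aggregate threshold from Principle 2. The data-type names and
the record layout are assumptions made for this example."""
from typing import Optional

# The four visibility tiers, least to most restrictive.
TIERS = ("client_visible", "coach_only", "admin_aggregate", "system_internal")

# Default tag per data type, following the visibility table above.
DEFAULT_VISIBILITY = {
    "session_transcript": "coach_only",
    "coaching_note": "coach_only",
    "sasha_insight": "coach_only",
    "goal_progress": "client_visible",
    "program_metric": "admin_aggregate",
    "sensitive_flagged": "system_internal",
}
MIN_AGGREGATE_SIZE = 5  # admin aggregates are suppressed below this many people


def default_visibility(data_type: str) -> str:
    """Unknown or new field types fall to the most restrictive tier."""
    return DEFAULT_VISIBILITY.get(data_type, "system_internal")


def elevate(data_type: str, target: str, *, coachee_consent: bool,
            pia_reviewed: bool = False) -> str:
    """Loosen a record's visibility below its default. Fails closed: any
    loosening needs explicit coachee consent, and system_internal data also
    needs a PIA review. Keeping or tightening the default is always allowed."""
    base = default_visibility(data_type)
    if TIERS.index(target) >= TIERS.index(base):
        return target  # same or more restrictive: no consent needed
    if not coachee_consent:
        raise PermissionError(f"{data_type}: coachee consent required")
    if base == "system_internal" and not pia_reviewed:
        raise PermissionError(f"{data_type}: PIA review required")
    return target


def admin_aggregate(records: list[dict]) -> Optional[dict]:
    """Anonymized program metrics for a corporate admin. Returns None (the
    panel is suppressed) unless at least MIN_AGGREGATE_SIZE distinct coachees
    contribute, so a small cohort cannot be re-identified from the numbers."""
    coachees = {r["coachee_id"] for r in records}
    if len(coachees) < MIN_AGGREGATE_SIZE:
        return None
    completed = sum(1 for r in records if r["completed"])
    return {"participants": len(coachees),
            "completion_rate": round(completed / len(records), 2)}
```

Suppressing the whole panel (rather than showing a count of 4) is what stops an admin from recovering one person's status by comparing cohorts of adjacent size.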
Principle 3: Privacy Embedded into Design
The principle: Privacy is not an add-on or a plugin. It is integral to the system, woven into the core architecture without diminishing functionality. You cannot remove the privacy protections without dismantling the system itself.
What it means for ReGenesis:
- Every database record carries a `classification` tag and a `visibility` tag — these are not optional metadata; they are required fields enforced at the schema level with NOT NULL constraints
- The Consent Architecture is a core service, not a middleware filter that can be bypassed
- Sasha's inference pipeline includes mandatory privacy checks at every stage: data retrieval (RBAC), inference (scope verification), output (visibility enforcement), and storage (classification tagging)
- Encryption is not a toggle — AES-256 at rest and TLS 1.3 in transit are hardcoded architectural requirements
- The Evidence Pack system was designed from inception to store excerpts rather than full transcripts, making data minimization a structural feature of the AI explainability layer
- The consent enforcement middleware sits in the request processing pipeline — there is no code path that bypasses it
Product implication: When enterprise legal teams ask "Can the privacy features be turned off?" the answer is "No, and that is the point." Privacy is not a configuration option in ReGenesis — it is the architecture itself. Client data is protected by engineering, not by policy compliance. Policies can be ignored; architecture cannot. Where a competitor says "We take privacy seriously," ReGenesis can say "Privacy is inseparable from the product."
Principle 4: Full Functionality — Positive-Sum, Not Zero-Sum
The principle: Privacy and functionality are not trade-offs. You can have both full privacy protection and full system functionality. Reject false dichotomies like "privacy vs. security" or "privacy vs. usability." Accommodate all legitimate interests and objectives in a doubly enabling, "win-win" manner.
What it means for ReGenesis:
- Sasha delivers powerful AI coaching insights without requiring access to data beyond its permission scope — the AI is designed to work within privacy constraints, not despite them
- Corporate admins get meaningful program ROI metrics through anonymized aggregates without ever seeing individual coaching content — privacy and business intelligence coexist
- Evidence Packs provide full AI explainability (Sasha can show its reasoning) using only excerpts, not full transcripts — data minimization and explainability are both achieved simultaneously
- Coaches retain full session management capabilities whether or not the coachee has granted Sasha elevated permissions — the coaching experience does not degrade when privacy settings are restrictive
- The consent withdrawal flow is designed so that withdrawing consent for sensitive data processing does not break the core coaching functionality (which operates under contractual necessity)
- The three-tier data model (coachee, coach, corporate admin) gives each stakeholder the information they need without exposing information they should not see
| Stakeholder | What They Need | What They Get | What They Do NOT Get |
|---|---|---|---|
| Coachee | Personal development support | Full session content, AI insights, goal tracking | Coach's private notes about them |
| Coach | Effective coaching tools | Session summaries, AI recommendations, evidence trails | Other coaches' client data |
| Corporate Admin | Program ROI | Anonymized aggregates, trend data, completion metrics | Individual session content, personal reflections |
Product implication: This is the principle most frequently referenced in product decisions. The architecture is designed so that Sasha works well within its privacy constraints — not despite them. When a request arises for corporate admins to see session content for ROI measurement, anonymized aggregates serve the legitimate business purpose without compromising individual privacy. Every design decision that delivers more value with less data reinforces this principle. The goal is always: "How does everyone win?"
Principle 5: End-to-End Security — Full Lifecycle Protection
The principle: Strong security measures are essential to privacy, from the first moment data is collected through its entire lifecycle to its final deletion. Security and privacy are complementary, not competing concerns. Data must never exist in an unprotected state at any point in the lifecycle.
What it means for ReGenesis:
- Data is encrypted from the moment of collection (TLS 1.3 in transit) through storage (AES-256 at rest) to its final deletion (crypto-shredding with deletion certificates)
- Per-user encryption keys (managed via AWS KMS) ensure that deleting a user's key renders all their data permanently inaccessible, even in backups
- The audit logging system uses hash-chaining to create a tamper-evident record of all data access events — any tampering with the log breaks the chain
- The Data Lifecycle tracks every piece of data from ingestion to deletion, with no data existing outside of defined lifecycle management
- Infrastructure Security provides defense-in-depth: network segmentation, WAF, DDoS protection, and regular penetration testing
- LLM inference data sent to Anthropic Claude is ephemeral — it is not used for model training and is not retained after the inference call returns
- Session data in Sasha's context window is cleared after the interaction ends — there is no persistent LLM memory that could leak across users
Product implication: Enterprise procurement teams can be assured that there is no point in the data lifecycle where personal information exists in an unprotected state. From the moment a session transcript enters the system to the moment it is crypto-shredded years later, every byte is encrypted, classified, access-controlled, and audit-logged. This is end-to-end in the truest sense — not merely "the platform uses HTTPS."
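The hash-chained, tamper-evident audit log described under Principle 5, as an added example in Python (not ReGenesis code); the event fields, the sample events and the function names are assumptions made for the example:

```python
"""Added example, not ReGenesis code: a hash-chained, tamper-evident audit log
of the kind Principle 5 describes. Every entry commits to the previous entry's
hash, so editing, reordering or deleting any earlier event breaks each later
link. The event fields and sample values are assumptions made for the example."""
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # prev_hash recorded by the first entry


def _digest(entry: dict) -> str:
    """Hash of the entry minus its own hash field, over canonical JSON
    (sorted keys, no whitespace) so every verifier computes the same value."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def append_event(log: list[dict], actor: str, action: str,
                 record_id: str, ts: str) -> dict:
    """Append one data-access event, linking it to the current chain head."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "ts": ts, "actor": actor, "action": action,
             "record_id": record_id, "prev_hash": prev_hash}
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify_chain(log: list[dict]) -> Optional[int]:
    """Return None if the chain is intact, else the seq of the first entry
    whose position, back-link or content no longer matches."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != expected_prev:
            return i
        if entry["hash"] != _digest(entry):
            return i
        expected_prev = entry["hash"]
    return None


def build_sample_log() -> list[dict]:
    """Constructed sample: three access events on one coachee's transcript."""
    log: list[dict] = []
    append_event(log, "coach:42", "read", "transcript:9001", "2024-01-10T09:00:00Z")
    append_event(log, "sasha", "analyze", "transcript:9001", "2024-01-10T09:01:00Z")
    append_event(log, "coachee:7", "export", "transcript:9001", "2024-01-11T12:00:00Z")
    return log
```

The chain proves only that nothing changed after a given head hash was observed, so the current head (or a signature over it) should be written somewhere the log writer cannot modify; otherwise whoever can rewrite the whole log can simply recompute every link.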
Principle 6: Visibility and Transparency — Keep It Open
The principle: Assure all stakeholders that the system operates according to its stated promises. Make operations and practices visible and verifiable. Subject the system to independent verification. Whatever the business practice or technology involved, it should operate according to the stated promises and objectives, subject to independent review.
What it means for ReGenesis:
- Evidence Packs are the primary transparency mechanism — they show exactly what data Sasha used, what reasoning it applied, and what conclusion it reached, creating a verifiable AI decision trail that any stakeholder can examine
- The four-tier visibility model is displayed to users in plain language: coachees can see exactly what data is visible to whom at all times
- The Consent Architecture records every consent interaction with timestamps, text hashes, and versions — creating a complete, auditable consent history
- Privacy notices are written in plain English, not legalese, and are presented at the point of data collection (not buried in a Terms of Service document)
- SOC 2 Type II audits provide independent third-party verification that the platform's privacy and security controls work as claimed
- The Record of Processing Activities (RoPA) catalogs every data processing activity and is available for regulatory inspection
- AI-generated content is always labeled as AI-generated with confidence scores — Sasha never pretends to be human
How Evidence Packs support transparency:
Product implication: Transparency is a significant advantage in enterprise sales. When a CISO asks "How does the AI make decisions?" the answer is an Evidence Pack with citations and reasoning. When a DPO asks "What data is processed and why?" the answer is the RoPA. When a coachee asks "Who can see my data?" the platform shows them clearly. When an auditor asks "Prove the controls work," the answer is SOC 2 Type II. This level of transparency builds trust faster than any marketing material could.
Principle 7: Respect for User Privacy — Keep It User-Centric
The principle: Keep the interests of the individual paramount throughout the entire process. Offer strong privacy defaults, appropriate notice, and user-friendly options. Empower the individual as an active participant in their own data management. Above all, architects and operators must respect the individual as a data subject with rights, autonomy, and dignity.
What it means for ReGenesis:
- The coachee owns their data — this is a foundational principle of the three-tier data model (coachee, coach, corporate admin) and is reflected in the sovereign data architecture
- Sasha's human-in-the-loop model ensures that AI-generated insights are always presented as suggestions, never as directives — the coach and coachee retain decision-making authority at all times
- Coachees control their own Sasha permission levels (observe, analyze, act) and can change them at any time without penalty
- Consent withdrawal never penalizes the coachee — core coaching functionality continues under the contractual lawful basis
- Data subject access requests (DSARs) are fulfilled through a self-service portal, not a bureaucratic email process — respect means making rights exercise easy
- The platform is designed to support data portability — coachees can export their own data in structured formats (JSON, CSV)
- The coaching experience does not degrade when privacy settings are restrictive — the platform was designed for restrictive settings as the baseline
How the human-in-the-loop model respects user autonomy:
| Sasha Capability | Without Human Approval | With Human Approval |
|---|---|---|
| Observe (see data) | Sasha can view data within granted scope | N/A (passive observation) |
| Analyze (generate insights) | Insights generated and queued | Coach reviews and presents to coachee |
| Act (take actions) | Blocked — action is drafted only | Coach or coachee approves, then action executes |
| Escalate (flag concerns) | Alert generated to coach | Coach decides whether and how to address |
Sasha will never take an action that affects a coachee without explicit human approval. AI outputs at the "act" level are always drafts that require a human (coach or coachee) to review and approve. This is not a limitation — it is a design choice that respects the fundamental autonomy of the people the platform serves.
Product implication: This is the principle that differentiates ReGenesis from surveillance-oriented productivity tools. The platform is built to serve the coachee's development, not to monitor them for their employer. When coachees feel safe, they are more honest in coaching sessions, which produces better outcomes, which produces better ROI metrics for the enterprise client. Respecting user privacy is not just ethically right — it is the mechanism by which the platform delivers superior business results.
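The permission ladder and the human-in-the-loop gate from the table above, as an added example in Python (not ReGenesis code); the `Draft` type, the `propose`/`approve`/`execute` functions and the principal identifiers are assumptions made for the example:

```python
"""Added example, not ReGenesis code: the observe/analyze/act permission
ladder and the human-in-the-loop gate from Principle 7. An act-level output
is only ever a draft; execution is a separate step that refuses anything
without a recorded human approval. Names and fields are assumptions."""
from dataclasses import dataclass
from typing import Optional

LEVELS = ("observe", "analyze", "act")  # every coachee starts at "observe"


@dataclass
class Draft:
    action: str
    coachee_id: str
    approved_by: Optional[str] = None


def propose(granted: str, requested: str, action: str, coachee_id: str) -> Draft:
    """Sasha may use a capability only at or below the coachee's grant, and
    even an allowed act-level proposal comes back as an unapproved draft."""
    if LEVELS.index(requested) > LEVELS.index(granted):
        raise PermissionError(f"'{requested}' exceeds granted level '{granted}'")
    return Draft(action=action, coachee_id=coachee_id)


def approve(draft: Draft, approver: str, coach_ids: set[str]) -> Draft:
    """Only the coachee themself or one of their assigned coaches can approve.
    Any other principal, including Sasha, is rejected, so the AI cannot
    self-approve its own drafts."""
    if approver != draft.coachee_id and approver not in coach_ids:
        raise PermissionError(f"{approver} may not approve for {draft.coachee_id}")
    draft.approved_by = approver
    return draft


def execute(draft: Draft) -> str:
    """The only path that runs an action; fails closed without an approval."""
    if draft.approved_by is None:
        raise PermissionError("draft has no human approval")
    return (f"executed '{draft.action}' for {draft.coachee_id} "
            f"(approved by {draft.approved_by})")
```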
How the Seven Principles Connect
The seven principles form a reinforcing system, not a checklist of independent requirements:
Building privacy in from the start costs approximately 10-20% more in initial development. Retrofitting privacy into a system that was not designed for it costs 5-10x that amount and often requires complete re-architecture. For ReGenesis, Privacy by Design is not a cost — it is an investment that eliminates the single largest category of technical debt in enterprise data platforms.
Privacy by Design Principle Map
Privacy by Design is not a checklist completed once — it is a design philosophy that shapes every architectural decision, every feature sprint, and every product review. For ReGenesis, it transforms privacy from a compliance burden into a competitive advantage: the platform that is architecturally incapable of violating its own privacy principles is the platform that enterprises trust with their most sensitive people data. Cavoukian's seven principles are the blueprint; the ReGenesis architecture is the proof.