Privacy and right to erasure
Personal information held by Nebula is governed by the Australian
Privacy Principles (APP). Users can request erasure under APP 11.2
or the GDPR right-to-erasure where applicable.
How to request erasure
A user submits a UserDeletionRequest via /settings/account. The
request is reviewed by the admin (the user can revoke before
processing). On approval the cron worker:
- Anonymises the User row (replaces email, name, hashedPassword)
- Marks atoms authored by the user with extractedById = null
- Removes session and token rows
- Logs the deletion in ExportLog with the original userId hash
What survives erasure
Anchored proofs survive. The atom's chain of provenance does not
change; only the link to the user who authored it is severed. This
is necessary for the integrity of the agreement record.
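
The erasure steps and the survival property described above, as an added example that is not Nebula's own code: it applies the four steps in one SQLite transaction and leaves the atom's anchored value untouched. Table and column names follow the page; the contentHash column, the placeholder values, the USER_ERASED action label and SHA-256 for the userId hash are assumptions.

```python
import hashlib
import sqlite3

# Constructed schema: table and column names follow the page; column types,
# contentHash (standing in for the anchored value) and SHA-256 are assumed.
SCHEMA = """
CREATE TABLE User (id TEXT PRIMARY KEY, email TEXT, name TEXT, hashedPassword TEXT);
CREATE TABLE Atom (id TEXT PRIMARY KEY, extractedById TEXT, contentHash TEXT);
CREATE TABLE Session (id TEXT PRIMARY KEY, userId TEXT);
CREATE TABLE Token (id TEXT PRIMARY KEY, userId TEXT);
CREATE TABLE ExportLog (action TEXT, userIdHash TEXT);
"""

def build_sample_db():
    """In-memory database with one constructed user who authored one atom."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO User VALUES ('u1', 'a@example.test', 'Alice', 'pwhash')")
    db.execute("INSERT INTO Atom VALUES ('a1', 'u1', 'c0ffee')")
    db.execute("INSERT INTO Session VALUES ('s1', 'u1')")
    db.execute("INSERT INTO Token VALUES ('t1', 'u1')")
    db.commit()
    return db

def erase_user(db, user_id):
    """Apply the four erasure steps in one transaction; return the logged hash."""
    uid_hash = hashlib.sha256(user_id.encode()).hexdigest()
    with db:  # commits on success, rolls back every step on any exception
        cur = db.execute(
            "UPDATE User SET email = ?, name = 'erased', hashedPassword = '' WHERE id = ?",
            (f"erased-{user_id}@erased.invalid", user_id))
        if cur.rowcount != 1:
            raise LookupError(f"no such user: {user_id}")
        # Sever authorship only; contentHash (the anchored value) is not touched.
        db.execute("UPDATE Atom SET extractedById = NULL WHERE extractedById = ?", (user_id,))
        db.execute("DELETE FROM Session WHERE userId = ?", (user_id,))
        db.execute("DELETE FROM Token WHERE userId = ?", (user_id,))
        db.execute("INSERT INTO ExportLog VALUES ('USER_ERASED', ?)", (uid_hash,))
    return uid_hash

def residual_references(db, user_id):
    """Count rows that still reference user_id after erasure (expected: 0)."""
    queries = ["SELECT COUNT(*) FROM Atom WHERE extractedById = ?",
               "SELECT COUNT(*) FROM Session WHERE userId = ?",
               "SELECT COUNT(*) FROM Token WHERE userId = ?"]
    return sum(db.execute(q, (user_id,)).fetchone()[0] for q in queries)
```

Running residual_references after the job is a cheap post-condition check that no authorship, session or token row still points at the erased user.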
Classification field
The Atom.classification enum (UNCLASSIFIED, OFFICIAL,
OFFICIAL_SENSITIVE, PROTECTED) drives access policies and LLM
gating. Defence pack projects default to OFFICIAL_SENSITIVE; the
pack handler can elevate.
Cross links
/docs/security/pii: redaction layer
/docs/security/audit: ExportLog