Protected health information (PHI) never leaves your box. Models flow down, receipts flow up, PHI never crosses.
This is the one rule the whole system is built around. It is not a privacy policy you have to trust; it is a structural property you can verify by reading the code. Two sides, opposite invariants:
| LocalDiabetic (the vault, on your NAS) | OpenDiabetic (the hive, the cloud/compute) |
|---|---|
| Records never leave the box. | Cloud records never enter a person's vault. |
| Holds PHI at rest; the only place it lives. | Holds open models, templates, non-PHI receipts. |
| Receives models flowing down. | Receives receipts flowing up. |
The Nudge emits only the generic reminder text you declared (e.g. "Time for your foot check"). The medical detail stays in the vault behind a pointer you follow on the box. PHI cannot leak to your phone because the engine never loads PHI in the first place.
When the vault sends a note to the on-device model to organize, the note exists only in memory for that one request. In the edge brain's code, the only file ever written is a non-PHI receipt ledger. Record content never reaches a disk write, so phi_persisted is structurally always false:

```python
import json

LEDGER = "receipts.ndjson"  # illustrative path; the ledger holds only non-PHI receipts

# the only write path in the edge brain
def _append_receipt(rec):  # rec = lengths + hashes + flags, NO content
    with open(LEDGER, "a") as f:
        f.write(json.dumps(rec) + "\n")
# record content is passed to the model in RAM and returned, never to any open(..., "w")
```
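"Structurally always false" is only as good as the audit that enforces it. The checker below is an added example, not the project's own tooling: it parses a constructed stand-in for the edge-brain module with Python's `ast`, lists every `open()` call whose mode can write (or whose mode is not a literal and so cannot be proven read-only), and asserts that the single write-capable call targets `LEDGER` in append mode. `SAMPLE_SOURCE`, `LEAKY_SOURCE` and the function names are assumptions made for the example.

```python
import ast

# Constructed stand-in for the edge-brain module (not the project's real source).
SAMPLE_SOURCE = '''
import json
LEDGER = "receipts.ndjson"

def _append_receipt(rec):
    with open(LEDGER, "a") as f:
        f.write(json.dumps(rec) + "\\n")

def organize(note):
    return note.strip()   # content stays in RAM and is returned
'''

# Constructed counter-example: a scratch cache that would persist PHI.
LEAKY_SOURCE = '''
def organize(note):
    with open("/tmp/scratch.txt", "w") as f:
        f.write(note)
    return note
'''

WRITE_MODE_CHARS = set("wax+")   # any of these in a mode string allows writing


def _mode_of(call):
    """Mode passed to open(): literal string, 'r' if omitted, None if not a literal."""
    for kw in call.keywords:
        if kw.arg == "mode":
            return kw.value.value if isinstance(kw.value, ast.Constant) else None
    if len(call.args) >= 2:
        arg = call.args[1]
        return arg.value if isinstance(arg, ast.Constant) else None
    return "r"


def _target_of(call):
    """Best-effort name of the file argument: a Name's identifier or a string literal."""
    if not call.args:
        return None
    a = call.args[0]
    if isinstance(a, ast.Name):
        return a.id
    if isinstance(a, ast.Constant):
        return str(a.value)
    return None


def find_write_opens(source):
    """Return (lineno, target, mode) for every open() that can write to disk."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id == "open":
            mode = _mode_of(node)
            # A non-literal mode cannot be proven read-only; count it as a write.
            if mode is None or WRITE_MODE_CHARS & set(mode):
                hits.append((node.lineno, _target_of(node), mode))
    return hits


def check_single_write_path(source, allowed_target="LEDGER"):
    """True iff the only write-capable open() appends to the receipt ledger."""
    hits = find_write_opens(source)
    return len(hits) == 1 and hits[0][1] == allowed_target and hits[0][2] == "a"
```

The audit only sees bare `open()`; a real CI gate would add rules for `io.open`, `os.open`, `pathlib.Path.write_text`/`write_bytes`, `shutil`, `sqlite3` and `subprocess`, since any of those is a disk write the invariant must also exclude.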
The on-device model is scoped to organize, summarize, and draft reminders. A request to diagnose is refused outright (HTTP 422). This keeps the system a filing cabinet, not a medical device.
Every action mints a hash-chained receipt carrying lengths, durations, a model name, and honest flags (phi_touched as observed, phi_persisted always false), and no record content. These are safe to ship to the hive. The content is not.
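What a receipt like that looks like in code, and how the hive can check a chain it receives, as an added example rather than the project's implementation. Field names, the `VAULT_KEY` and the sample notes are assumptions. One choice worth noting: the content fingerprints are HMAC-SHA256 under a key that stays in the vault, not bare SHA-256, because a bare hash of a short note ("A1c 7.2") is a dictionary attack away from being PHI again once it reaches the hive.

```python
import hashlib
import hmac
import json
import time

GENESIS = "0" * 64   # prev_hash of the first receipt

# Assumed per-vault secret that never leaves the box; keys the content fingerprints.
VAULT_KEY = b"constructed-vault-key-do-not-reuse"

# Allowlist of receipt fields. Anything outside this set (e.g. "content") is rejected.
ALLOWED_KEYS = frozenset({
    "prev_hash", "ts", "model", "duration_ms",
    "in_len", "in_fp", "out_len", "out_fp",
    "phi_touched", "phi_persisted", "hash",
})


def _canon(body):
    """Canonical JSON so both sides hash the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _fingerprint(text):
    """Keyed fingerprint of content: verifiable by the vault, not reversible by the hive."""
    return hmac.new(VAULT_KEY, text.encode(), hashlib.sha256).hexdigest()


def mint_receipt(prev_hash, record_text, output_text, model, duration_ms,
                 phi_touched=True, ts=None):
    """Build a receipt from a record without copying any of its content."""
    body = {
        "prev_hash": prev_hash,
        "ts": time.time() if ts is None else ts,
        "model": model,
        "duration_ms": duration_ms,
        "in_len": len(record_text),
        "in_fp": _fingerprint(record_text),
        "out_len": len(output_text),
        "out_fp": _fingerprint(output_text),
        "phi_touched": phi_touched,
        "phi_persisted": False,      # structurally false: nothing here is written but this dict
    }
    body["hash"] = hashlib.sha256(_canon(body)).hexdigest()   # links to prev_hash
    return body


def verify_chain(receipts, genesis=GENESIS):
    """Hive-side check: allowlisted fields only, intact links, recomputable hashes."""
    prev = genesis
    for r in receipts:
        if set(r) != ALLOWED_KEYS:             # an extra field is a leak, a missing one a forgery
            return False
        if r["prev_hash"] != prev or r["phi_persisted"] is not False:
            return False
        body = {k: v for k, v in r.items() if k != "hash"}
        if hashlib.sha256(_canon(body)).hexdigest() != r["hash"]:
            return False
        prev = r["hash"]
    return True


def demo_chain():
    """Two receipts over constructed notes; the notes themselves never enter the receipts."""
    r1 = mint_receipt(GENESIS, "constructed note: foot check due", "Reminder: foot check",
                      "local-7b", 120, ts=1.0)
    r2 = mint_receipt(r1["hash"], "constructed note: A1c 7.2", "Filed under labs",
                      "local-7b", 80, ts=2.0)
    return [r1, r2]
```

Because each `hash` covers `prev_hash`, editing or dropping any earlier receipt breaks every later link, so the hive detects tampering without ever seeing what the receipts were about.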