Skip to content
Privacy & retention

Your story is not
our property.

What we keep, for how long, and how it disappears.

UMI exists so neighbours can help neighbours — not so anyone can build a file on the poor. The board runs on consent, not surveillance: you choose what to share, and what you share has an expiry date.

Sensitive personal details are stored encrypted, one key per record. When a record's time is up, we destroy its key — a practice called crypto-shred. A record without its key is permanent gibberish, to us and to anyone else, forever. Deletion here is not a promise to look away; it is a lock with no key left in the world.

The schedule

What Kept Then
"On behalf of" names on fulfilled or expired requests 12 months crypto-shredded automatically
Casework notes (closed cases) seven years crypto-shredded automatically; a revoked consent freezes the case immediately
Contact details exchanged across communities until fulfilled + 72 hours crypto-shredded automatically, on both sides
Backups 30 days aged out — after that, a shred is absolute even against restores
The audit trail (who did what, never the content) kept contains no personal details by design; IP addresses are stored only as salted hashes

If you ask us to erase you

Ask your coordinator, or write to us. Within 30 days your encrypted records are crypto-shredded and your account is deactivated. Once the last backup ages out, nothing anywhere can bring the content back.

What we never do

We do not sell data. We do not advertise. We do not profile. Contact details are revealed only to the person you agreed to be connected with, only after you both said yes — and every disclosure is recorded in the audit trail. The poor are not a market.