Safety & Privacy

1

Platform floor — non-negotiable

Illegal content, sexually explicit material, and content harmful to minors is blocked at the platform level. This layer is always on and cannot be modified or loosened by any administrator.

2

Library policy layer — configurable upward only

Each library can add restrictions on top of the platform floor via the admin panel — for example, restricting topics to library-relevant subjects. Libraries cannot remove or weaken floor-level protections.

3

Real-time AI moderation — automated per session

Every patron session is screened in real time using OpenAI Omni Moderation, running alongside the Claude conversational model. This layer catches issues that emerge dynamically during a conversation.

CIPA considerations

The platform floor is designed to align with CIPA requirements for filtering technology used in libraries that receive E-rate funding. We recommend consulting your local legal counsel to confirm compliance in your jurisdiction.

We are happy to participate in those conversations. Reach out to include us.

When something gets blocked

✅ Patron sees a friendly, non-punitive message routing them to a librarian
✅ Admin dashboard shows aggregate blocked counts by category
🚫 No individual blocked queries are visible to staff
🚫 No individual blocked queries are visible to PLAID3 admins

💨

Ephemeral sessions

No conversation history is stored anywhere. When a patron closes the tab, the session is gone — not archived, not recoverable, not accessible by staff or by PLAID3.

🔑

Access code handling

Codes are validated and forgotten. The system checks whether a code is valid, returns the result, and that's it. No card numbers, no PINs, no personal identifiers are retained.

📊

Dashboard data

Admin analytics show aggregate statistics only — session counts, topic categories, moderation event counts. No individual session logs are visible to anyone, inside or outside the library.

👤

No patron accounts

No email address. No signup. No patron profile. Patrons are not identifiable in any system because we never collect identifying information in the first place.

✗
No surveillance of individual sessions. We have no mechanism to watch or replay a specific patron's conversation — by design.
✗
No logging of specific queries. The system processes queries in real time. Nothing is written to a query log.
✗
No access to conversation content — by anyone, ever. Not by library staff. Not by PLAID3 employees. Not by our AI providers (subject to their API terms).
✗
No sale or sharing of usage data. Aggregate analytics belong to the library and are not shared with third parties for any purpose.

Infrastructure

How it's built

Encryption in transit: All communication between patron devices, the platform, and our AI providers uses TLS.
Encryption at rest: Stored data (access codes, aggregate analytics, library configuration) is encrypted at rest.
Hosting: Infrastructure details available on request for security review.
Retention: Aggregate analytics are retained while a library account is active. Access codes are purged on expiration or deactivation.

Compliance

Frameworks & principles

COPPA: No data is collected from any user, including those under 13, so there is nothing to comply with — and nothing to breach.
ALA privacy principles: The platform design reflects the American Library Association's privacy principles: collect minimally, retain briefly, protect rigorously.
CIPA: The moderation floor is designed to align with CIPA filtering requirements. Confirm applicability with local counsel.
Third-party audits: We will share audit and certification details as they become available.

Three layers of protection — always on