Trust starts with source separation: Sofia/Mark, Memory and Guardian stay on the user-owned support track; Wellness and Oracle read aggregate company models only after the 10+ anonymity floor; Recruitment stays an HR review record.
Privacy boundary
Private support stays inside the account.
The boundary is concrete: Sofia/Mark chats, saved Memory context, and Guardian routing stay in the person's account. Workplace tools use their own scoped records instead of reading the support thread.
01
Account-owned support
Sofia, Mark, Memory and Guardian stay with the person.
A private thread can remember chosen context without becoming a manager, reseller or ordinary admin view.
No employer chat access
Memory stays in the account
Guardian stays a safety route
02
Separate product surfaces
Workplace tools start from their own records.
Wellness, reports, exports and Executive Oracle can only use workplace-scoped data paths. They do not query Sofia/Mark chat text.
Scoped workplace records
No raw private text
No recruiting input from support
03
Human review boundary
People and Recruitment stay operational, not psychological.
People, Calendar and staged Recruitment can organize records for human review without turning private support into a profile or hiring signal.
No person-level wellness scoring
No raw private conversations in reports
No automated hiring decisions
Employers do not receive raw Sofia/Mark conversation text. No employer-facing raw Sofia/Mark conversations, memories, Guardian details, or person-level wellness scoring.
Wellness, reports and Oracle must use separate scoped workplace records, not private support content, and stay blocked when the privacy floor fails.
Non-owner raw access stays behind the documented, audited security-root break-glass path.
Trust pillars
Pillar
User-owned support track
Sofia/Mark conversations, Memory and Guardian context stay outside employer dashboards, Oracle, reports and Recruitment. Non-owner raw access follows the documented security-root break-glass path.
Pillar
10+ aggregate floor
Wellness Dashboard, Executive Oracle, reports and exports can answer company questions only after the 10+ anonymity floor passes; thin cohorts return no company view.
Pillar
Separated HR records
People and Calendar use operational workspace records. Recruitment/Leviathan can organize candidate evidence for HR review, but it cannot use private support or Wellness input.
Pillar
Policy-backed claims
Privacy, Data Safety, Cookie Policy, Terms and Safeguarding pages carry the formal wording. The trust page does not add audit, certification or guarantee claims.
Visible release checks
Visible release checks
This is a public boundary checklist, not a legal policy. Formal privacy, DPA, subprocessor and safety wording stays on the linked policy pages.
✓No employer, reseller or recruiter gets raw Sofia/Mark chats, Memory content or Guardian details.
✓No Wellness or Oracle company output appears below the 10+ anonymity floor.
✓No Recruitment/Leviathan workflow can use Wellness or private support data for hiring.
✓No public trust claim names an audit, certification, guarantee or customer traction without a current legal/security source.
Need formal policy wording?
Use Privacy Policy, Data Safety, Terms, Cookie Policy and Safeguarding for formal wording. Contact Synphoria for DPA or subprocessor scope.