Your story is not
our property.
What we keep, for how long, and how it disappears.
UMI exists so neighbours can help neighbours — not so anyone can build a file on the poor. The board runs on consent, not surveillance: you choose what to share, and what you share has an expiry date.
Sensitive personal details are stored encrypted, one key per record. When a record's time is up, we destroy its key — a practice called crypto-shred. A record without its key is permanent gibberish, to us and to anyone else, forever. Deletion here is not a promise to look away; it is a lock with no key left in the world.
The schedule
| What | Kept | Then |
|---|---|---|
| "On behalf of" names on fulfilled or expired requests | 12 months | crypto-shredded automatically |
| Casework notes (closed cases) | seven years | crypto-shredded automatically; a revoked consent freezes the case immediately |
| Contact details exchanged across communities | until fulfilled + 72 hours | crypto-shredded automatically, on both sides |
| Backups | 30 days | aged out — after that, a shred is absolute even against restores |
| The audit trail (who did what, never the content) | kept | contains no personal details by design; IP addresses are stored only as salted hashes |
If you ask us to erase you
Ask your coordinator, or write to us. Within 30 days your encrypted records are crypto-shredded and your account is deactivated. Once the last backup ages out, nothing anywhere can bring the content back.
What we never do
We do not sell data. We do not advertise. We do not profile. Contact details are revealed only to the person you agreed to be connected with, only after you both said yes — and every disclosure is recorded in the audit trail. The poor are not a market.