Privacy
Architecture, not promises.
FatigueIQ does not rely on policies or admin toggles to protect member data. Privacy is enforced in the database. Leadership cannot access individual health data because the system rejects the query before it executes.
Three commitments.
Architecture over policy
Policies can be amended. Admin toggles can be flipped. Database-level enforcement cannot be bypassed with a button click. We chose the harder path because it’s the only one that earns trust.
Separated surfaces
The responder view and ops dashboard are not the same query with different filters. They are architecturally separate data surfaces. The ops surface physically cannot return individual health rows.
Consent as product feature
Participation is voluntary. Members see exactly what is shared and what isn’t. Consent is timestamped. Withdrawal deletes data within 30 days. No ambiguity.
Who sees what.
This is not a permissions table an admin can edit. It is enforced by row-level security in the database. Changing these boundaries requires deploying new code.
| Data Type | Member | Wellness Lead | Dept Admin |
|---|---|---|---|
| Own FRI score and trend | | | |
| Own HRV and heart rate data | | | |
| Own sleep logs and metrics | | | |
| Own check-in responses | | | |
| Own raw wearable data | | | |
| Aggregate FRI by shift/station | | | |
| Coverage % (participation) | | | |
| Alert queue (sustained concern) | | | |
| Crew-level trend reports | | | |
| Any individual's health data | | | |
The last row is intentional. No role has direct access to another member's health data through the application.
How it's enforced.
Row-Level Security
Every table has RLS policies restricting row access by user. A dept_admin querying daily_readings gets zero rows — the policy rejects the query before it executes. PostgreSQL-native enforcement, not application-level filtering.
Separated Data Surfaces
The responder view and ops dashboard query different tables with different RLS policies. Architecturally separate, not filtered versions of the same view.
SECURITY DEFINER Functions
Aggregate views use PostgreSQL functions that compute averages internally. The function reads individual rows but returns only aggregate output. The caller never touches raw data.
Append-Only Audit Trail
Every leadership data access is logged to an immutable audit table that cannot be updated or deleted, only appended to. Tamper-resistant by design.
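The three mechanisms in this section, sketched as a constructed PostgreSQL example added here (this is not FatigueIQ's own schema): daily_readings and dept_admin are named on the page; every other table, column, role name and the minimum-group threshold are assumptions.

```sql
-- Constructed illustration of the three mechanisms above (not FatigueIQ's own schema).
-- daily_readings and dept_admin are named on the page; all other names are assumptions.
CREATE ROLE member NOLOGIN;
CREATE ROLE dept_admin NOLOGIN;

CREATE TABLE daily_readings (
    id          bigserial   PRIMARY KEY,
    member_id   uuid        NOT NULL,   -- assumed to match the app's member id setting
    shift_id    text        NOT NULL,
    fri_score   numeric     NOT NULL,
    hrv_ms      numeric     NOT NULL,
    recorded_at timestamptz NOT NULL DEFAULT now()
);
GRANT SELECT ON daily_readings TO member, dept_admin;

-- 1. Row-Level Security: the only policy lets a member read their own rows.
--    dept_admin has no policy, so its SELECT returns zero rows.
ALTER TABLE daily_readings ENABLE ROW LEVEL SECURITY;
CREATE POLICY member_reads_own ON daily_readings FOR SELECT TO member
    USING (member_id = current_setting('app.member_id', true)::uuid);

-- 2. Append-only audit trail: inserts allowed, changes blocked twice over.
CREATE TABLE leadership_access_log (
    id        bigserial   PRIMARY KEY,
    actor     text        NOT NULL,
    action    text        NOT NULL,
    logged_at timestamptz NOT NULL DEFAULT now()
);
REVOKE UPDATE, DELETE, TRUNCATE ON leadership_access_log FROM PUBLIC;
CREATE FUNCTION block_audit_changes() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN RAISE EXCEPTION 'leadership_access_log is append-only'; END $$;
CREATE TRIGGER audit_append_only
    BEFORE UPDATE OR DELETE OR TRUNCATE ON leadership_access_log
    FOR EACH STATEMENT EXECUTE FUNCTION block_audit_changes();

-- 3. SECURITY DEFINER aggregate: runs as the table owner (not subject to RLS),
--    logs the session's login role, and returns only per-shift averages, never raw rows.
CREATE FUNCTION aggregate_fri_by_shift(since timestamptz)
RETURNS TABLE (shift_id text, avg_fri numeric, readings bigint)
LANGUAGE sql SECURITY DEFINER SET search_path = public AS $$
    INSERT INTO leadership_access_log (actor, action)
        VALUES (session_user, 'aggregate_fri_by_shift');
    SELECT shift_id, round(avg(fri_score), 1), count(*)
    FROM daily_readings
    WHERE recorded_at >= since
    GROUP BY shift_id
    HAVING count(*) >= 5;   -- assumed floor so a tiny shift cannot identify one member
$$;
REVOKE ALL ON FUNCTION aggregate_fri_by_shift(timestamptz) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION aggregate_fri_by_shift(timestamptz) TO dept_admin;
```

With these objects in place, a session running as dept_admin gets no rows from SELECT on daily_readings but can call aggregate_fri_by_shift(), and each such call leaves an audit row that no role can later alter.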
Consent is real.
During onboarding, members see exactly what data is collected, what leadership can and cannot see, and what withdrawal looks like. No ambiguity. No buried clauses.
What data is collected?
HRV, heart rate, sleep metrics from your wearable. Restedness, energy, and alertness from daily check-ins.
Can I see what leadership sees?
Leadership sees nothing about you individually. Only aggregate crew-level data. Your data is visible only to you.
Can I withdraw?
Yes. Any time. Disconnect your device and your data is deleted within 30 days. No questions.
Is this mandatory?
No. Voluntary enrollment only. Departments invite, members choose.
Built to survive union scrutiny.
Privacy enforcement through database-level security is something a union can verify, not just something a vendor promises.