Pocket Socrates: Privacy

Identity firewall · PII detection · encrypted storage · anonymous analytics · right to erasure

Full Architecture →

Sign-in and billing are handled by external providers. Neither has access to your conversations or your Mind Map. An AWS-hosted service sits between them and Pocket Socrates, converting your account identity into a random pseudonym before anything reaches the app. Your credentials and your content never share the same system.

External Services — not part of the Pocket Socrates platform
Auth provider
Clerk
Handles sign-in, sessions, and MFA. Pocket Socrates receives a session token, passes it to the Bridge, and receives back only a pseudonym. The Clerk identity is never written to our database.
JWT · userId · session only
Billing provider
Stripe
Manages subscriptions and payments. Stripe's customer ID exists in an isolated mapping table with no path to the application layer. No billing data flows into your reflection data.
customerId · subscription tier only
AWS Lambda · Isolated AWS account
Bridge: Identity Resolution Service
On first sign-in, the Bridge generates a cryptographically random UUID as your pseudoId. It is not derived or computed from any external identifier — it is looked up, never calculated. The three-way mapping (pseudoId ↔ Clerk userId ↔ Stripe customerId) is written to DynamoDB and never leaves the Bridge. Only the pseudoId is returned to the app.
crypto.randomUUID() · AWS us-east-1
AWS DynamoDB · KMS encrypted at rest
Three-Way Identity Mapping Table
Stores the pseudoId ↔ Clerk ↔ Stripe mapping. Accessible only to the Bridge Lambda — no IAM path from the application layer. Encrypted at rest via AWS KMS. On account deletion, the entry is nulled, severing both links permanently.
AES-256 · CMK · isolated account
pseudoId only crosses into the app layer. No real identity passes this boundary.

Every message is scanned before it reaches Soc. When personally identifying information is detected, the app pauses and gives you control over what gets stored. A second silent pass runs before any artifact is written to the database.

Real-time scan · every message
Pocket Soc: PII Detection Layer
Pocket Socrates scans each message before it reaches Soc's context window. Detects: person names, locations, dates, phone numbers, email addresses, medical information, religious and political identifiers, government IDs. Returns structured output with flagged excerpts and entity types.
structured JSON output · claude-haiku-4-5
In-app · User-facing
Context Card
When PII is flagged, an inline privacy card appears in the conversation before anything is saved. You write the abstraction in your own words. "My sister" instead of her name. "A difficult relationship" instead of specifics. What you write is what enters your Mind Map — not the raw detail. Soc suggests an alternative if requested.
user-authored first · Soc-suggested fallback
Pre-write · Silent · All artifact surfaces
Pocket Soc sanitizeForWrite: Secondary Scan
A second pass fires silently before every write to Records, Roots, Echoes, and Context Documents. Catches any PII that survived conversational abstraction. Auto-abstracts without surfacing a Context Card — this is a backend guard, not a user interaction.
sanitizeForWrite · piiGateway.ts

Everything written to our database is AES-256-GCM encrypted at the field level and keyed only to your pseudonym. The application has no column that links your content to who you are.

Convex DB · pseudoId-keyed only
threads · messages
Conversation history, encrypted at the field level. Solo Thread messages are not persisted to storage at all.
AES-256-GCM field-level
Convex DB · pseudoId-keyed only
records · roots · echoes
Completed Thread outputs and persistent memory artifacts. PII-free guaranteed: both the real-time scan and the silent backend pass are enforced before any write.
AES-256-GCM field-level
Convex DB · pseudoId-keyed only
abstractions · piiAbstractionLog
User-authored abstractions from Context Cards, encrypted at field level. The audit log records entity type and resolution — never the raw PII itself.
AES-256-GCM field-level

A scheduled pipeline runs entirely outside the application layer. Its input is your encrypted pseudonymous Convex data. Its output is a PostgreSQL analytics store with no individual-level identifiability. This data is used to improve Pocket Socrates, such as when users submit feedback on Soc's responses.

ETL trigger · scheduled
Fetch & Decrypt
Authenticated batch export from Convex. AES-256-GCM decrypted inside the pipeline. Plaintext never leaves the pipeline boundary.
Microsoft Presidio · NLP
Presidio Scrub
Detects and replaces remaining PII entities with type labels: <PERSON>, <LOCATION>, <DATE>. A second independent scrub pass on top of the in-app detection.
Salt re-anonymization · monthly rotation
anonId Generation
Every ID is re-anonymized: SHA-256(salt + pseudoId). Salt rotates monthly — monthly datasets cannot be cross-joined. Analytics and app databases cannot be linked even if both were compromised simultaneously.
Content reduction · structural only
Data Minimization
Thread rows store structural metadata only. Message rows store word count, Presidio-cleaned text, and entity types found. No excerpts. No identifying context.
PostgreSQL · analytics store
Anonymized Output
No real identity. No pseudoId. No raw content. All IDs are salted one-way hashes. User feedback passes through the same pipeline — never reviewed using raw data.
no identity · no pseudoId · anonId only

Request deletion from Account Settings at any time. You can also export everything you have built as a complete JSON file whenever you want it.

Trigger
Deletion Request
Initiated from Account Settings. Deletion timestamp written. Account access immediately suspended.
Grace period
30-Day Hold
Data intact but inaccessible. Cancel at any time to restore full access. Deletion timestamp is reset to null.
Convex cron · daily
processPendingDeletions
Identifies accounts past the 30-day threshold. Executes cascading wipe. Calls Bridge to null the DynamoDB mapping entry.
threads · messagesfull delete
records · roots · echoesfull delete
contexts · xpEventsfull delete
abstractions · piiLogfull delete
Bridge mapping entrynulled · KMS
users rowtombstoned

Pocket Socrates · Privacy · 2026

Full Architecture → Home Pricing How It Works