# How Terriqon Protects Beneficiary Privacy in AI Reports

> Terriqon strips PII before AI processing. Learn what the pipeline removes, how redaction is logged, and your responsibilities as Data Controller.

Field programmes routinely collect data that touches on the lives of real people — names, locations, case histories, biometric identifiers. When that data is used to generate AI-powered programme reports, there is a real risk that personal details could be absorbed into model inputs, outputs, or logs. Terriqon addresses this directly: before any submission data is passed to AI processing, an automated PII stripping pipeline runs and removes personal identifiers. The AI only ever sees aggregated, sanitised metrics — never raw personal data. This page explains what the pipeline removes, how the redaction is recorded, and what you need to do on your end to make the system work correctly.

## What the Pipeline Removes

The pipeline applies four layers of removal in sequence:

1. **Sensitivity-tagged fields:** Any form field that your team has tagged with a sensitivity classification of `personally identifiable` or `restricted` is excluded from the AI processing payload entirely, regardless of the field type or its content at the time of submission.

2. **GPS coordinates and precise geolocation (always stripped):** All GPS coordinates and any other precise geolocation data are stripped unconditionally. This applies even if the field carrying location data is not tagged — geolocation is treated as inherently personal and is never passed to AI processing.

3. **Structural field types that carry personal identifiers:** The following field types are excluded by default, regardless of tagging, because they structurally carry personal data:
   * Free text / open-ended notes
   * Name fields
   * Phone number fields
   * Device and subscriber IDs
   * Case IDs and reference identifiers
   * File uploads (images, documents, audio)
   * Audio recordings
   * Signature fields

4. **Pattern-detected identifiers in structured fields:** The pipeline runs pattern-matching against structured field values to detect:

   * National identification numbers
   * Passport numbers
   * Bank account numbers
   * Payment card numbers

   Any field value matching a known pattern is excluded, even if the field itself is not tagged as sensitive.

## The Redaction Manifest

Every time the PII stripping pipeline runs against a batch of submissions, it records a **redaction manifest** — a structured log entry documenting which fields were excluded, the reason for each exclusion (sensitivity tag, field type, or pattern match), and the timestamp of the operation. The manifest is retained permanently in your organisation's audit log. You can use it to demonstrate to data protection authorities, programme auditors, or beneficiary representatives that personal data was not passed to AI processing.
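The four layers and the manifest described above, as an added sketch; this is not Terriqon's code. The tag strings come from this page, while the field-type labels, record layout, function names and the `geolocation` reason label are assumptions, and pattern detection is narrowed to payment card numbers via the Luhn checksum.

```python
import re
from datetime import datetime, timezone

# Tag strings are from the page; type labels and record layout are assumed.
SENSITIVE_TAGS = {"personally identifiable", "restricted"}
GEO_TYPES = {"gps", "geopoint"}
STRUCTURAL_TYPES = {"free_text", "name", "phone", "device_id", "case_id",
                    "file_upload", "audio", "signature"}

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def looks_like_card(value):
    digits = re.sub(r"[ -]", "", str(value))
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)

# Layers in the order the page lists them; the first match decides the reason.
LAYERS = [
    ("sensitivity tag", lambda f: f.get("tag") in SENSITIVE_TAGS),
    ("geolocation", lambda f: f["type"] in GEO_TYPES),  # reason label assumed
    ("field type", lambda f: f["type"] in STRUCTURAL_TYPES),
    ("pattern match", lambda f: looks_like_card(f["value"])),
]

def strip_submission(fields):
    """Return (sanitised fields, manifest) for one submission."""
    sanitised, excluded = {}, []
    for f in fields:
        reason = next((r for r, hit in LAYERS if hit(f)), None)
        if reason is None:
            sanitised[f["name"]] = f["value"]
        else:  # record the field name and reason only, never the value
            excluded.append({"field": f["name"], "reason": reason})
    return sanitised, {"timestamp": datetime.now(timezone.utc).isoformat(),
                       "excluded": excluded}

# Constructed sample submission; 4111 1111 1111 1111 is a standard test card number.
SAMPLE = [
    {"name": "household_head", "type": "text", "tag": "personally identifiable", "value": "A. Example"},
    {"name": "plot_location", "type": "gps", "tag": None, "value": "0.0000,0.0000"},
    {"name": "officer_notes", "type": "free_text", "tag": None, "value": "visited twice"},
    {"name": "payout_ref", "type": "text", "tag": None, "value": "4111 1111 1111 1111"},
    {"name": "crop_yield_kg", "type": "number", "tag": None, "value": 412},
]
```

Running `strip_submission(SAMPLE)` leaves only `crop_yield_kg` in the sanitised output; the untagged `payout_ref` field is caught solely by the checksum layer, which is the accidental-entry case the pattern detection is meant for.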

## What the AI Sees

After the pipeline runs, the AI receives only aggregated, anonymised metrics derived from the sanitised data. For example:

> *"127 submissions recorded crop yield above threshold in Region X during the reporting period."*

The AI does not receive — and has no access to — raw submission records, individual names, GPS points, case identifiers, file contents, or any other personal data. AI-generated reports reflect programme-level patterns and outcomes, not individual-level records.

<Info>
  Even after PII stripping, every AI-generated report must be reviewed and approved by a named manager before it can be downloaded or shared. The AI output is never automatically published. See [Human Approval of AI Reports](/security/data-protection) for details.
</Info>

## Your Responsibilities

The PII stripping pipeline is a technical safeguard, but it depends on correct form configuration. As the organisation deploying Terriqon, you are the **Data Controller** for your field data; Terriqon acts as the **Data Processor** on your instructions. This means:

* **Tag sensitive fields before deployment.** Any field that will collect personally identifiable information must be tagged with the `personally identifiable` or `restricted` sensitivity classification in the Form Builder before the form is published to the field.
* **Do not place personal data in fields not designed to carry it.** For example, do not instruct field officers to record beneficiary names in a free-text "Notes" field that is not tagged as sensitive. Pattern detection is a safeguard for accidental data entry, not a catch-all for deliberate misuse of fields.
* **Review your form configuration before each deployment.** If you modify a form, re-check that all sensitive fields retain their sensitivity tags.
* **Understand that retroactive re-tagging has no effect on already-submitted data.** If a field was untagged at the time of submission, the data submitted through it was processed without the tag. Re-tagging the field going forward only affects future submissions.

<Warning>
  Always tag personally identifiable fields **before** deploying a form to the field. Retroactive re-tagging does not re-process already-submitted data.
</Warning>

<Tip>
  After form creation, use the **Form Preview** to review which fields are tagged as sensitive. Any untagged field that will contain personal data is a configuration risk — fix it before publishing.
</Tip>

## Limitations

Terriqon is transparent about what the pipeline can and cannot guarantee:

* **The pipeline is a significant safeguard, not a 100% guarantee.** It catches tagged fields, known structural types, and recognised patterns. It cannot catch creative misuse of fields, novel identifier formats, or personal data embedded in ways that do not match any pattern.
* **Low-confidence or anomalous data is routed to human review,** not auto-generated into a report. The system will not publish a report it is not confident in; a human must review and approve before anything is shareable.
* **AI Reports require human approval before use.** No AI-generated report can be downloaded or shared without a named manager explicitly approving it. Rejection requires a written reason, and the full approval and rejection trail is recorded permanently in the audit log.

Your organisation bears ultimate responsibility for ensuring that field data collection practices comply with applicable privacy law. Terriqon's pipeline reduces your risk; it does not transfer your legal obligations.
