Privacy & Data
What we collect, what we don't, and where it stays.
The summary: on-device where possible, opt-in where consent matters, scene-aware over identity-dependent, hardware-enforced privacy where software promises are not enough, transparent by default. The full posture is twelve principles below, all enforceable by audit. The Golden Rule applies to bytes.
The twelve principles
- Love of neighbor includes protection of their data.
  Every product begins with: what happens to the data this collects, and does that match what the neighbor would consent to if asked clearly? If the honest answer is 'they would not consent,' the design is wrong. The Golden Rule applies to bytes.
- On-device computation is the default.
  When a product can run on hardware in the home, it does. Data stays where it was generated. Cloud computation is a choice that requires an affirmative reason.
- The data path is the message.
  Where privacy matters most (Greeter, Watchman, anything that sees or hears visitors), raw sensor data physically cannot reach the network. Edge silicon does the perception; only a sanitized outcome is available to downstream systems. A circuit, not a software promise.
- Identity is opt-in at three layers.
  Any product that recognizes individuals requires household opt-in (default off), added-person opt-in by the household, and the added person's own consent. We apply all three even where no law currently requires them.
- Scene awareness does not require identity.
  Most of what the Greeter and Watchman need to know — a person with a package, someone lingering, a group of children — does not require knowing who. Scene-level perception is the main event; identity is a small optional convenience layer.
- Nothing coerces the listener.
  Any product that speaks to a visitor has a graceful opt-out — a skip, a 'just delivering' path, a short primary message with optional expansion only if invited. Forcing people to listen is not witness.
- Excellence of craft is a form of worship.
  Hardware looks beautiful. Voices are recorded by humans with real skill. Visual design is tasteful. Speakers do not crackle. Wood is real wood. Sloppy execution of a sacred thing reads as not taking it seriously.
- Transparency is a default.
  Every product ships with a public page that plainly describes: sensors, computation, storage and duration, network behavior, off-switches, and where applicable the FPGA bitstream hash and firmware version. Written for humans.
- The community is the first and most honest test.
  Every product is deployed in Hallelujah Hills itself before shipping to anyone else. If residents, kids, or visitors find it invasive, annoying, or off-tone, it does not leave the community.
- AI generates, humans steward.
  Generative products carry a pastor-reviewed system prompt, a library of golden examples, a weekly human review queue of generated output, and an explicit refusal set. AI does the volume; humans carry the responsibility.
- When generative would risk crossing a line, we use retrieval.
  The Prophet reads only Scripture itself, verbatim. We are willing to ship less capable products in exchange for products that cannot misrepresent God.
- Custom silicon is a tool, not a bragging right.
  We use FPGAs and custom edge hardware where they actually solve a design problem (hardware-enforced data paths, low-power always-on sensing). We do not use them because they sound impressive.
The architecture
Almost every product in the catalog follows the same data path. The arrows go in one direction. Raw sensor data does not leave the home.
What we will not do
- We will not build products whose business model depends on data retention.
- We will not build products that require the visitor to listen.
- We will not build surveillance dressed as hospitality.
- We will not let generative AI speak on God's behalf without the retrieval anchor.
- We will not ship anything whose privacy story we are unwilling to put on a sign at the community entrance.
What we welcome
- Third-party audits of the privacy posture.
- Published bitstream hashes and firmware versions.
- Open-sourcing components that do not compromise the products' economics.
- Guest pastors and theologians reviewing AI output.
- Critics who point out when we are falling short of the posture.
Data requests & contact
To request a copy of any data we hold about you, to ask a question about how a specific product works, to request deletion of your data, or to ask anything else about our privacy posture:
We aim to respond within five business days. If you are reporting a security issue, please use the same address with the subject line beginning [security]; we will triage immediately.
Cookies and the website itself
This website (hallelujah-hills.us) tries to collect as little as possible:
- No third-party advertising trackers.
- No third-party analytics that send personally-identifying data off our servers.
- A single first-party cookie may be used to remember session preferences (font choice, reading mode, dismissed notices). It contains no identifying information and expires when the browser session ends.
- Authenticated portal and admin areas use first-party session cookies that are HttpOnly and Secure; these end when you log out or 30 days after creation.
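The cookie posture above is the kind of claim a third-party audit can check mechanically. The following is an added example, not code from the site, that parses Set-Cookie header values and reports every deviation from the stated rules; the cookie names hh_prefs and hh_session are assumptions, since the page does not name its cookies.

```python
# Audit Set-Cookie headers against the cookie posture stated on this page.
# Cookie names below are hypothetical assumptions, not taken from the site.
THIRTY_DAYS = 30 * 24 * 60 * 60
PREFERENCE_COOKIE = "hh_prefs"   # assumed name of the preferences cookie
SESSION_COOKIE = "hh_session"    # assumed name of portal/admin session cookies


def parse_set_cookie(header):
    """Return (name, value, attrs); attrs maps lower-cased attribute names to
    their value, or True for flag attributes such as HttpOnly and Secure."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, sep, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return the list of policy violations for one Set-Cookie header value."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if name == PREFERENCE_COOKIE:
        # Promised as a session cookie: it must die with the browser session.
        if "expires" in attrs or "max-age" in attrs:
            findings.append("preference cookie must not persist beyond the session")
    elif name == SESSION_COOKIE:
        # Authenticated areas: HttpOnly and Secure, and gone within 30 days.
        if attrs.get("httponly") is not True:
            findings.append("session cookie missing HttpOnly")
        if attrs.get("secure") is not True:
            findings.append("session cookie missing Secure")
        max_age = attrs.get("max-age")
        if not isinstance(max_age, str) or not max_age.isdigit():
            findings.append("session cookie needs a numeric Max-Age bound")
        elif int(max_age) > THIRTY_DAYS:
            findings.append("session cookie Max-Age exceeds 30 days")
    else:
        # Not declared on this page: surface it for review.
        findings.append(f"undeclared cookie {name!r}")
    return findings


def audit_response(set_cookie_headers):
    """Pair every Set-Cookie header's cookie name with its findings."""
    return [(parse_set_cookie(h)[0], audit_set_cookie(h)) for h in set_cookie_headers]
```

Feed audit_response the Set-Cookie headers of a real response; an empty findings list for every cookie means the response matches the posture described above.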
Hosting is on Cloudflare. Logs at the edge are retained for short windows for abuse prevention and operational debugging, then discarded.