Privacy architecture

Your data belongs to you.

OHPAH is architecturally designed so individual records never reach department leadership or insurance. You own your record. Leadership sees aggregate data only. This is not a policy. It is how the system is built.

The guarantees

Four boundaries that don’t move.

  • Your records never reach leadership.

    No supervisor, chief, or officer can open your individual record. Leadership only ever receives department-level aggregates — never a name, never a number tied to you.

  • Your records never reach insurance.

    Your Fire Exposure Score, Sleep Debt Index, biometrics, and call history are not shared with insurers. Your record is yours to bring forward if and when you choose to.

  • Leadership sees aggregate data only.

    Department views are limited to grouped trends held to a minimum cohort size, so no individual can be reverse-engineered out of an aggregate.

  • You own your record.

    It follows the firefighter, not the department. You can carry it across stations and across a career — because it was always yours.

Why it holds

Architecture, not policy.

A privacy policy is a promise — and a promise can be rewritten. OHPAH does not ask you to trust a promise. Individual records live behind a boundary that leadership and insurance systems simply cannot reach into; the only thing that ever crosses it is an aggregate.

That means the guarantee doesn’t depend on who is running the department, what a future policy says, or whether anyone remembers to keep their word. The data can’t flow where it isn’t built to flow. Restraint is the design.