Problem: Fleet-wide analytics already aggregates anonymized signals from every registered self-host instance into shared statistics — intentional and not a current leak, but the ingest path already accepts every instance's data into one shared table, and this deserves a fresh privacy review before it ever needs to carry more customer-identifiable detail in a hosted model.
Area: ORB / Privacy
Proposal: Review the current anonymization approach and document explicitly what would and wouldn't be safe to add to this pipeline under a hosted, per-customer model.
Deliverables:
- A written privacy review with a clear yes/no per category of potential future data.
AMS Cloud Readiness cross-reference (added 2026-07-12)
See also #5219 in the new AMS Cloud Readiness milestone (#28) — the AMS-side parallel to this exact problem, already citing this issue as precedent. Keep both sides in sync if either design changes.
Problem: Fleet-wide analytics already aggregates anonymized signals from every registered self-host instance into shared statistics — intentional and not a current leak, but the ingest path already accepts every instance's data into one shared table, and this deserves a fresh privacy review before it ever needs to carry more customer-identifiable detail in a hosted model.
Area: ORB / Privacy
Proposal: Review the current anonymization approach and document explicitly what would and wouldn't be safe to add to this pipeline under a hosted, per-customer model.
Deliverables:
AMS Cloud Readiness cross-reference (added 2026-07-12)
See also #5219 in the new AMS Cloud Readiness milestone (#28) — the AMS-side parallel to this exact problem, already citing this issue as precedent. Keep both sides in sync if either design changes.