Privacy

Private delivery evidence, governed use.

DropScore is designed to minimize sensitive data exposure while helping last-mile operators understand verified delivery friction.

  • Minimize raw identifiers
  • Tenant isolation by default
  • Redacted learning scopes

Collected

Operational evidence only

DropScore collects operational delivery events such as arrival, contact attempts, failed access, completion status, package context, tenant metadata, and approved action outcomes.

  • DropScore should not require driver-worn cameras for the core product.
  • Customer, driver, address, and tenant identifiers should be scoped, hashed, minimized, or redacted wherever possible.
  • LLM assistance must use governed evidence packets, not raw operational records.

Protected

No raw cross-tenant pooling

Raw customer details, driver details, exact coordinates, arbitrary free text, tenant secrets, private notes, photos, and tenant-identifying data are not appropriate for cross-tenant learning.

Cross-tenant learning is off by default and should require explicit tenant opt-in with privacy-preserving scopes such as aggregated features or redacted examples.

Controlled

Reviewable retention and access

Production deployments should include tenant-specific retention, deletion/export workflows, access logs, managed secrets, and reviewable audit history for prompt, approval, publishing, and integration events.

Bounded

LLM evidence packets

LLMs should receive only redacted, source-cited evidence packets and approved prompts. They should not read raw delivery stores or make automated employment, safety, or customer-impact decisions.

Boundary

This page is product guidance for pilots and should be reviewed by counsel before production use.
