Privacy & compliance
Privacy by design
Also known as: Privacy by Design, PbD
The principle that privacy protection is engineered into a system from the start — not bolted on. GDPR Article 25 codifies it as 'data protection by design and by default.'
Privacy by Design (PbD) is the engineering philosophy that privacy protections should be engineered into a system from the start — not added as an afterthought or enabled optionally. It was codified by the Ontario Information and Privacy Commissioner in the 1990s, then picked up by the International Standards Organization (ISO/IEC 29100, 29134), and ultimately enshrined in GDPR Article 25 as "data protection by design and by default."
The seven PbD principles include: proactive not reactive, privacy as the default setting, privacy embedded into design, full functionality (not a zero-sum trade-off), end-to-end security, visibility and transparency, and respect for user privacy.
LearnCoin's GDPR-aware schema (pseudonymous on-chain, PII off-chain, tenant-scoped RLS) is the PbD architectural pattern. Privacy isn't a toggle tenants can turn off; it's the only way the system operates. The default setting is the privacy-preserving setting.
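A minimal PostgreSQL sketch of the pattern named above (pseudonymous on-chain reference, PII held off-chain, tenant-scoped RLS that is on by default), added here as an illustration and not LearnCoin's actual schema. Every table, column, policy and setting name is an assumption, and the tenant UUID is a constructed sample value.

```sql
-- Hypothetical schema; PostgreSQL 13+ (gen_random_uuid() is built in).

-- Off-chain PII: the only place a real identity is stored.
CREATE TABLE learner_pii (
    tenant_id  uuid NOT NULL,
    pseudonym  uuid NOT NULL DEFAULT gen_random_uuid(),  -- random, not derived from PII
    full_name  text NOT NULL,
    email      text NOT NULL,
    PRIMARY KEY (tenant_id, pseudonym)
);

-- Local mirror of what goes on-chain: pseudonym only, no PII columns.
-- Deliberately no foreign key to learner_pii, so deleting the PII row
-- removes the only pseudonym-to-person mapping in this schema.
CREATE TABLE chain_record (
    tenant_id  uuid NOT NULL,
    pseudonym  uuid NOT NULL,
    tx_hash    text NOT NULL,
    PRIMARY KEY (tenant_id, tx_hash)
);

-- Privacy as the default: RLS is enabled and forced, so it also applies
-- to the table owner. The application role must not be a superuser and
-- must not have BYPASSRLS, since both skip RLS entirely.
ALTER TABLE learner_pii  ENABLE ROW LEVEL SECURITY;
ALTER TABLE learner_pii  FORCE  ROW LEVEL SECURITY;
ALTER TABLE chain_record ENABLE ROW LEVEL SECURITY;
ALTER TABLE chain_record FORCE  ROW LEVEL SECURITY;

-- Tenant scope comes from a per-transaction setting. If it is unset or
-- empty the expression is NULL, so no row is visible or writable.
CREATE POLICY tenant_isolation ON learner_pii
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

CREATE POLICY tenant_isolation ON chain_record
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request, run as the application role: scope the transaction, then query.
BEGIN;
SET LOCAL app.tenant_id = '00000000-0000-0000-0000-000000000001';  -- constructed
SELECT pseudonym, email FROM learner_pii;   -- returns this tenant's rows only
COMMIT;

-- With app.tenant_id unset, the same role's SELECT returns zero rows
-- and any INSERT fails the WITH CHECK clause.
```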