Privacy Policy
Nightingale is built on a zero-knowledge identity model. After you verify, we permanently destroy every piece of evidence linking your account to your real identity. Even if compelled by a court order, we cannot produce data that identifies who contributed any specific entry.
Accounts require only a username and password. No email address, phone number, or name is stored in our authentication system.
Hospital emails, nursing license numbers, and NPI numbers are used once to confirm you are a healthcare worker, then permanently deleted. We do not retain them.
There is no "forgot password" flow. This is intentional: password recovery requires linking your account to an external identity (email, phone). We refuse to do this.
Your public contributions (compensation data, profile) live in a separate database schema from the temporary verification data. There are no foreign keys between them — by design.
The public database schema — the one that stores facility data and compensation entries — contains zero personally identifiable information. Ever. This is enforced as a hard constraint.
When enough verified workers contribute data for a given facility and role, we aggregate responses rather than exposing individual entries. This protects contributors from being identified by reverse-engineering individual entries.
If Nightingale receives a valid legal demand to identify a user, we will comply with our legal obligations — but our system is designed so that compliance produces nothing useful. The data we would hand over is: a username (which you chose), a hashed password (unreadable), and a verification result (e.g., “verified as RN via license”).
We have no email addresses, no names, no nursing license numbers, no NPI numbers on file. Verification artifacts are destroyed before we could ever be compelled to produce them. This is not a policy decision — it is a technical architecture decision.
Questions about our privacy practices? Contact us or read our Trust & Security page.