Discourse Privacy Features

Discourse Privacy – Base Features and Where They Live

We run Discourse with strict privacy defaults. This page lists every privacy‑relevant control, its exact location, who can change it, our default, what it does, and why it exists.


1. User controls


1.1 Two‑Factor Authentication (2FA)

Path: Preferences → Account → Two‑Factor Authentication.
Who: User.
Default: Off.
Does: Adds a 2FA code at login.
Why: Prevents password‑only compromises.


1.2 Download your data

Path: Preferences → Activity → Download All.
Who: User.
Default: Enabled.
Does: Sends a ZIP of your posts, PMs, likes, etc.
Why: Portability and self‑audit.


1.3 Delete my account (self‑serve if small)

Path: Preferences → Account → Delete my account (only shows below admin limits).
Who: User if eligible; staff otherwise.
Default: Hidden for large / old accounts.
Does: Requests deletion. Staff may anonymize posts instead of removing them.
Why: Let users leave without breaking threads.


1.4 Anonymous mode (scoped to set categories)

Path: Avatar menu → Enter Anonymous Mode.
Who: User toggles; admin scopes.
Default: Only in specific categories.
Does: Uses an anonymous handle for posts and likes there.
Why: Share sensitive content without exposing your main identity.


1.5 Private messages (PMs)

Path: Avatar → Messages → New Message.
Who: Users create; staff can review for moderation.
Default: Enabled.
Does: Creates topics visible only to invited users and staff.
Why: Private conversations on‑platform with internal moderation if needed.


2. Visibility & interaction (Admin configured)


2.1 Category and group permissions

Path: Admin → Categories → Edit → Security.
Who: Admin.
Default: Private / paid areas are group‑locked; public ones are open.
Does: Hides categories entirely from non‑members.
Why: Compartmentalize sensitive or commercial spaces.


2.2 Login wall and approvals

Path: Admin → Settings → login required, must approve users, optional invite only.
Who: Admin.
Default: Login required; manual approval on; invite only on.
Does: Guests cannot participate in content; new users are vetted via application and payment.
Why: Maintain high quality and protect gated features.


2.3 Email / profile directory exposure

Path: Admin → Settings → enable user directory, allow users to see profile stats.
Who: Admin.
Default: Directory hidden publicly; emails never public.
Does: Limits scraping and casual identity linkage.
Why: Reduce passive data leakage.


3. Export, delete, anonymize (data‑exit levers)


  1. Self‑export – User downloads a ZIP; nothing is removed server‑side.
  2. Self‑delete – User triggers if eligible; staff handles otherwise. Eligibility is dynamic and depends on several factors, such as account age and number of posts. If a user is not eligible, the account can be deleted via an admin request.
  3. Staff anonymize – Admin scrubs username and email; posts remain.
  4. Staff hard delete – Admin erases account and content when policy or law requires.
  5. Timed purges – IP logs, email logs, and deleted uploads auto‑purge after N days.

4. Data retention & cleanup (staff only)


4.1 HTTPS / TLS

Path: Reverse proxy / container (Let’s Encrypt).
Default: On.
Does: Encrypts traffic in transit.
Why: Prevent sniffing and MITM.


4.2 IP & email log retention

Path: Admin → Settings → delete user ip addresses after days, delete email logs after days.
Default: Auto‑purge after configured days.
Does: Deletes old identifiers.
Why: Limit long‑term metadata storage.


4.3 Deleted upload purge

Path: Admin → Settings → purge deleted uploads grace period days.
Default: Purge after grace period.
Does: Permanently removes orphaned files.
Why: Don’t leave stray PII on disk.
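
A baseline check for the settings named in 2.2, 4.2 and 4.3, as an added example that is not part of the original page or of Discourse itself. It assumes a settings export shaped as a site_settings list of setting/value pairs, underscore-joined setting keys, and a 90-day ceiling for purge windows; all three are assumptions, and the sample export is constructed.

```python
import json

# Baseline from this page's stated defaults (sections 2.2, 4.2, 4.3).
# Keys are the page's setting names joined with underscores (assumed spelling).
REQUIRED_ON = ("login_required", "must_approve_users", "invite_only")
PURGE_DAYS = ("delete_user_ip_addresses_after_days", "delete_email_logs_after_days",
              "purge_deleted_uploads_grace_period_days")

def _as_bool(value):
    """Exports may carry booleans as JSON true/false or as "true"/"false"."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "t", "1")

def _as_days(value):
    """Return the value as an int, or None if it is absent or not a number."""
    try:
        return int(str(value).strip())
    except (TypeError, ValueError):
        return None

def audit(export_json, max_days=90):
    """Return a sorted list of (setting, problem) for every baseline deviation."""
    rows = json.loads(export_json).get("site_settings", [])
    current = {row["setting"]: row.get("value") for row in rows}
    findings = []
    for name in REQUIRED_ON:
        if name not in current:
            findings.append((name, "missing from export"))
        elif not _as_bool(current[name]):
            findings.append((name, "expected on, found off"))
    for name in PURGE_DAYS:
        days = _as_days(current.get(name))
        if days is None:
            findings.append((name, "missing or not a number"))
        elif days <= 0:
            findings.append((name, "no purge window set"))
        elif days > max_days:  # max_days is an operator-chosen ceiling
            findings.append((name, f"{days} days exceeds limit of {max_days}"))
    return sorted(findings)

# Constructed sample export, not taken from a real site.
SAMPLE = json.dumps({"site_settings": [{"setting": k, "value": v} for k, v in {
    "login_required": "true", "must_approve_users": "true", "invite_only": "false",
    "delete_user_ip_addresses_after_days": "30", "delete_email_logs_after_days": "365",
}.items()]})

if __name__ == "__main__":
    for setting, problem in audit(SAMPLE):
        print(f"{setting}: {problem}")
```

Run against a periodic export, an empty result means the instance still matches the documented defaults; any row returned is drift to review.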



4.4 PM moderation access

Path: Moderator / Admin tools (flags, review queue, direct links).
Default: Staff access allowed for moderation and safety.
Does: PMs are private from other users, not from staff.
Why: Enforce rules and handle abuse internally.


5. AI data path (Discourse AI plugin)


5.1 LLM provider & outbound data

Path: Admin → Plugins → Discourse AI → Large Language Model (LLM) settings.
Who: Admin.
Default: A provider is selected; PII redaction is enabled.
Does: Sends prompts/snippets to the chosen provider. The provider then applies its own privacy terms and retention rules.
Why: Control which third party receives data and ensure obvious identifiers are stripped before transmission.


5.2 AI bot PMs

Path: PM interface; bot user enabled in Discourse AI Bot settings.
Default: On.
Does: You can private‑message the AI bots. Staff moderators can review under standard PM rules.
Why: Private assistance plus internal QA and safety review.


5.3 CORES (private AI categories)

Path: Category called CORES.
Default: Mix of private and public cores, each with its own rate limits and workflows.
Does: By default the threads are visible to you, the AI agent(s), and limited admins. Threads are not publicly accessible unless stated.
Why: Keep AI‑assisted work private and bounded.


5.4 Node categories (Console / CLI agents)

Path: Dedicated node categories and UI.
Default: Private and pseudo‑anonymous.
Does: Admins can audit for debugging but cannot easily tie a session to a user without context.
Why: Allow deep agent sessions with minimal identity exposure.