The privacy architecture described in the @NewtonProtocol documentation does not rely on a single encrypted storage model. Instead, it defines three separate categories of private information: Identity Data, Confidential Data, and Ephemeral Privacy Data. Although all three use HPKE encryption, each follows a different lifecycle because each serves a different role inside the authorization pipeline.

Identity Data is designed for information that belongs to the user over a long period of time. The documentation describes examples such as KYC credentials and identity attributes. Before leaving the user's device, this data is encrypted locally with HPKE, uploaded through the Gateway, and referenced through the Identity Registry. Only the reference is recorded by the protocol, while the encrypted content remains off-chain. During policy evaluation, operators retrieve and decrypt the data only when the policy explicitly requires it.

Confidential Data follows a completely different ownership model. Unlike Identity Data, it belongs to the organization providing the information rather than to the end user. The documentation describes provider-managed datasets such as sanctions lists, proprietary risk models, allowlists, and other confidential intelligence. These datasets are encrypted, published, versioned, and made available only to authorized Policy Clients. Instead of every application maintaining its own encrypted copy of the same dataset, multiple policies can reference the provider's managed data through the protocol.

The documentation introduces a third category because not every piece of information should become persistent. Ephemeral Privacy Data exists only for a single policy evaluation. Rather than being uploaded or registered, it is encrypted with HPKE and included directly inside the Task request through the reserved _newton.privacy namespace. During evaluation, operators decrypt the payload, make it available to the Rego policy, and use it only for that authorization decision. The protocol does not register it as persistent data.

These three privacy models solve three different engineering problems.

Identity Data stores information that remains associated with a user across many future transactions.

Confidential Data distributes provider-owned intelligence that may evolve through new dataset versions while remaining protected.

Ephemeral Privacy Data transports one-time execution context that is relevant only to the current Task.

Because these lifecycles are different, the documentation treats them as different protocol components instead of forcing every type of sensitive information into a single storage model.

The separation continues inside the policy engine itself. Identity information, provider-managed confidential datasets, and ephemeral payloads are exposed through different namespaces during Rego evaluation. A policy therefore knows not only the value it receives, but also the origin and lifecycle of that value. Long-lived identity records, provider-managed intelligence, and one-time execution context remain distinct throughout policy execution.

Another important detail is that persistence is no longer determined simply by whether information is encrypted. The protocol first classifies data according to ownership, expected lifetime, and reuse, then applies the appropriate privacy workflow. Identity information is expected to persist across many authorizations. Confidential datasets are expected to evolve through controlled versioning. Ephemeral data is expected to disappear from the workflow once the current authorization has been evaluated.

This is why the documentation defines three different privacy mechanisms instead of one universal encrypted storage layer. They are not different encryption systems. They are different lifecycle models built on the same cryptographic foundation.

Viewed this way, $NEWT is solving more than confidential storage. It defines how different classes of sensitive information move through the authorization pipeline without forcing permanent identity records, provider-owned datasets, and one-time execution inputs into the same architectural model.

Reading the documentation from this perspective reveals an important design principle that is easy to overlook. The protocol does not ask only "How should this data be encrypted?" It first asks "Who owns this data, how long should it exist, and should it ever be reused?" Only after those questions are answered does encryption become part of the solution. That separation of ownership, lifecycle, and privacy is one of the more subtle architectural decisions behind #Newt , yet it influences the design of the entire authorization pipeline.