What happens if I miss a check-in?
Beacon sends you a daily check-in at the time you chose, asking for a single tap or click to confirm "here I am." If you miss one, a second check-in arrives 24 hours later. If that one is missed too, the message you wrote is delivered to your recipient 12 hours after the second — about a day and a half from the first missed check-in. We chose those windows so a busy day, a flat phone, or a weekend off-grid does not trigger delivery. If you want a tighter window, Rapid Response mode shortens the cycle to about 12 hours total. You can pause your Beacon from the dashboard at any time without affecting the message itself, and you can edit your check-in time, your contact channel, or your delivery mode whenever you need to.
Who can be my recipient?
Your recipient is one person you choose. They can be a friend, a family member, a partner, a colleague — anyone you want to leave a single message for. They do not need to sign up for anything, install an app, or share an account with you. We send them the message through the contact channel you set for them: an email address, a phone number for SMS, or both. When the moment comes, they receive a notification with a link to a viewer page on milkweed.foundation. They confirm a one-time code we sent to the same channel — that step proves they are the person you trusted with that contact method — and the message opens in their browser. By default the recipient is kept out of the system until delivery, but the recipient form has a "Let them know they're listed" option that, when on, sends a brief one-time note at setup so they know to expect a message from milkweed.foundation. Either way, they're never asked to maintain anything, agree to anything, or share an account with you.
Is my message private? Can you read it?
Yes — privacy is the design center of Beacon. Your message is encrypted in transit (TLS 1.3) and at rest (AES-256 in Cloudflare R2). Nobody at the foundation can read what you wrote during normal operations: there is no admin search, no message browsing, no analytics that touches the body. The browser-facing surface is hardened with a strict Content-Security-Policy, HSTS, and a restrictive Permissions-Policy. Access at delivery time is gated by a one-time code sent to the recipient's contact channel — not by an account we can impersonate. For users with elevated privacy needs — domestic violence advocacy, journalism, immigration support, dissent — we maintain a warrant canary on the Security page (re-signed on a published schedule) and a written subpoena protocol so any government compulsion leaves a paper trail. If those signals ever change, you will see it before delivery. Privileged data access by foundation staff (admin actions like force-transitioning a stuck check-in) is audit-logged. Message content is held in our infrastructure rather than end-to-end encrypted between you and your recipient — that is a tradeoff Beacon makes deliberately, because the recipient never has an account or app to manage. The canary, the subpoena protocol, and the audit log are how we keep that tradeoff accountable. The full trust posture lives on the Security page.
What is Rapid Response mode and when should I use it?
Rapid Response is a faster delivery cycle for situations where the standard 36-hour window is too long. The first check-in arrives at the time you chose, the second is sent 6 hours later, and the message is delivered 6 hours after that — about 12 hours from the first missed check-in. People use Rapid Response in two situations we hear about repeatedly: short, high-risk windows (a difficult medical procedure, a solo trip into remote terrain, a period of unusual exposure) and time-sensitive messages where a day-and-a-half delay would defeat the purpose. Rapid Response requires a phone number on file because SMS is the only channel fast enough for that rhythm. You can switch between Standard and Rapid Response from the dashboard. Switching is reversible, and the message you wrote does not change — only the delivery cycle does. Most Beacons do not need it. The ones that do, need it specifically.
Can I change or delete my message after I save it?
Yes, you can change or delete your message at any time — it is not locked once you save it. Edit the message text from the dashboard whenever you want; the next delivery uses whatever you saved most recently. Change your recipient, your delivery channel, or your check-in cadence the same way. If you decide you do not want a Beacon at all, deactivate it from the dashboard and the message is not sent under any future condition. We do not lock messages because we think the kind of writing Beacon carries is rarely finished on the first attempt — relationships shift, the right thing to say changes, people heal. The point is to have one prepared message held safely, not to commit you to words you wrote a year ago and would no longer choose. Save once, revise as often as the relationship asks for it.
What happens to my Beacon if I cancel my subscription?
Your Beacon pauses. We do not deliver your message because your billing lapsed — that would be the wrong outcome for everyone. When a subscription ends, the daily check-ins stop and the message you wrote stays where it is, in our system, encrypted, undelivered. If you reactivate within a reasonable window, your Beacon resumes from where it left off. If you let it stay paused indefinitely, no delivery happens. You retain the right to come back and turn it on again, edit your message, or delete everything. If you want to delete your account entirely, that path lives in your dashboard and removes both the message and your record with us. If billing failed because of a card change or a missed payment and you want to keep your Beacon active, write to the foundation — we are a small team and would rather hear from you than let a delivery happen because of a billing mistake.