Prox OS Internal Docs
TrustPrivacy

Visitor Log Privacy Model

Visitor Log is a privacy-first presence and activity model for public OS

Visitor Log is a privacy-first presence and activity model for public OS surfaces. It is not invasive analytics, device fingerprinting, or a user surveillance system.

The early implementation uses bundled mock data only. It does not record real visits, raw IP addresses, exact locations, device fingerprints, browser fingerprints, or sensitive personal data.

Identity Models

Anonymous Visitor

Anonymous visitor is the default type for public OS Home, public docs, and public app previews.

Early UI may show:

  • guest avatar;
  • broad region such as Europe, North America, or Unknown region;
  • current app or last viewed app;
  • generic event such as viewed Launcher Hub;
  • relative time such as 2 minutes ago;
  • broad referrer category such as direct, docs, social, or search.

Early UI must not show:

  • raw IP;
  • exact city;
  • exact address;
  • device fingerprint;
  • browser fingerprint;
  • precise location;
  • sensitive personal data.

Known User

Known user is a future signed-in user or explicitly identified community member. It may show display name, avatar, profile link, last active app, and permission level only when account privacy settings allow it.

Known user identity must be consent-aware, reversible, and governed by user settings.

Trusted Collaborator

Trusted collaborator is an explicitly authorized collaborator. This identity is for shared rooms, shared dashboards, app testing, co-browsing, and future collaboration workflows.

It may show collaborator role, room permissions, shared app access, co-browsing state, and collaboration activity. It must not expose unshared sources, private rooms, or unapproved audit detail.

Trusted collaborator state requires explicit permissions and a clear exit path.

Retention Policy

Visitor Log should default to short retention and aggregation. Early UI should make this policy visible even before real data exists.

Future retention controls should define:

  • how long anonymous events remain visible;
  • when events aggregate into counts;
  • what the owner can export;
  • what visitors can opt out of;
  • how known identity is removed or downgraded;
  • which trusted collaboration events become audit records.

Relationship To Live Center

Live Center is the App Hub incubator for the broader live runtime. Visitor App is the user-facing privacy-first dashboard for OS Home presence and visitor activity. Both should eventually consume @prox-os/live-runtime primitives, but neither currently uses a real backend.

Roadmap

Early

  • Mock visitors.
  • Mock presence.
  • Mock activity feed.
  • Visitor App privacy-first redesign.
  • No real tracking.
  • No realtime backend.
  • No raw identifiers.

Mid

  • Real anonymous presence for selected public surfaces.
  • Documented retention policy.
  • Safe activity event model.
  • OS Home online count.
  • Visitor opt-out direction.

Later

  • Consent-aware known user identity.
  • Trusted collaborator rooms.
  • Shared object permissions.
  • Audit trail for authorized collaboration.
  • Export and deletion workflows.

On this page