Visitor Log Privacy Model
Visitor Log is a privacy-first presence and activity model for public OS
Visitor Log is a privacy-first presence and activity model for public OS surfaces. It is not invasive analytics, device fingerprinting, or a user surveillance system.
The early implementation uses bundled mock data only. It does not record real visits, raw IP addresses, exact locations, device fingerprints, browser fingerprints, or sensitive personal data.
Identity Models
Anonymous Visitor
Anonymous visitor is the default type for public OS Home, public docs, and public app previews.
Early UI may show:
- guest avatar;
- broad region such as
Europe,North America, orUnknown region; - current app or last viewed app;
- generic event such as
viewed Launcher Hub; - relative time such as
2 minutes ago; - broad referrer category such as
direct,docs,social, orsearch.
Early UI must not show:
- raw IP;
- exact city;
- exact address;
- device fingerprint;
- browser fingerprint;
- precise location;
- sensitive personal data.
Known User
Known user is a future signed-in user or explicitly identified community member. It may show display name, avatar, profile link, last active app, and permission level only when account privacy settings allow it.
Known user identity must be consent-aware, reversible, and governed by user settings.
Trusted Collaborator
Trusted collaborator is an explicitly authorized collaborator. This identity is for shared rooms, shared dashboards, app testing, co-browsing, and future collaboration workflows.
It may show collaborator role, room permissions, shared app access, co-browsing state, and collaboration activity. It must not expose unshared sources, private rooms, or unapproved audit detail.
Trusted collaborator state requires explicit permissions and a clear exit path.
Retention Policy
Visitor Log should default to short retention and aggregation. Early UI should make this policy visible even before real data exists.
Future retention controls should define:
- how long anonymous events remain visible;
- when events aggregate into counts;
- what the owner can export;
- what visitors can opt out of;
- how known identity is removed or downgraded;
- which trusted collaboration events become audit records.
Relationship To Live Center
Live Center is the App Hub incubator for the broader live runtime. Visitor App
is the user-facing privacy-first dashboard for OS Home presence and visitor
activity. Both should eventually consume @prox-os/live-runtime primitives, but
neither currently uses a real backend.
Roadmap
Early
- Mock visitors.
- Mock presence.
- Mock activity feed.
- Visitor App privacy-first redesign.
- No real tracking.
- No realtime backend.
- No raw identifiers.
Mid
- Real anonymous presence for selected public surfaces.
- Documented retention policy.
- Safe activity event model.
- OS Home online count.
- Visitor opt-out direction.
Later
- Consent-aware known user identity.
- Trusted collaborator rooms.
- Shared object permissions.
- Audit trail for authorized collaboration.
- Export and deletion workflows.