Privacy
Last updated 2026-05-27
Olocus is a private proof layer for lived experience. The private record belongs to you and lives on your device. Olocus's relay only ever holds encrypted scoped-proof bytes that your device uploads for a verifier to pull. This page describes what those mechanisms mean in practice.
What stays on your device
Everything that makes up your private evidence graph is held locally by the Olocus app: the receipts you record (presence, continuity, participation), the keys that sign them, the witnesses you accept, and every disclosed-payload row a verifier might see. Olocus infrastructure does not require plaintext access to any of it.
What the relay holds
When you share a scoped proof, your device encrypts the proof bytes and uploads them under a random capability token. The relay stores:
- the encrypted bytes (a few hundred bytes to a few kilobytes);
- the random capability token (an opaque identifier — not derived from your record, the recipe, or the verifier);
- a view_policy tag (bearer or recipient_bound) so the verifier's bundle picks the correct decrypt path;
- timestamps for created_at, expires_at, and (after the first GET) first_viewed_at, plus a view count.
What the relay does not hold
- No IP retention. Cloudflare logs IPs at the edge for DDoS protection; the relay's own database has no IP column, and the Worker code never reads cf-connecting-ip for storage.
- No user identity. No email, no phone, no account, no device ID column in the relay's database.
- No verifier identity. Recipient-bound proofs carry the verifier's public key inside the encrypted payload, so the relay sees only opaque bytes and cannot tell who the proof is addressed to.
- No plaintext. Olocus infrastructure does not have the keys to decrypt a scoped proof. Only the verifier you addressed can.
Maps and location queries
The map you see inside the Olocus app is rendered by a self-hosted maps backend at maps.olocus.com. Cloudflare R2 holds the tiles, style, and glyphs; a Cloudflare Worker proxies every fetch. Forward geocoding and routing ride the same hostname in later milestones.
When you pan, search, or plan a route, the maps backend sees:
- the tile coordinates of the viewport currently rendered — the approximate area you are looking at, not the precise position of your device;
- a tenant-scoped bearer token that identifies the Olocus app bundle, not you;
- when geocoding ships, the place names and coordinates returned to your device — sent back to the device, not stored against you;
- when routing ships, the start, end, and waypoints of a requested route — used to compute the route, not stored against you.
Your raw GPS trace never reaches this infrastructure; it stays on the device. The honest-metadata invariants are the same as the relay's: no IP retention beyond DDoS protection at the edge, no per-tenant logs, no surveillance-shape columns. The maps backend is bound to *.olocus.com; the Olocus client never calls Nominatim, MapTiler, Mapbox, Google, or any other public OSM-derivative service directly.
Where the data lives
The Olocus relay is provisioned on Cloudflare D1 with the strongest available EU data-residency setting. The maps backend's R2 buckets are pinned to the same EU region; the Vultr VPS that runs geocoding and routing in later milestones sits in the EU behind the same Worker proxy. The compute layer (Workers) runs at the edge nearest each request; durable state stays in the EU. Where compliance-sensitive routes require it, we evaluate Cloudflare Regional Services on a per-feature basis.
Telemetry
The relay records aggregate counters — total successful PUTs, GETs, DELETEs, and the number of expired-then-pruned rows. There are no per-token, per-user, or per-IP telemetry dimensions. We do not run third-party analytics on this site or in the app.
Your rights
- Stop future access. DELETE /proof/v1/<token> revokes a scoped proof on the relay. The relay returns an honest receipt: when it was revoked, whether the verifier had already viewed it, and how many times. Bytes already fetched cannot be recalled; the UX names this plainly.
- Export. You can export your private record from the app as a canonical-CBOR file.
- Erasure. Reset your session from the app's privacy controls. Any uploaded scoped proofs persist until their expiry or until you DELETE them.
Cookies and trackers
This site sets no cookies. The app and verify bundles persist application state in your browser via IndexedDB and an encrypted SQLCipher-backed store; nothing is transmitted from those stores without an explicit action you took.
Contact
Privacy questions and data requests: Support. Source code review: github.com/svailsa/olocus.
What this page is not. This is a plain-language privacy summary, not a legal contract. A formal privacy notice lands before any production deploy that handles real user data. Until then, the relay deploys to staging only.