Transparency
Last updated 2026-05-27

Olocus is a small set of cryptographic primitives, a private store on your device, and a thin relay that only ever holds encrypted bytes the device chose to upload. This page names every mechanism behind the privacy claims on the front page. If a claim depends on a mechanism, the mechanism is named.
What the relay can see
When your device uploads a scoped proof, the relay observes:
- the random 32-character capability token you minted client-side;
- the encrypted CBOR bytes (the relay treats them as opaque — it has no key to decrypt);
- the view_policy tag (bearer or recipient_bound);
- the Content-Length (capped at 64 KiB);
- the requesting browser's TLS-level metadata (IP, user-agent, TLS fingerprint), processed for DDoS protection at the Cloudflare edge — never persisted to our own database.
What the relay cannot see
- your identity, your device ID, your account — none of these exist as columns in the relay schema;
- the verifier's identity (it's encrypted inside the recipient-bound payload, or absent for bearer proofs);
- the claim you are proving, the recipe used, the countries involved, the validity window, the disclosed-payload rows;
- the witnesses on your private graph (v1.1+ witness attestation lives off the relay's plaintext path).
What the maps backend can see
Olocus self-hosts the map stack at maps.olocus.com — Cloudflare R2 holds the map tiles, style document, and font glyphs; a Cloudflare Worker proxies every request. Forward geocoding and routing ride the same hostname on a Vultr VPS in later milestones. Every map view, place lookup, or route plan reveals to that infrastructure:
- the approximate viewport of any map currently rendered (the tile coordinates your device is fetching);
- a tenant-scoped bearer token that identifies the Olocus app bundle, not you (no per-user identifier, no account, no device ID);
- when geocoding ships, the place names and coordinates returned to your device — sent back to the device, not stored against you;
- when routing ships, the start, end, and any waypoints of a requested route — used to compute the route, not stored against you.
Olocus does not claim the maps backend sees nothing; it claims that what the backend sees is bounded, rate-limit-shaped, and not retained as a per-user history. The honest-metadata invariants on the relay (no IP retention, no per-tenant logs, no surveillance-shape columns) apply identically to the maps backend, enforced by the same CI gate.
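The CI gate mentioned above is described only by its invariants. As an added illustration (not Olocus's own gate, schema or config), here is the kind of lint a CI step could run over D1 migrations and the Workers Logs configuration so that a build fails when someone adds a surveillance-shape column or a per-user log dimension. The denylists, the toy CREATE TABLE reader, the function names (honestMetadataGate, schemaViolations, logConfigViolations) and the sample migrations are constructed assumptions.

```javascript
// Added example, not Olocus's CI gate: a small lint of the kind a CI step could
// run over D1 migrations and the logging config to fail a build that adds a
// surveillance-shape column or a per-user log dimension. The denylists, the
// parser and the sample migrations are constructed assumptions, not the
// project's own rules or schema.
const FORBIDDEN_COLUMNS = [
  /^(ip|ip_address|remote_addr|client_ip)$/,
  /^(user_agent|tls_fingerprint|ja3)$/,
  /^(user|device|account|tenant|session)_?id$/,
  /^(email|phone|subscription_id)$/,
];
const FORBIDDEN_LOG_DIMENSIONS = /^(token|capability|user|ip|tenant|device|account)/i;

// Split a CREATE TABLE body on commas at parenthesis depth 0, so a
// CHECK (x IN ('a','b')) clause stays in one piece.
function splitTopLevel(body) {
  const parts = [];
  let depth = 0, current = "";
  for (const ch of body) {
    if (ch === "(") depth += 1;
    else if (ch === ")") depth -= 1;
    if (ch === "," && depth === 0) { parts.push(current); current = ""; }
    else current += ch;
  }
  parts.push(current);
  return parts;
}

// Minimal CREATE TABLE reader for hand-written migrations (not a SQL parser):
// returns [{ table, columns }], dropping table-level constraints.
function tableColumns(sql) {
  const out = [];
  const re = /create\s+table(?:\s+if\s+not\s+exists)?\s+"?(\w+)"?\s*\(([\s\S]*?)\)\s*;/gi;
  let m;
  while ((m = re.exec(sql)) !== null) {
    const columns = splitTopLevel(m[2])
      .map((c) => c.trim().split(/\s+/)[0].replace(/"/g, ""))
      .filter((n) => n && !/^(primary|unique|foreign|check|constraint)$/i.test(n));
    out.push({ table: m[1], columns });
  }
  return out;
}

// Returns "table.column" for every column whose name matches the denylist.
function schemaViolations(sql) {
  const found = [];
  for (const { table, columns } of tableColumns(sql)) {
    for (const col of columns) {
      if (FORBIDDEN_COLUMNS.some((re) => re.test(col.toLowerCase()))) found.push(`${table}.${col}`);
    }
  }
  return found;
}

// Logs: counters may be keyed by route or status, never by anything that
// identifies a token, user, tenant, device or address; sampling stays at 1.0
// so the aggregate counts are exact rather than estimated.
function logConfigViolations(cfg) {
  const found = [];
  if (cfg.head_sampling_rate !== 1.0) found.push(`head_sampling_rate=${cfg.head_sampling_rate}`);
  for (const dim of cfg.dimensions ?? []) {
    if (FORBIDDEN_LOG_DIMENSIONS.test(dim)) found.push(`dimension:${dim}`);
  }
  return found;
}

// The gate itself: one boolean for CI plus the reasons for the build log.
function honestMetadataGate(sql, logCfg) {
  const violations = [...schemaViolations(sql), ...logConfigViolations(logCfg)];
  return { ok: violations.length === 0, violations };
}

// Constructed sample migrations and log configs (not the project's own).
const GOOD_MIGRATION = `
CREATE TABLE IF NOT EXISTS proofs (
  token       TEXT PRIMARY KEY,
  ciphertext  BLOB NOT NULL,
  view_policy TEXT NOT NULL,
  expires_at  INTEGER NOT NULL,
  revoked_at  INTEGER,
  view_count  INTEGER NOT NULL DEFAULT 0,
  CHECK (view_policy IN ('bearer', 'recipient_bound'))
);`;
const BAD_MIGRATION = `
CREATE TABLE proof_views (
  token      TEXT NOT NULL,
  ip_address TEXT NOT NULL,
  user_agent TEXT,
  viewed_at  INTEGER NOT NULL
);`;
const GOOD_LOGS = { head_sampling_rate: 1.0, dimensions: ["route", "status"] };
const BAD_LOGS = { head_sampling_rate: 0.1, dimensions: ["route", "token_prefix"] };
```

Running honestMetadataGate(GOOD_MIGRATION, GOOD_LOGS) passes, while the second migration is rejected for proof_views.ip_address and proof_views.user_agent, and the second log config for its sampling rate and its token-keyed dimension. The capability token column itself is allowed: the relay must index by token to serve a fetch, and the token is not an identifier of a person.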
What the maps backend cannot see
- your raw GPS trace — every position your device records stays on the device; only tile coordinates for the viewport you are looking at leave it;
- your identity, your account, the receipts on your private ledger, any proof you have composed or shared;
- the questions a verifier asked or the proofs you returned — the maps and proofs paths share no data;
- a per-user history of where you have looked, geocoded, or routed.
Single-404 invariant
When a verifier tries to fetch a proof that is missing — never existed, revoked, or expired — the relay returns one response: 404 proof_not_available. It deliberately does not distinguish the three reasons, because telling a verifier which one would leak metadata about your revocation behaviour. The verify bundle relies on this invariant and surfaces the honest absence message to the verifier.
Revocation semantics
Revoking a scoped proof stops future access; it does not undo sharing. Bytes the verifier already fetched cannot be recalled — they may have been rendered in-browser, screenshot, or stored locally. The UX uses honest verbs ("Stop future access", "Expire this proof now") — never "Delete disclosure" or "Take it back". The revocation receipt records when the relay refused further access and how many times the verifier had already viewed.
Where the data physically lives
- Compute (Workers): Cloudflare's edge, nearest each user. No durable state.
- Database (D1): provisioned in Cloudflare's EU jurisdiction with the strongest available data-residency setting.
- Maps storage (R2): map tiles, style, and glyphs live in Cloudflare R2 buckets pinned to EU (weur). Read-only, content-addressed, refreshed weekly from upstream OpenStreetMap data.
- Maps compute (VPS): when forward geocoding and routing land, Photon and Valhalla run on a Vultr VPS in the EU, behind the same Worker proxy. The VPS sees only Worker-proxied requests; no per-tenant logs.
- Logs: aggregate counters in Cloudflare Workers Logs at head_sampling_rate: 1.0 for both the relay and the maps proxy; no per-token, per-user, or per-IP dimensions.
- Backups: none in v1. Encrypted backup blobs land in v1.1+ under their own opt-in surface.
Three actors with bounded power
Olocus's design is built around three actors, each with limits the product enforces:
- User — owns the private record and chooses what leaves it.
- Witness — confirms bounded moments or claims without gaining access to the user's graph.
- Verifier — receives a scoped proof and decides whether it is sufficient for their purpose.
The verifier never sees the underlying record. The witness never sees the user's graph. The user never sees an Olocus-issued judgement on what's true — Olocus shows evidence, the verifier judges.
What Olocus does not have
- No verified badge. The verifier reads recipe, claim support, subject binding, view policy, validity, proof nonce, and signature as independent rows. There is no single aggregated indicator.
- No public profile, no follower graph, no contact-discovery surface.
- No backdoor. Olocus infrastructure cannot decrypt your scoped proofs even if compelled — the keys live on your device and the recipient's.
- No third-party analytics. This site sets no cookies and ships no JS.
Where the source code is
The full repository is at github.com/svailsa/olocus — Rust workspace + Cloudflare Workers relay + Playwright canonical-journey tests + this site. Architecture lives in docs/ARCHITECTURE.md; the v1 relay spec lives in workers/api/README.md.
Honest commitments only. Where a privacy or security claim depends on a mechanism, the mechanism is named. "Olocus never holds plaintext" is precise. "Olocus does not hold the graph in any form" would be inaccurate the moment a pro-tier user enables encrypted backup. Where the architecture maintains a deliberate exception (e.g., the v1.1+ entitlement service's subscription-id → master-public-key link), we name it as an exception, minimise it, and surface it in the user's transparency view inside the app.