Visitor App Privacy Model
Visitor App should communicate liveliness without collecting or exposing
Visitor App should communicate liveliness without collecting or exposing invasive analytics. Its default posture is anonymous, broad, and short-lived.
Early Stage Shows
- Guest avatar.
- Broad region such as
Europe,North America, orUnknown region. - Current app or last viewed public app.
- Generic event such as
viewed Launcher Hub. - Relative time such as
2 minutes ago. - Broad referrer category such as
direct,docs,social, orsearch. - Privacy mode and retention policy labels.
Early Stage Does Not Show
- Raw IP.
- Exact city.
- Exact address.
- Device fingerprint.
- Browser fingerprint.
- Precise location.
- Sensitive personal data.
- Private app state.
- Hidden source data.
Identity Model
Anonymous Visitor
Anonymous visitor is the default for public OS Home, public docs, and public app previews. It should stay broad and non-identifying.
Known User
Known user is a future signed-in or explicitly identified person. Display name, avatar, profile link, last active app, and permission level require privacy settings and consent.
Trusted Collaborator
Trusted collaborator is an explicitly authorized role for shared rooms, dashboards, co-browsing, game testing, or collaboration sessions. It requires scoped permission and a clear exit path.
Future Live Runtime
Visitor App should eventually consume:
VisitorSession;PresenceState;ActivityEvent;PrivacyMode;RetentionPolicy.
Those types belong in the future @prox-os/live-runtime proposal. They are not
implemented as a runtime package yet.