Prox OS Internal Docs
ProductAppsVisitor

Visitor App Privacy Model

Visitor App should communicate liveliness without collecting or exposing

Visitor App should communicate liveliness without collecting or exposing invasive analytics. Its default posture is anonymous, broad, and short-lived.

Early Stage Shows

  • Guest avatar.
  • Broad region such as Europe, North America, or Unknown region.
  • Current app or last viewed public app.
  • Generic event such as viewed Launcher Hub.
  • Relative time such as 2 minutes ago.
  • Broad referrer category such as direct, docs, social, or search.
  • Privacy mode and retention policy labels.

Early Stage Does Not Show

  • Raw IP.
  • Exact city.
  • Exact address.
  • Device fingerprint.
  • Browser fingerprint.
  • Precise location.
  • Sensitive personal data.
  • Private app state.
  • Hidden source data.

Identity Model

Anonymous Visitor

Anonymous visitor is the default for public OS Home, public docs, and public app previews. It should stay broad and non-identifying.

Known User

Known user is a future signed-in or explicitly identified person. Display name, avatar, profile link, last active app, and permission level require privacy settings and consent.

Trusted Collaborator

Trusted collaborator is an explicitly authorized role for shared rooms, dashboards, co-browsing, game testing, or collaboration sessions. It requires scoped permission and a clear exit path.

Future Live Runtime

Visitor App should eventually consume:

  • VisitorSession;
  • PresenceState;
  • ActivityEvent;
  • PrivacyMode;
  • RetentionPolicy.

Those types belong in the future @prox-os/live-runtime proposal. They are not implemented as a runtime package yet.

On this page