What does Proof of Reality verify?

It verifies that a physical-world scan produced a public proof record with a verifyId, canonical bundleHash, verification level, public checks, and artifact hash commitments.

Do users have to expose private files or GPS?

No. Hash-only is the default. Capture time, location, retained files, nonce payloads, and app-key details are disclosed only when the proof owner selects those layers.

How does another product integrate?

Store verifyId for the user-facing proof and bundleHash for integrity. Call the public Verify API to show status, verification level, checks, and disclosed artifact hashes.

Is every proof on-chain today?

No. Current production verification is hash-first through the public Verify API. Daily hash-root anchoring is the next settlement layer.

LEGAL

Privacy Policy

Last updated: 2026-05-20

1. Who we are

Proof of Reality provides cryptographic proof that a physical-world scan happened at a specific time, with optional location, optional retained files, and future hash anchoring. Contact: support@realityproof.app

2. Data we collect

Depending on how you use the Service, we collect:

Proof session data — verify ID, owner token hash, disclosure level, bundle hash, artifact hashes, verification checks, status, disclosure level, and opt-in capture timing.
Scan artifacts — artifact hashes by default. 3D scene files, sensor sidecars, canonical proof bundles, and related metadata are uploaded to Cloudflare R2 only when you select file or bundle retention.
Location data — only when the iOS user grants location permission and selects a location disclosure/retention level.
Device and attestation data — app version, device model, operating system, and hardware signature material needed to verify a proof. App-key details are exposed publicly only when selected.
Contact form submissions — your contact method and message, forwarded to our notification channel so we can respond.
Analytics data — if you accept cookies, Google Analytics 4 collects aggregated usage data such as pages visited, session duration, approximate region, and device/browser type. IP anonymisation is enabled.
Request metadata — server logs and Cloudflare/Vercel request metadata used for abuse prevention, reliability, and security.

3. Public verification and disclosure

Public verification endpoints return only the disclosure tier selected for the proof:

Hashes only — verification status, bundle hash, level, and public check names. This is the default.
Time only — verification status, capture start/end time, hashes, and non-location checks.
Time + location — the time-only response plus the captured location when location was available.
Full proof — proof checks, artifact metadata, retained bundle/asset links, nonce details, and app-key detail needed for deeper third-party verification.

Marketplace and partner apps can call the public Verify API without authentication, so choose the disclosure level you are comfortable exposing.

4. How we use data

To create, store, verify, and later anchor proof records;
To serve public verification responses at the selected disclosure level;
To detect abuse, replay attempts, tampering, and service misuse;
To respond to support and partnership messages;
To understand site performance and usage when analytics consent is granted.

We do not sell or rent personal data and we do not use proof data for advertising.

5. Legal basis

For EEA/UK users, we process data under these legal bases:

Contract — operating proof creation, optional upload, and verification.
Legitimate interests — security, abuse prevention, service reliability, fraud resistance, and responding to contact requests.
Consent — optional location permission in the iOS app and analytics cookies on the website.

6. Third-party services

Cloudflare R2 and Cloudflare network services — opt-in artifact storage, asset delivery, and abuse protection.
Vercel — hosting and serverless execution for the website and APIs.
Postgres database provider — proof records, disclosure settings, and verification checks.
Hash anchoring networks — future public anchoring of proof hashes or daily roots.
SpaceComputer Orbitport — satellite-signed nonce and KMS co-signature services.
Apple App Attest — iOS app integrity attestation.
Google Analytics 4 — website analytics only after cookie consent.
Telegram or email tooling — contact form notifications and support follow-up.

7. Cookies

We use analytics cookies only after consent. The site stores a local consent preference so the banner does not reappear on every visit. See our Cookie Policy for details.

8. Retention

Hash proof records are retained while needed to operate public verification and user history. Files, bundle JSON, location, nonce payloads, and app-key details are retained only when selected. Contact messages are retained only as long as needed to respond. Analytics retention follows the Google Analytics property settings.

9. Your choices and rights

You can deny location permission, select a less revealing disclosure level, decline analytics cookies, and keep the default hash-only disclosure when you only need public hash verification. Under applicable privacy laws, you may request access, correction, deletion, restriction, or objection by contacting support@realityproof.app. Some records, especially blockchain records and public data already disclosed to third parties, may be impossible for us to delete.

10. Security

Proof data is protected with HTTPS, opt-in presigned upload URLs, hashed owner tokens, and secret redaction in logs. No internet service can be guaranteed perfectly secure, so please avoid scanning sensitive private spaces or objects unless you are comfortable with the selected disclosure level.

11. Children

The Service is not directed to children under 13, and we do not knowingly collect data from children.

12. Changes to this policy

We may update this policy as the Service changes. The date at the top reflects the most recent revision.