Public Digital Domain Home
Privacy Policy

Privacy through contract,
not obscurity.

Public Digital Domain is operated by Coldbridge LLC (California), the data controller. PDD collects browsing data through the Envoy browser extension, which you install and control, and only after you consent. Your consent is the legal basis for that collection, and you can withdraw it at any time. Your data is stored on our servers so it persists across devices and sessions. Nothing is shared with any organisation unless you explicitly offer it for sale through a signed contract. Collection, storage, and sharing are three separate actions, each under your control.

Your identity in PDD is anchored to an Ed25519 cryptographic key pair. Your private key is generated in your browser and is used to sign actions. Your account is protected by a password and, optionally, a cross-device passcode for signing in on other machines.

The server holds your public key, a one-way lookup hash derived from your email and a server-held salt, and your encrypted vault. We cannot reverse the hash. We cannot decrypt your vault without your password.

The PDD server stores your data. Specifically:

Browsing data: URLs, page titles, timestamps, and domain names captured by the Envoy browser extension. This includes the pages you visit while Envoy is active, your browsing history, and your most-visited sites. It is stored per-person in a browsing ledger on the server, for as long as your account exists. You can pause collection at any time, and it is destroyed when you delete your account.

What we do not capture. Envoy records where you go, not what you write. We do not store typed text, the contents of your searches, form entries, or anything you author. Search terms are stripped from addresses at the point of capture, so a query you type never reaches our servers. The record is a map of your activity, not a copy of your communications.

Folders and assignments: The folders you create and which browsing events you assign to them.

Contracts and settlements: Records of agreements between you and organisations, including pricing, scope, and delivery receipts.

Messages: System notices and messages sent between you and PDD inside the platform. Messaging is in-house only. There is no email, and PDD does not capture or store correspondence you have with anyone outside PDD.

Identity records: Your public key, email hash, encrypted vault, and device registrations.

All of this data is yours. You can view it at any time in The Hall, and download all of it at any time, including right before you delete. You can delete your account from Settings; what deletion removes, and the few records that must be kept, is set out under Your rights below.

Nothing leaves your account unless you explicitly choose to share it. When you offer a folder of browsing data for sale, the offer is visible to organisations. If an organisation purchases your offer, only the browsing events you assigned to that folder are delivered.

You see the exact data before it is sent. You control which events are in each folder. You set the price. You can cancel before delivery.

The organisation receives exactly what you approved. Nothing more.

Organisations receive only the data you approved. They are bound by the contract's declared limits: the stated purpose, retention period, and use constraints. Violating those terms creates an enforcement surface within PDD.

Organisations do not see your email, your real name, or any identifier beyond the contract's party reference. They cannot correlate your data across contracts unless you choose to engage with them again.

We use no cookies. No analytics. No tracking pixels. No third-party scripts that profile your behaviour. No advertising infrastructure of any kind.

PDD does not participate in the system it was built to replace.

This site is hosted on Railway. Like all hosting providers, Railway collects standard server log data including IP addresses and request metadata as part of normal infrastructure operation. This is outside our direct control and governed by Railway's Privacy Policy.

We do not access that data for profiling, targeting, or any commercial purpose. Domain services are provided by Cloudflare under their standard terms.

You have the right to see all data we hold about you, at any time, in The Hall.

You have the right to delete your account, from Settings. Deletion does not complete while you have an open contract: a pending contract, not yet delivered, can be cancelled; one already in motion settles first. Once every contract has cancelled or settled, deletion completes. When it completes, the server destroys your account and everything personal to it: your identity records, recovery data, messages and blocked-organisation list, folders and assignments, settings, and your browsing history. PDD has no interest in holding the browsing record of someone who has left. You cannot sign in afterward, and the account cannot be recovered.

You have the right to stop collection at any time. Pause it directly in Envoy, or disable or uninstall the extension entirely.

You have the right to withdraw from any contract before delivery. Cancellation is available at the preview stage. No data is transmitted and no obligation attaches.

A small set of records is kept after deletion, and we will say exactly what and why, because claiming to erase them would be false. Settlement records and the contracts they settled are kept as proof that an agreement existed and was honoured, for accounting, tax, dispute, and audit. When a sale clears, money moves: you are paid, the buyer pays, PDD takes its share, and that record has to survive. It does not contain your browsing data. The link between your account and your Stripe payout account is kept because Stripe carries its own legal retention obligations and the financial records must stay coherent. These kept records still carry your account and payout identifiers; they are not anonymised, and we will not describe them as if they were.

For rights requests under GDPR or CCPA, see Your Rights.

If you believe your data rights have been violated, you may file a complaint with the relevant authority:

United States: Federal Trade Commission (FTC) · California Attorney General (CCPA)

European Union: European Data Protection Board. Find your national data protection authority.

United Kingdom: Information Commissioner's Office (ICO)

You may also contact us directly at contact@publicdigitaldomain.org and we will respond.

If this policy changes in any material way, the update will be reflected here with a revised date. We will not introduce data collection practices without updating this page first.

Last updated: July 8, 2026. Contact: contact@publicdigitaldomain.org