∞▷ Public Digital Domain Home
Privacy Policy

Privacy through contract,
not obscurity.

Public Digital Domain collects browsing data through the Envoy browser extension, which you install and control. Your data is stored on our servers so it persists across devices and sessions. Nothing is shared with any organisation unless you explicitly offer it for sale through a signed contract. Collection, storage, and sharing are three separate actions — each under your control.
Your identity

Your identity in PDD is anchored to an Ed25519 cryptographic key pair. Your private key is generated in your browser and is used to sign actions. Your account is protected by a password and, optionally, a cross-device passcode for signing in on other machines.

The server holds your public key, a one-way lookup hash derived from your email and a server-held salt, and your encrypted vault. We cannot reverse the hash. We cannot decrypt your vault without your password.

What the server stores

The PDD server stores your data. Specifically:

Browsing data: URLs, page titles, timestamps, and domain names captured by the Envoy browser extension. This includes the pages you visit while Envoy is active, your browsing history, and your most-visited sites. It is stored per-person in a browsing ledger on the server.

Folders and assignments: The folders you create and which browsing events you assign to them.

Contracts and settlements: Records of agreements between you and organisations, including pricing, scope, and delivery receipts.

Messages: System messages and any correspondence within the platform.

Identity records: Your public key, email hash, encrypted vault, and device registrations.

All of this data is yours. You can view it at any time in The Hall. You can export it. You can delete your entire account and all associated data permanently from Settings.

What moves when you share data

Nothing leaves your account unless you explicitly choose to share it. When you offer a folder of browsing data for sale, the offer is visible to organisations. If an organisation purchases your offer, only the browsing events you assigned to that folder are delivered.

You see the exact data before it is sent. You control which events are in each folder. You set the price. You can cancel before delivery.

The organisation receives exactly what you approved. Nothing more.

What organisations see

Organisations receive only the data you approved. They are bound by the contract's declared limits: the stated purpose, retention period, and use constraints. Violating those terms creates an enforcement surface within PDD.

Organisations do not see your email, your real name, or any identifier beyond the contract's party reference. They cannot correlate your data across contracts unless you choose to engage with them again.

Cookies and tracking

We use no cookies. No analytics. No tracking pixels. No third-party scripts that profile your behaviour. No advertising infrastructure of any kind.

PDD does not participate in the system it was built to replace.

Hosting

This site is hosted on Railway. Like all hosting providers, Railway collects standard server log data including IP addresses and request metadata as part of normal infrastructure operation. This is outside our direct control and governed by Railway's Privacy Policy.

We do not access that data for profiling, targeting, or any commercial purpose. Domain services are provided by Cloudflare under their standard terms.

Your rights

You have the right to see all data we hold about you, at any time, in The Hall.

You have the right to delete your account and all associated data. This is available in Settings and takes effect immediately. Deletion removes your browsing ledger, folders, assignments, messages, and identity records from the server permanently.

You have the right to stop collection at any time — pause it directly in Envoy, or disable or uninstall the extension entirely.

You have the right to withdraw from any contract before delivery. Cancellation is available at the preview stage. No data is transmitted and no obligation attaches.

Contract and settlement records are retained as part of the settlement ledger even after account deletion. They are the proof that an agreement existed and was honoured. They do not contain your browsing data.

For rights requests under GDPR or CCPA, see Your Rights.

Regulatory authorities

If you believe your data rights have been violated, you may file a complaint with the relevant authority:

United States: Federal Trade Commission (FTC) · California Attorney General (CCPA)

European Union: European Data Protection Board — find your national data protection authority.

United Kingdom: Information Commissioner's Office (ICO)

You may also contact us directly at noreply@publicdigitaldomain.org and we will respond.

Changes to this policy

If this policy changes in any material way, the update will be reflected here with a revised date. We will not introduce data collection practices without updating this page first.

Last updated: May 2026. Contact: noreply@publicdigitaldomain.org