HumanProof · Privacy

Counts, never contents.

HumanProof exists to produce evidence a worker chooses to share — not surveillance an employer imposes. That only works if the privacy posture is verifiable, so this page is specific.

The desktop agent

The agent reads exactly three signals: when input last happened (a timestamp — on Windows via GetLastInputInfo, on macOS via CGEventSource counters), which app is frontmost (the executable or bundle name only), and how long you have been idle. The APIs it uses do not expose key identity, window titles, URLs, or screen pixels — the agent could not read your keystrokes even if it wanted to. No hooks, no event taps, no permission prompts.

Never captured: keystrokes, clipboard, window titles, URLs, screenshots, file names, message contents.
Kept on your machine: raw 10-second activity pulses, in a local SQLite file, deleted after 90 days. They never sync.
Pause is absolute: pausing stops all polling and recording instantly, no questions, no “pause is logged” asterisk. Unpairing deletes the device token.

Everything that ever leaves your machine

Two requests exist. Pairing sends your device's name (e.g. “DESKTOP-7F2K”) so you can recognize it in your account. Sync sends one summary per day — this exact shape, nothing more:

{
  "date": "2026-06-11",
  "totals": { "typingMs": 9600000, "readingMs": 7800000, "idleMs": 1200000 },
  "blocks": [
    { "start": 32400000, "end": 36000000, "state": "typing", "topApp": "Code" },
    { "start": 36000000, "end": 37800000, "state": "reading", "topApp": "Firefox" }
  ],
  "apps": [{ "app": "Code", "ms": 9600000 }]
}

Times are milliseconds since your local midnight. “Reading” is work — that is the point.

The public self-test

The 15-minute self-test is different by design: it records your typing activity in its editor — keystrokes, pastes, timing — because the receipt replays exactly how your text came to exist. You are told before you start, it only applies inside that editor, and the resulting receipt is unlisted until you share or claim it. Nothing else on your machine is touched.

What the server stores (the no-logs part)

The platform stores only what receipts display: day summaries, self-test receipts, accounts, workspaces, device names. Raw activity never reaches the server, so it cannot be analyzed, sold, leaked, or subpoenaed — you cannot lose what you never had. Receipts and timesheets are unlisted; only people with a link can see them, and only you decide who gets one.

To delete your account and everything attached to it, email dan@ochoa.pro — deletion is manual today and confirmed within 48 hours.