Privacy Policy
Last updated: March 19, 2026
1. Our Privacy Commitment
Layrs is built on a fundamental principle: your raw creative data never leaves your machine. This policy explains what data we collect, what stays local, what we transmit, and how we protect everything.
2. Data That Stays on Your Device
The following data is captured and processed entirely on your local machine and is never transmitted to Layrs servers:
- Screen recordings — The desktop agent captures your creative workflow visually. These recordings are used solely to generate cryptographic hashes and are never uploaded.
- Keystroke entropy data — Timing patterns between keystrokes are measured to build a behavioral fingerprint. Individual keystrokes and their content are not recorded; only statistical timing distributions are captured.
- Mouse movement patterns — Movement trajectories and interaction patterns contribute to your unique creator signature. Raw coordinate data remains local.
All raw capture data is processed through a dual-hash Merkle chain on your device. Once hashes are generated, the raw data can be purged according to your local retention preferences.
3. Data We Transmit & Store
The following data is sent from your device to Layrs servers:
- Cryptographic hashes — SHA-256 and BLAKE3 hashes derived from your creative process, structured as a Merkle chain.
- Digital signatures — Signatures generated by your device’s Secure Enclave (or software-based signing on devices without hardware security).
- Session metadata — Timestamps, session duration, agent version, and platform identifiers. No screen content or input content is included.
- Account information — Email address, display name, and authentication credentials you provide during registration.
- Creator proof scores — Computed scores that reflect the strength and consistency of your verified creative process.
4. Secure Enclave & Hardware Security
On supported devices, Layrs uses the Secure Enclave (Apple) or equivalent hardware security module to generate and store signing keys. Private keys never leave the secure hardware; signing operations occur within the enclave itself. This means even if your system is compromised, the signing keys used for proof generation remain protected.
On devices without hardware security, Layrs uses software-based key management with encrypted key storage. We recommend using hardware-secured devices for the strongest proof guarantees.
5. Biometric & Behavioral Data
Keystroke entropy and mouse movement patterns may be considered behavioral biometric data in certain jurisdictions. We want to be explicit about how this data is handled:
- Behavioral data is processed locally — it never leaves your device in raw form
- Only statistical derivatives (hashes and entropy scores) are transmitted
- You can delete all local behavioral data at any time through the desktop agent settings
- Behavioral fingerprints are used solely for proof-of-creation verification, not identification or surveillance
6. Cookies & Local Storage
The Layrs web platform uses:
- Authentication cookies — Session tokens to keep you signed in. These are strictly necessary and cannot be disabled.
- Local storage — UI preferences and cached state for a smoother experience. No tracking data is stored.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not sell or share cookie data with advertisers.
7. Third-Party Services
Layrs relies on the following third-party services to operate:
- Supabase — Database and authentication infrastructure. Account data and cryptographic verification metadata are stored in Supabase-managed PostgreSQL databases. Supabase’s privacy policy applies to their infrastructure handling.
- Vercel — Web application hosting and edge delivery. Standard HTTP logs (IP address, user agent, request path) are collected by Vercel as part of their hosting services.
We carefully select infrastructure providers that align with our privacy-first approach. No raw creative data is ever shared with third-party services.
8. Verification API (VaaS) & Data Sharing
When third parties query the Verification API, they receive only proof scores and verification status — never raw data, behavioral patterns, or personal information beyond what the creator has made publicly visible on their profile.
Creators control the visibility of their proof scores and can restrict API access to their verification data at any time through their account settings.
9. Data Retention
Cryptographic hashes and verification metadata are retained indefinitely as part of the immutable proof chain — this is fundamental to how the verification system works. Account information is retained while your account is active and for a reasonable period after deletion for legal compliance.
Local data (screen recordings, behavioral captures) is managed entirely by you through the desktop agent. Layrs has no access to and no control over your local data retention.
10. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and associated data
- Export your verification data in a portable format
- Object to or restrict certain processing activities
To exercise any of these rights, contact us at privacy@layrs.org. Note that cryptographic hashes anchored in the proof chain cannot be deleted as they are integral to the verification system’s integrity.
11. Children’s Privacy
Layrs is not intended for use by individuals under 16 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly.
12. Changes to This Policy
We may update this policy to reflect changes in our practices or legal requirements. We will notify you of material changes through the platform or via email. Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact
Privacy questions or concerns? Reach us at privacy@layrs.org.