Privacy Policy

This policy describes what data Reality Registry collects, why we collect it, and what control you have over it. We've tried to write it in plain language. If anything is unclear, email info@realityregistry.com.

In short

• We collect the minimum data needed to authenticate you, register your photos and videos, and verify them later.
• We do not show advertising, run third-party analytics, or sell data to anyone.
• Your photos and videos are stored on our servers so the verification pages keep working; you can request deletion.
• One important caveat: the cryptographic proof of each registration is written to a public blockchain (Polygon). That record is permanent and cannot be deleted, even after account deletion. Only the cryptographic fingerprint is on chain, never your photo or video itself.

Who we are

Reality Registry is operated by an independent developer based in the United States. For privacy questions, contact info@realityregistry.com.

What data we collect

From you, directly

• Account information. When you sign in, we receive an email address and a stable user identifier from Google Sign-In or from the email-and-password sign-in flow.
• Photos and videos you choose to register. The app uploads media you explicitly capture, along with capture metadata (timestamp, optional location if you've granted permission, optional description).
• Location (optional). If you grant location permission, we read your device's approximate or precise location at capture time and embed it in the registration record.

Generated by your device

• A device-specific signing key. When you first register media, the app generates a hardware-backed cryptographic key on your phone (Android StrongBox or Trusted Execution Environment). This key signs uploads so the server can verify they came from your device. The private key never leaves your phone; only its public counterpart and the resulting signatures are sent to us.
• A Firebase Installation ID. A pseudonymous identifier used by Google's Firebase services to deliver authentication and crash diagnostics.

Generated by our service

• Cryptographic hashes and watermarks derived from your media. We compute SHA-256 hashes, dHash perceptual fingerprints, and invisible TrustMark watermarks. These are stored alongside your registration.
• Blockchain transaction records. For each registration, a Merkle root is written to the Polygon public blockchain. This record is permanent and publicly readable.
• Subscription state (if you purchase Pro). Tier, billing status, and renewal information from RevenueCat (our subscription management provider).

How we use it

• Authenticate you so you can access your captures.
• Embed cryptographic proof into the photos and videos you capture.
• Write the Merkle root for each registration to the Polygon blockchain.
• Serve the verification pages at realityregistry.com so recipients of your media can confirm its authenticity.
• Manage your subscription tier and enforce quota limits.
• Diagnose crashes and operational issues with the service.

We do not use your data for advertising, profile building, content recommendation, or any kind of behavioral analytics.

Who we share with

We share data with a small number of service providers who help us operate Reality Registry. These providers act on our instructions and are subject to their own privacy commitments.

• Google / Firebase (United States) — authentication, cloud messaging, and infrastructure underlying Google Sign-In.
• RevenueCat (United States) — subscription state management for Pro tier (if you subscribe).
• Google Play Billing (United States) — payment processing for in-app purchases.
• Amazon Web Services (United States) — hosting infrastructure for the verification web service and registration backend.
• Polygon Network (public blockchain, operated by an open network of validators worldwide) — the cryptographic Merkle roots for your registrations are written to this public ledger. The blockchain is by design permanent, public, and not controlled by any single party.

We do not sell or rent your personal data. We do not share data with advertising or marketing networks.

The blockchain caveat

Reality Registry's product is fundamentally about anchoring photos and videos to a public, tamper-resistant timeline. Each registration writes a Merkle root and lookup key to the Polygon blockchain. These records:

• Are permanent. The blockchain is operated by an open network; no party (including us) can delete an entry.
• Are publicly readable. Anyone can browse Polygon's public block explorer and see that a registration happened at a specific time, though without our verification service they cannot tell what media it corresponds to.
• Contain only cryptographic fingerprints, never your actual photo, video, location, or identity. The fingerprints alone cannot be reversed into the original media.

When you delete your Reality Registry account, we remove the linkage between your identity and these on-chain records, so they can no longer be tied back to you through our service. The records themselves remain on the blockchain.

How long we keep it

• Account data (email, signing key, subscription state) — kept while your account is active. Deleted within 30 days of an account deletion request.
• Photos and videos you registered — kept indefinitely while your account is active so the verification pages continue to work for recipients of your media. Deleted within 30 days of an account deletion request, except where you have published a verification link that we are obligated to keep accessible.
• Crash and diagnostic logs — kept for 90 days, then automatically deleted.
• Blockchain records — permanent (see above).

Your rights

Regardless of where you live, you can:

• Request a copy of the data we hold about you.
• Correct inaccurate information.
• Delete your account and the data associated with it. See the account deletion page for the exact process.
• Object to any specific use of your data and withdraw consent at any time.

To exercise any of these rights, email info@realityregistry.com from the address associated with your account. We will respond within 30 days.

If you are located in the European Economic Area, United Kingdom, or California, you have additional rights under GDPR, UK GDPR, and CCPA respectively. We honor these rights for all users regardless of where they live.

Security

All communication between the app and our servers uses TLS 1.2 or higher. Photos and videos are stored on encrypted storage. Authentication is handled by Firebase, which holds industry-standard certifications including ISO 27001, SOC 2, and SOC 3. We minimize the staff with access to user data, and access is logged.

Despite best efforts, no system is perfectly secure. If you become aware of a security issue, please report it to info@realityregistry.com.

Children

Reality Registry is not directed to children under 18 and is not intended for use by them. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, please contact us and we will delete the data.

International users

Reality Registry is operated from the United States, and our service providers are also located in the United States. If you access the service from outside the U.S., your data will be transferred to and processed in the United States. By using the service you consent to this transfer.

Changes to this policy

We may update this policy as the product evolves or as the law changes. When we make material changes, we will notify signed-in users in the app and update the effective date at the top of this page. We will not retroactively reduce the privacy protections you had when you signed up without your explicit consent.

Contact

For any privacy question, complaint, or data request, email info@realityregistry.com.