How Praxis captures, redacts, and stores recordings.

What gets recorded

Each session captures RGB video and — on capable devices — synchronized LiDAR depth. We also record a small metadata file with the session id, the environment code, and the modes that were active. No microphone audio. No GPS. No contacts, photos, or device identifiers beyond an anonymous session handle.

Faces and license plates are redacted

Every frame written to disk passes through an on-device face detector and is pixelated before recording. A second pass runs after upload using EgoBlur, an open-source set of detectors trained on egocentric footage. The second pass catches profile views, partial faces, and motion-blurred faces the on-device pass misses, and adds license plates — which the on-device pass does not cover. The redacted video is what any human reviewer or customer sees; the original is never served on the read path once the second pass completes.

What we never collect

We do not store the name, email, address, phone number, or any other identifier of the person whose space is being recorded. The consent QR code is a bearer token — it grants permission, it does not identify anyone. We do not store voice. We do not store location. We do not log model names, file paths, or pipeline internals into any exported data.

Two consent records, kept separate

Every recording is gated by two independent consents. The operator consents at account creation as part of their employment with our customer. The space-owner consents per environment by scanning a QR code and reviewing the consent text on cepta.ai before clicking through. Neither record exposes the other; revoking one does not reveal anything about the other.

Revocation cascades

When a space-owner revokes consent, we immediately delete every recording associated with that environment from our storage and mark every session row in the database as deleted. There is no admin override that can un-revoke. The audit log preserves the fact that a deletion happened, not the deleted contents.

Where recordings live

Captured sessions are stored in Cloudflare R2 under a customer-specific prefix. Database rows are kept in Postgres with one tenant per database in production deployments. Customer data never sits next to another customer's data on the read path.

What we don't yet redact

We are direct about this. Today's redaction covers faces and license plates. It does not yet cover documents, screens, or paperwork that may appear in a scene. We treat the operator's body, hands, and clothing as the captured signal — those are the point of the recording. Document and screen masking is a tracked piece of follow-up work; we will update this page when it ships.

What we never share

Customer recordings are not sold, rented, syndicated, or shared with any third party. Recordings are not used to train any model outside the customer's own deployment. We do not aggregate across customers.