1. What OwnYou does
OwnYou is an attribution protocol. Your wallet — a Manifest V3 browser extension — runs on your device and discloses a small set of consented audience claims to publisher pages running the OwnYou Publisher SDK. When an advertiser running the OwnYou Advertiser SDK targets you and the bid wins, your wallet generates a per-(campaign, rotation) HD-derived payout address, posts an encrypted delivery payload directly to that advertiser, and watches the on-chain escrow contract for settlement. When settlement happens, testnet USDC arrives at your wallet — visible on BaseScan and in the wallet dashboard at app.ownyou.app.
OwnYou the protocol operates no centralised service on the data or payment path. There is no
api.ownyou.app. Every protocol step runs direct: wallet ↔ publisher, wallet ↔ DSP,
wallet ↔ advertiser, wallet ↔ Base Sepolia public RPC.
2. Anonymity & PII — what your wallet shares and what it strips
Slice 1 is the install-time consent flow. On your first PWA visit, your wallet asks once what it will share — and what it strips. You see the same summary in Settings → Disclosure (read-only in Slice 1; editable preferences land in a later release).
What your wallet shares
- Interests — IAB Audience Taxonomy 1.1 segments that classify above your wallet's confidence threshold (Travel, Technology & Computing, Food, Hobbies & Interests, Pets, Education, Health, etc.).
- Purchase Intent — IAB Audience Taxonomy 1.1 segments indicating buying interest (travel-booking, electronics-shopping, etc.).
- Demographics — coarse buckets: age range, gender, marital status, employment status. Not exact age, not exact location.
- Household profile — number of adults, number of children, property type. Not addresses.
What your wallet strips before anything leaves your device
- Your name.
- Your email address.
- Your wallet seed and any seed-derived address the advertiser does not need (advertisers see only the per-(campaign, rotation) HD-derived payout address).
- URL paths beyond the originating publisher's domain.
- Cross-campaign linkage. The selective-disclosure proof's pseudonym is bound to the publisher's origin only — different campaigns and different publishers cannot correlate your activity through this surface.
3. Rotation & per-campaign HD-derived payout addresses
Each campaign you deliver against sees a fresh per-epoch payout address derived from your
wallet seed using HD-derivation (BIP-32-style). The advertiser sees a per-campaign
identity, not a wallet identity. Settlement is batched per epoch — one on-chain release per
(campaign, rotation), never per impression — so settlement gas is bounded, much as traditional
ad-tech invoices in aggregate rather than per impression.
Slice 1 starts with rotation counter 0 only; post-payment rotation to counter 1 lands in Slice 2. Either way, the principle is the same: the advertiser learns about a per-campaign recipient, not about you.
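The following is an added example, not OwnYou's own code: it derives one hardened BIP-32 key per (campaign, rotation) from a single seed, so each advertiser sees a key that cannot be linked to its siblings without the seed. The path `m / campaign' / rotation'`, the `campaignIndex` mapping and all function names are assumptions; the page states only that derivation is BIP-32-style.

```javascript
// Added example: hardened BIP-32 derivation of one key per (campaign, rotation).
const { createHmac, createHash, createECDH } = require('node:crypto');

// Order of the secp256k1 group.
const N = BigInt('0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141');
const HARDENED = 0x80000000;

const hmac512 = (key, data) => createHmac('sha512', key).update(data).digest();
const toBuf32 = (n) => Buffer.from(n.toString(16).padStart(64, '0'), 'hex');
const toBig = (buf) => BigInt('0x' + buf.toString('hex'));

// BIP-32 master node: private key and chain code from the wallet seed.
function masterNode(seed) {
  const I = hmac512('Bitcoin seed', seed);
  return { key: toBig(I.subarray(0, 32)), chain: I.subarray(32) };
}

// BIP-32 hardened child. The HMAC input contains the parent *private* key,
// so holding one child's public key gives no way to derive or link siblings.
function hardenedChild(parent, index) {
  const ser32 = Buffer.alloc(4);
  ser32.writeUInt32BE((index | HARDENED) >>> 0);
  const data = Buffer.concat([Buffer.from([0]), toBuf32(parent.key), ser32]);
  const I = hmac512(parent.chain, data);
  const il = toBig(I.subarray(0, 32));
  const key = (il + parent.key) % N;
  if (il >= N || key === 0n) throw new Error('invalid child key; use the next index');
  return { key, chain: I.subarray(32) };
}

// Hypothetical mapping from a campaign id to a 31-bit index (not from the OwnYou spec).
function campaignIndex(campaignId) {
  return createHash('sha256').update(campaignId).digest().readUInt32BE(0) & 0x7fffffff;
}

// Assumed path m / campaign' / rotation'. Returns the compressed secp256k1 public
// key; the on-chain address is derived from this key (Keccak-256 step omitted,
// since Node's built-in crypto does not provide it).
function payoutPublicKey(seed, campaignId, rotation) {
  const campaign = hardenedChild(masterNode(seed), campaignIndex(campaignId));
  const node = hardenedChild(campaign, rotation);
  const ecdh = createECDH('secp256k1');
  ecdh.setPrivateKey(toBuf32(node.key));
  return ecdh.getPublicKey('hex', 'compressed');
}

const seed = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex'); // constructed seed
console.log(payoutPublicKey(seed, 'campaign-A', 0));
console.log(payoutPublicKey(seed, 'campaign-B', 0));
```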
4. The IP-address caveat
Your network IP address is visible to the advertiser at the HTTP layer when the wallet POSTs your ad delivery. The OwnYou protocol cannot strip this — it is a property of how the internet works. If IP-level anonymity matters to you, use Tor / VPN / Apple Private Relay. The wallet emits no IP-related signal beyond what your browser would emit when loading any web page.
This is why OwnYou's anonymity promise is honest about its boundary. The protocol can make your audience disclosures cryptographically unlinkable across campaigns; it cannot make the underlying TCP connection from your browser to the advertiser's server invisible. Tor, a reputable VPN, or Apple Private Relay solve the IP-layer problem at the network layer where it belongs — the wallet does not add a second one.
5. What advertisers receive
When an advertiser bids on you and wins, your wallet builds a DisclosureGrant — a cryptographic object carrying only the audience claims you consented to share at install time — and a delivery payload with an ElGamal-encrypted tracking ID (only the specific advertiser can decrypt; OwnYou cannot) and a DLEQ proof binding the disclosure to the recipient address. The DisclosureGrant tells the advertiser:
- Which IAB Audience Taxonomy 1.1 segments you classified into (with confidence levels) — the slice you consented to share.
- Which demographic buckets you fall into — coarse, not exact.
- A campaign-bound pseudonym that proves you're the same recipient as the previous delivery in this epoch — but is unlinkable to other campaigns and other publishers.
- A per-(campaign, rotation) HD-derived payout address — the destination for settlement.
The DisclosureGrant does not carry your name, email, wallet seed, browsing history, URL
paths, or any cross-campaign correlation tag. The cryptographic shape is published as a JSON
schema in @ownyou/metadata-interop; if you want to read the wire format, the
protocol design doc is linked below.
6. Why testnet earnings (for now)
Slice 1 is the foundation tracer bullet — the first publicly-accessible run of the OwnYou protocol end-to-end with real cryptographic primitives, real on-chain settlement, real pilot users. We picked Base Sepolia (Coinbase's testnet, chainId 84532) because it has stable RPCs, public-faucet ETH, and BaseScan source verification — the same chain we'll ship mainnet on after the security audit. Earnings are testnet USDC, faucetted from a mock-USDC contract we deployed alongside the escrow.
Mainnet (chainId 8453) is a later-slice deliverable after a security audit on the escrow contract. The shape of the wallet, the cryptographic primitives, and the on-chain settlement path are the production shape now; only the chain ID changes.
7. Read the source
- GitHub source repository — the full Slice 1 implementation lives here.
- Architecture & requirements docs — the protocol's normative specification.
- Architecture Decision Records (ADRs) — the decisions that shaped Slice 1.
- Slice 1 design doc — the implementation reference.
- OwnYou privacy policy — what data leaves your device, and what stays local.