Executive summary
The short version: protect the person first.
Most apps collect more than they need and store it somewhere the user cannot see. PokoPod takes a different
route: keep sensitive information close to the user, reveal less to websites, and explain risks in language
people can act on.
Product scope
Local Vault
Stores profile details, masks, notes, files, site rules, agreement summaries, activity events, and vault state.
Browser Extension
Detects legal links and sign-up or purchase moments, requests masked identities, and sends relevant context to the local bridge.
Local Bridge
Connects the desktop app and extension over the local machine, keeping the Local Pod as the source of truth.
Pod-to-Pod
Uses receiver Pod IDs, transfer tickets, safety-code comparison, and encrypted background transfer for direct pod exchange.
Pod foundation
PokoPod uses Community Solid Server as part of its local pod foundation. This fits the product’s broader
direction: personal data should sit in a user-controlled pod rather than being absorbed into a central
service database by default.
Core security principles
- Device-first ownership: the user's device is the default home for sensitive vault data.
- Zero-knowledge intent: PokoPod is designed so Poko Labs cannot browse or read vault contents.
- Data minimization: bridge and relay flows should use the least metadata needed to complete the task.
- Permissioned access: provider queries should require explicit user authorization.
- Readable accountability: alerts, summaries, grades, and receipts should be explainable to non-technical users.
- Recoverability without custody: users need recovery workflows, but Poko Labs should not hold a master key.
Current protection model
Vault data
Identity records are stored in a local encrypted SQLite/SQLCipher vault.
Key handling
The SQLCipher key is generated from OS randomness and wrapped with Windows CNG.
Recovery
Recovery material uses Argon2-derived encryption, AES-256-GCM-SIV, salts, nonces, and a Windows Vault Guard wrapping layer.
Bridge
The local relay binds to 127.0.0.1 by default and can require a local auth header for sensitive routes.
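As an added illustration, not PokoPod's own bridge code, the bridge behaviour described above (loopback-only binding, a local auth header required on sensitive and state-changing routes) in Python. The header name, the sensitive route list and the per-session token generation are assumptions made for this example.

```python
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

BIND_ADDR = "127.0.0.1"            # loopback only; never 0.0.0.0
TOKEN_HEADER = "X-Bridge-Token"    # assumed header name for the local auth header
SENSITIVE_PATHS = {"/vault/items", "/identity/mask", "/transfer/ticket"}  # assumed routes
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def new_bridge_token():
    # Per-session secret shared with the extension out of band; never logged.
    return secrets.token_urlsafe(32)


def authorize(method, path, headers, expected_token):
    """Decide whether a bridge request may proceed. Returns (allowed, status, reason)."""
    route = path.split("?", 1)[0]  # ignore the query string when matching routes
    needs_auth = method.upper() in STATE_CHANGING or route in SENSITIVE_PATHS
    if not needs_auth:
        return True, 200, "public read-only route"
    presented = headers.get(TOKEN_HEADER)
    if presented is None:
        return False, 401, "missing bridge token"
    # Constant-time comparison so a wrong token leaks no timing information.
    if not hmac.compare_digest(presented.encode(), expected_token.encode()):
        return False, 403, "bad bridge token"
    return True, 200, "authorized"


def make_handler(expected_token):
    class BridgeHandler(BaseHTTPRequestHandler):
        def _handle(self):
            allowed, status, reason = authorize(self.command, self.path, self.headers, expected_token)
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(reason.encode())

        do_GET = do_POST = do_PUT = do_PATCH = do_DELETE = _handle

        def log_message(self, *args):
            pass  # keep request paths and tokens out of stdout

    return BridgeHandler


def serve(token, port=0):
    # Binding to BIND_ADDR keeps the relay unreachable from other hosts on the network.
    return HTTPServer((BIND_ADDR, port), make_handler(token))


if __name__ == "__main__":
    token = new_bridge_token()
    server = serve(token, 8765)
    print("bridge listening on", server.server_address)
    server.serve_forever()
```

A read-only route such as a health check stays open, while anything that changes vault state or touches a sensitive route is refused without the correct header.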
Threat model themes
PokoPod focuses on reducing exposure from centralized data collection, hidden contractual terms, broad
service-provider access, and casual leakage of private identity details. Local malware, compromised device
accounts, weak operating-system security, and recovery-material mishandling remain important risks outside
any app’s complete control.
Human-led architecture and AI-assisted build
PokoPod has been built with the help of AI tools, but the product direction, privacy model, security
boundaries, and architectural decisions remain human-led. The founder remains the architect of the system:
AI has assisted with implementation, drafting, iteration, and exploration, while the accountability for
what PokoPod is meant to protect stays with Poko Labs.
This matters for security and trust. PokoPod should not be understood as an autonomous AI product making
unsupervised decisions about user data. It is a deliberately designed privacy system that may use AI in
bounded ways, with human judgement setting the product principles and data boundaries.
AI is also part of how PokoPod can stay relevant as the internet changes. Terms, tracking practices,
subscription models, checkout patterns, and privacy risks evolve quickly, and PokoPod is intended to keep
learning how to explain those risks in language users can act on.
The goal is not to restrict people from using the internet. The goal is to help them use it with more
safety, context, and control: understanding what they are agreeing to, reducing unnecessary exposure, and
choosing when their personal data should or should not be shared.
Audit readiness and open-source intent
PokoPod is built on the Tauri framework, using a Rust-backed desktop architecture rather than a
traditional Electron-style bundle. This choice supports a smaller, more controlled native surface for the
desktop client and aligns with the product's device-first security goals.
Poko Labs intends to explore open-sourcing parts of the Poko Sentry logic later, so users, researchers,
and partners can inspect how legal risks, agreement summaries, and warning signals are interpreted.
Known hardening roadmap
- Enable a strict Tauri Content Security Policy for release builds.
- Reduce filesystem allowlists to the smallest required scope.
- Disable internal admin-auth bypasses before production use.
- Require stronger local bridge auth for state-changing routes.
- Narrow extension content-script matches where possible.
- Add Rust advisory scanning and a release security checklist.
Customer guidance
Install PokoPod only from trusted distribution channels, keep Windows, WebView2, browsers, and PokoPod
updated, protect access to the local Windows account, and never share recovery phrases, private keys,
master passwords, or local pod data.