Receipts now have a public backup nobody can edit, not even us

Your assistant sent a follow-up email last Tuesday. A year from now, the recipient says it did not say what you remember. Where is the proof, and who controls it?

Here is what was already true, and what changed this week.

What was already true

Every action your assistant takes produces a small record, like an itemized receipt. That receipt has been doing three jobs for a while.

One. The receipt carries a stamp only we can make. Anyone can check that the stamp is ours. If someone tries to fake a receipt, the stamp does not match.

Two. Every five receipts, we take a fingerprint of all five and post it on a public chain. The fingerprint cannot be quietly changed. If we ever tried to delete a receipt or reorder them, the public fingerprint and the actual records would no longer line up. The lie would show.

Three. The stamp we use is tied to a public name (operatoruplift) on that chain. You can look up the public name and see which stamp it points to. If we ever change stamps, the chain shows the change.

What was missing

The receipt itself lived only in our database. The public fingerprint catches deletions and reorderings, but it does not catch a single edit made between two fingerprint posts. In theory we could edit one receipt in the gap, restamp it, and the stamp would still look fine. That was the loophole.

What changed this week

Every receipt now also lives on a public backup network. The same record exists in two places: the convenient copy in our database, and a permanent copy anyone can fetch without an account. The public copy shows up on your security page as a small clickable link next to each receipt. If we edited our copy, the two would no longer match. That closes the loophole.

What this means in practice

Three things, in order of how often they matter.

It survives us. If we shut down tomorrow, your receipts do not vanish. The public copy lives on a network with many operators. You can show a third party what your assistant did for you without going through us.

Disputes get easier. If a client, a vendor, or your bookkeeper asks "did this happen?", you hand over the public link. They open it without an account. Either it matches the story you told them or it does not.

The next yes feels safer. You are more willing to let the assistant send an email when you know there is a record afterward that nobody can quietly change. The stack underneath, stamp + chain fingerprint + public name + public copy, is there so the next tap feels safe.

Why we waited

A couple weeks ago we said the public copy was not in scope yet. The honest reason was that we wanted to ship it well or not at all. A half-wired public copy would be worse than none. It works now because the full round trip works: you tap, the action runs, the receipt is stamped, the public copy lands, the link appears on your page. If any step breaks, the link stays hidden until it works. We do not claim it is there when it is not.

A footnote on the demo voice

The narration in our latest product video was made with an AI voice service you can also reach through us. We mention it because we have a rule that anything in our marketing that looks like a feature should be a real one we use ourselves. The voice is one example. The receipts are the bigger one.