Five steps. One sealed record.
Tenant Trace doesn't claim to prove the unit's condition was good or bad. It claims something narrower and more useful: that a specific report existed at a specific time, untouched since.
Walk the unit. Tap to capture.
Each photo is taken inside the app, not picked from the camera roll. Tenant Trace saves the camera's original photo file bytes and seals the exact file with a SHA-256 fingerprint. GPS and the capture time are recorded in the report's manifest, kept separate from the photo file so the photo bytes stay verbatim. Any later change to the photo or the manifest shows up as a digest mismatch. Voice notes get on-device transcription. Nothing leaves the phone at this stage.
Room by room, condition by condition.
The app lays out the unit by room: condition rating, photo count, optional voice transcript, optional LiDAR floor area. The structure matters because a court, mediator, or property manager reads top-to-bottom. The aggregate fingerprint is recomputed every time the structure changes — so we know exactly what was sealed.
Lock the record. Anchor the fingerprint.
Sealing builds a canonical, pipe-delimited manifest: trace metadata, every room, every photo SHA, every video SHA — in a fixed order. The manifest is hashed once. That hash, the trace ID, the seal time, the region, and the role are sent to the public registry. We do not send photos, names, addresses, or voice. The PDF prints the seal hash and a verify URL.
Apple-authenticated. Either way is recorded.
You send a one-time link. The recipient signs in with their Apple ID and either co-signs or declines with a reason. Their Apple-verified email, name, role, IP address, user-agent, and timestamp are recorded by the co-sign service. Decline is a real, terminal state — not silence. The PDF reflects whichever happened.
Two ways to verify. One is stronger.
Each PDF page prints a QR and link pointing at verify.tenanttrace.app. The link alone confirms a trace was sealed at a specific time and is registered — but anyone could reuse a valid link, so the QR is not by itself proof of the file in front of you. To confirm the PDF is the sealed one, compare the printed seal code on the cover against the code shown by the verifier. To confirm the underlying photos and metadata have not been altered, verify the .ttbundle: the verifier re-hashes the bundle contents and matches against the registry. If a single byte changed, the bundle verify fails.
A trace with the printed ID is registered, the registry's seal hash is anchored, and the seal timestamp is real. To confirm the PDF you are holding is the sealed one, the printed seal code on the cover must match the code shown by the verifier — a link alone is not proof.
WHAT BUNDLE (.TTBUNDLE) VERIFICATION PROVESThe actual photos and metadata in the bundle re-hash to the value anchored at seal. If any byte was modified after seal, the verify fails. This is the strongest check.
WHAT VERIFICATION DOESN'T PROVEThat the report's contents are factually accurate. That a court will accept it. That the other party agrees with what's in it (use co-sign for that).