Privacy-preserving matching · Input contract

Relevance without behavioral profiles is mechanically possible at the protocol layer.

"Privacy-preserving" is a claim that has been stretched until it means almost nothing. On the protocol layer it can mean something specific: the inputs to relevance are restricted to public, request-bound signals — context hints from the moment, sponsor declarations, and content provenance. The user is separated from the match by construction, not by promise.

See the FCS spec See the editorial firewall

What "privacy-preserving" means here, defined mechanically

A privacy claim is only as strong as the architecture that enforces it. "Privacy-preserving matching" on this protocol means three things, each verifiable by reading the input contract:

No user identifier participates in the match. No user ID, no device ID, no session cookie, no fingerprint hash. The match function does not take such a value as an argument.
No cross-site state is fetched at match time. The match does not call out to a profile store, an identity graph, or a data-management platform. It reads only the current request, the sponsor's published manifest, and content provenance headers.
No persistent state about the requester is written by the match. The match does not produce a profile entry, a cohort assignment, or a re-targeting signal as a side effect.

These three are the contract. If any of them fails, "privacy-preserving" is a marketing word, not an architectural property.

What is mechanically excluded

The protocol excludes a specific list of inputs from the matching function, not as a recommendation but as a definition. The matching function is forbidden from reading:

Any user identifier (cookie, device, account, hashed email, IP-derived).
Any IP-derived geo-bucket or coarse-location signal.
Any history of prior requests from the same agent or surface beyond the current conversation moment.
Any external profile, cohort, or audience-segment lookup.
Any third-party tracking pixel data or attribution chain.

If a system labels itself "contextual" but draws on any of these, it is doing behavioral matching with a contextual layer on top — not privacy-preserving matching as the protocol defines it.

How matching happens without those inputs

The full relevance mechanism is described on the sister page within contextual-ads.ai: see /trust-safe-relevance. The short version: the match function takes three public inputs (context hints describing the moment, sponsor declarations, content provenance) and returns a relevance score that is reproducible from those inputs alone.

This page is not a re-explanation of the relevance function. This page is the privacy contract that says what the relevance function is not allowed to take as input.

What is in vs out of the request

In the request (allowed)	Out of the request (excluded)
Context hints describing the current conversation moment	Any cookie, device ID, account ID, or fingerprint
Sponsor manifests at `/.well-known/agent-ad.json`	Any external profile store or identity graph
Content provenance headers (FCS) on the surrounding content	Any prior-request history beyond the current moment
Sponsor category and placement constraints	Any third-party attribution chain

"In the request" means: visible to the match function at decision time, derived from artifacts that exist independently of the requester. "Out of the request" means: not visible to the match function, by protocol definition.

Implementations may define the context window, but it must remain request-bound and non-identifying.

How this differs from "consent-based" and "no-tracking" claims

Two common claims sound adjacent but mean different things:

"Consent-based" advertising assumes a user identifier exists and asks permission to use it. The architecture still includes the identifier — it just gates access. If consent is granted, behavioral matching proceeds as normal.
"No-tracking" advertising is often a marketing claim that the display uses no trackers, while the match still draws on a profile maintained elsewhere.

Privacy-preserving matching on this protocol is neither of those. The identifier is not part of the match function's input set at all. The match function has no user identifier input to authorize.

The difference is architectural, not editorial.

Where this fits relative to OpenAI Ads

OpenAI Ads computes placement against conversation intent using context hints, landing-page content, and ad copy. Their product makes a strong, observable separation between the ad selection process and any user-account identifier on their platform; the ad-policies and product docs describe this as a buyer-side property of their system.

Privacy-preserving matching as a protocol generalizes that property: it specifies an input contract that other agent runtimes, ad systems, and verification tools can implement independently — without needing to share OpenAI's stack or trust OpenAI's policy enforcement.

OpenAI Ads can operate while honoring this contract. Agent runtimes that want a portable, verifiable privacy contract benefit from the protocol-level definition.

What this is not

Not a consent flow. There is no identifier to consent to.
Not a "cookieless" rebrand. The contract is at the match-function input layer, not at the display layer.
Not a guarantee about every implementer's deployment — the protocol defines the contract; implementations must follow it. Verification is the sister-page's job.
Not a regulated-product claim. "Privacy-preserving" here is a mechanical property of the matching function, not a compliance label for any specific regulation.
Not a partnership with any model provider or ad platform.

The governance counterpart — ads don't touch the answer agent-ads.org/editorial-firewall — Ad placement does not enter answer generation. Here is the separation contract →