Inspiration

A news report stopped us cold: a man was robbed and shot after posting a photo of cash on social media. Someone saw it, found him, and acted. One photo. One moment of sharing. A life-altering consequence.

That story stuck. Because we all post photos — of our food, our wins, our people — without ever thinking about what those images silently carry. GPS coordinates embedded in the file. The exact device you used. The timestamp that places you somewhere at a specific time. A street sign in the background. A license plate in the reflection. We don't think about any of it. And that invisibility is exactly the danger.

Xyris was built because no one should lose their safety to a photo they meant to share in joy.


What it does

Xyris scans a photo for everything it quietly reveals — before you post it.

Drop in an image and Aegis (free, forever) instantly reads all hidden EXIF metadata: GPS coordinates, camera model, timestamps, software signatures. It surfaces each finding with a plain-language severity label, then strips it all out client-side using a canvas redraw. Your cleaned image downloads directly to your device. Nothing is uploaded. Nothing is stored.

Eclipse goes further. After stripping metadata, it sends the pixel data to an AI vision model that scans the image for visible risks — street signs, license plates, faces, recognizable landmarks. Findings come back as red bounding boxes overlaid on your image. Click any box to blur or redact it. Download the fully cleaned copy. Every scan is saved to your history.

Two tiers. One core rule: the sensitive half never leaves your device.


How we built it

The frontend is static HTML with a canvas-based processing pipeline — all metadata extraction and stripping happens in the browser before any data moves anywhere. For the AI scan tier, a metadata-stripped base64 payload goes to an Express + TypeScript backend on Render, which calls Claude Opus via OpenRouter and returns bounding box coordinates with risk labels.
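A complementary check for the pipeline described above, as an added example that is not Xyris's own code: a canvas export is expected to contain no Exif, XMP, IPTC or comment segments, and this sketch walks a JPEG's segment markers to confirm that, or to drop those segments directly from the bytes. The function names and the sample bytes are constructed for illustration.

```javascript
// Added example: walk JPEG segments and report or drop the ones that carry metadata.
// Marker numbers follow the JPEG/Exif layout; function names are hypothetical.
const META = { 0xE1: "APP1 (Exif/XMP)", 0xED: "APP13 (IPTC/Photoshop)", 0xFE: "COM (comment)" };

function walkSegments(bytes) {
  if (bytes[0] !== 0xFF || bytes[1] !== 0xD8) throw new Error("not a JPEG (missing SOI)");
  const segments = [];
  let pos = 2;
  while (pos + 4 <= bytes.length) {
    if (bytes[pos] !== 0xFF) throw new Error(`bad marker at offset ${pos}`);
    const marker = bytes[pos + 1];
    if (marker === 0xDA) break; // SOS: entropy-coded image data follows
    const len = (bytes[pos + 2] << 8) | bytes[pos + 3]; // length includes its own 2 bytes
    if (len < 2 || pos + 2 + len > bytes.length) throw new Error("truncated segment");
    segments.push({ marker, start: pos, end: pos + 2 + len });
    pos += 2 + len;
  }
  return { segments, rest: pos };
}

function findMetadata(bytes) {
  return walkSegments(bytes).segments
    .filter(s => s.marker in META)
    .map(s => ({ kind: META[s.marker], offset: s.start, size: s.end - s.start }));
}

function stripMetadata(bytes) {
  const { segments, rest } = walkSegments(bytes);
  const keep = [bytes.subarray(0, 2)]; // SOI
  for (const s of segments) if (!(s.marker in META)) keep.push(bytes.subarray(s.start, s.end));
  keep.push(bytes.subarray(rest)); // SOS header, scan data and EOI, untouched
  const out = new Uint8Array(keep.reduce((n, k) => n + k.length, 0));
  let o = 0;
  for (const k of keep) { out.set(k, o); o += k.length; }
  return out;
}

// Constructed sample: SOI, APP0 (JFIF), APP1 ("Exif\0\0" + 2 dummy bytes), COM, SOS stub, EOI.
const SAMPLE = Uint8Array.from([
  0xFF, 0xD8,
  0xFF, 0xE0, 0x00, 0x07, 0x4A, 0x46, 0x49, 0x46, 0x00,
  0xFF, 0xE1, 0x00, 0x0A, 0x45, 0x78, 0x69, 0x66, 0x00, 0x00, 0x2A, 0x00,
  0xFF, 0xFE, 0x00, 0x04, 0x68, 0x69,
  0xFF, 0xDA, 0x00, 0x02, 0x00, 0xFF, 0xD9,
]);
```

Running `findMetadata` on the bytes of the exported file, before it is downloaded or sent to any backend, turns "the metadata was stripped" into a check that can fail loudly.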

Auth, user profiles, and scan history live in Supabase with Postgres and row-level security. Credits are managed through atomic Postgres functions to prevent race conditions. Payments run through Stripe Checkout with webhook-verified credit provisioning. The whole thing deploys across Vercel (frontend), Render (API), and Supabase — with API keys never touching the client.


Challenges we ran into

The hardest problem was automating the detection of vulnerable visual data in photos. Getting the AI to reliably identify genuinely sensitive content — not just flag everything — required careful prompt engineering and iterative tuning of how we described risk to the model. Translating vague model findings into precise, clickable bounding boxes on a canvas added another layer of complexity. Fine-tuning the balance between sensitivity and noise was an ongoing process throughout the build.


Accomplishments that we're proud of

Shipping a full-stack product — frontend, backend, auth, payments, AI pipeline — in hackathon time, and having it actually work. The free tier delivers real, meaningful privacy protection with zero server involvement. The AI redaction tier genuinely detects and blurs sensitive visual content. The click-to-redact interaction feels polished. We built something we'd actually use, and that we'd trust to handle a photo we cared about.


What we learned

More than expected. We went deep on the EXIF metadata rabbit hole — the sheer volume of hidden data a single JPEG carries is genuinely alarming. We learned what it takes to build a full pay-per-use AI product end to end: credits, webhooks, idempotency, atomic balance math. We learned how vision models actually perceive and describe images — and where they're confident versus where they guess. And we learned how to ship fast without cutting corners that matter.


What's next for Xyris Vision

The hackathon was proof of concept. The real version is a proper SaaS — cleaner onboarding, tiered plans, and full mobile support so people can scan images directly from their phones before posting to Instagram, X, or anywhere else. The threat Xyris addresses happens on mobile, in the moment, right before you hit share. That's where it needs to live.
