Whitepaper

A verified, anonymous civic platform for elected representatives and the people they represent.

Sebestyén S. Borza · Version 1.4 · May 2026

Section 01

What we're building

Voteum is a civic platform that connects elected representatives with their voters. Reps publish every legislative vote with a plain-language summary, run polls and idea boxes inside their community, and see how aligned they are with their actual supporters. Voters verify their identity once, configure a personal AI guide, and express opinions anonymously on the decisions that affect them.

The platform is governed by an independent non-profit foundation, not a private company. The voting cryptography, the alignment scoring, and the default AI guide prompt are open source. Privacy is structural, not a policy promise: the rep never sees who's in her community, and no part of Voteum holds both a voter's identity and her opinions.

Section 02

The problem

Modern democracy has an information problem on both sides.

Most representatives know little about what their voters want or how a decision will affect voters' lives. They rely on polls (generic, infrequent), donors (biased), activists (loudest), social media (bots), and election results (binary, retrospective). Between elections, the link between elected and electors is weak. Representatives govern mostly on instinct and become vulnerable to challengers who claim to listen better.

Most engaged voters don't know what their representatives are doing. They have between four and forty elected officials affecting their daily lives across district, city, parliament, and EU levels. They won't read legislation, can't track votes, and find traditional polling generic and patronising. Their day-to-day influence is close to zero; information from news outlets is one-way.

Voteum closes both gaps with one product. Reps get a structured, anonymous signal from their real, verified supporters. Voters get a credible, private channel into the decisions affecting them. AI takes over the reading and explaining; the platform handles the verification, the privacy, and the aggregation.

Section 03

How it works

Voteum is a two-sided product with three surfaces:

  • Public web (voteum.org). Landing page, the EU-wide directory of elected representatives, the public wishlist of reps not yet on the platform, and a public preview page for every published decision summary.
  • Representative web dashboard. Reps register decisions (real legislative votes), generate AI summaries, run polls and idea boxes, configure community eligibility rules, and see aggregate signal from their community.
  • Voter mobile app (iOS, Android). Voters verify identity once, browse and join representative communities, configure a personal AI guide, and express anonymous positions on decisions, polls, and ideas.

Three engagement types

Decisions are jurisdiction-wide: a voter only needs to belong to one community to express positions on every legislative item in her area. Polls and idea boxes stay community-private.

Bottom-up rep onboarding

Voteum doesn't depend on cold outreach to representatives. Voters can browse the public directory of every elected official in their jurisdiction, upvote ones they want to see active, and add reps not yet listed. When a rep crosses an upvote threshold, Voteum sends her a warm invitation citing the social proof: "X verified voters in your district have publicly asked for you to be here." This converts cold outreach into warm endorsement, makes representative absence visible, and starts the network effect on the voter side rather than the harder-to-acquire representative side.

What Voteum is not

  • Not a campaign CRM. NationBuilder occupies that category.
  • Not a referendum tool. Binary aggregation reproduces polarisation; deliberation does not.
  • Not a blockchain platform. Cryptography is plumbing, not the value proposition.
  • Not a tool for direct democracy on rights questions. Minority rights are not subject to majority vote.
  • Not an editorial AI. The guide explains, it never recommends positions.
  • Not a tool for representatives who want plausible deniability about their votes.

Section 04

The privacy guarantee

The defining property of Voteum is structural separation between identity and expression.

The rep is guaranteed that everyone in her community is real, unique, and in-jurisdiction. The voter is guaranteed that her identity is never visible to the rep — and that no single Voteum component holds both her identity and her opinions. Even an administrator cannot answer "how did this voter vote on that decision?" because the database simply does not contain the link.

Verification at MVP — Didit, with EUDIW later

When a voter onboards, Didit verifies her ID document and liveness on her phone. Voteum's identity service receives only a derived payload over a secure webhook: a one-way hash of the document number, residence country code, an age-over-18 boolean, and (where applicable) eligibility flags for sub-national jurisdictions. The raw KYC artefacts — document image, name, exact date of birth, document number — are held by Didit per a contractual 24-hour deletion policy and are never on Voteum's infrastructure.

The European Digital Identity Wallet (EUDIW, eIDAS 2.0) is the future and is even better aligned with Voteum's privacy posture: selective disclosure, unlinkability across relying parties, recognised under EU law. Voteum integrates EUDIW in Phase 2/3 once Member State coverage justifies it. The identity service is built behind a KycProvider interface so EUDIW slots in without changes elsewhere.

Anonymous credentials

The identity service issues an anonymous credential to the voter's device — a cryptographic token (BBS+ signatures or equivalent) proving she is a real, unique, eligible voter without revealing who she is. When the voter later joins a community or expresses a position, she presents this credential. The expression service verifies it cryptographically and records her position against the credential — never against an identity.

Identity and expression run on separate infrastructure: separate databases, separate hosting tenancies, separate operators, no shared keys. Even a successful breach of one service does not yield voter privacy.

One person, one credential — even across two phones

If a voter installs Voteum on a second device and tries to KYC again with the same document, Didit produces the same one-way hash. The identity service detects the duplicate and revokes the first credential before issuing the second. At any moment a voter has exactly one valid credential.

The hash is computed by Didit using a Voteum-provided secret salt with HMAC-SHA-256, so a database breach reveals 256-bit random-looking strings that are infeasible to reverse to the original document number. The collision probability is roughly one in 10^38 — a comfortable margin against the entire human population.
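The duplicate-detection flow described above, sketched as an added example (not Voteum's or Didit's code). The payload field names, the canonicalisation step and the random handle standing in for the anonymous credential and its revocation mechanism are assumptions of this example; the 12-month lifetime comes from the re-verification rule.

```python
import hashlib
import hmac
import secrets
import unicodedata
from datetime import datetime, timedelta

CREDENTIAL_LIFETIME = timedelta(days=365)  # credentials expire after 12 months


def document_hash(secret: bytes, document_number: str) -> str:
    """HMAC-SHA-256 of the document number under the Voteum-provided secret.

    Canonicalisation is an assumption of this example: without it the same
    passport typed as "ab 123456" and "AB123456" would hash differently and
    slip past duplicate detection.
    """
    canonical = unicodedata.normalize("NFKC", document_number)
    canonical = "".join(canonical.split()).upper()
    return hmac.new(secret, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


class IdentityService:
    """Holds document hashes and credential handles only, never raw KYC data."""

    def __init__(self) -> None:
        self._active: dict[str, str] = {}       # document hash -> live handle
        self._expiry: dict[str, datetime] = {}  # handle -> expiry time
        self.revoked: set[str] = set()

    def on_verified(self, payload: dict, now: datetime) -> str:
        """Handle the derived webhook payload (field names are hypothetical)."""
        if payload["age_over_18"] is not True:
            raise PermissionError("voter is not eligible")
        doc_hash = payload["document_hash"]
        previous = self._active.get(doc_hash)
        if previous is not None:
            # Same document seen before: revoke the first credential,
            # then issue the second, so only one is ever valid.
            self.revoked.add(previous)
        handle = secrets.token_hex(16)  # stand-in for the anonymous credential
        self._active[doc_hash] = handle
        self._expiry[handle] = now + CREDENTIAL_LIFETIME
        return handle

    def is_valid(self, handle: str, now: datetime) -> bool:
        expiry = self._expiry.get(handle)
        return expiry is not None and handle not in self.revoked and now < expiry
```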

Anonymous, but unforgeable, with no double-voting

When the voter casts a vote on a decision, her device produces two artefacts:

  • A zero-knowledge proof that her credential is valid — verifiable by anyone, without revealing which credential it is.
  • A nullifier — a one-time stamp derived from her credential's secret key and the decision ID.

The same voter on the same decision always produces the same nullifier; the same voter on different decisions produces unlinkable nullifiers; nobody but the voter can produce her nullifier. The expression service rejects any nullifier already seen for that decision. Double-voting is mathematically impossible without breaking the credential.
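The nullifier rule above, as an added example rather than Voteum's protocol code. It assumes HMAC-SHA-256 as the pseudorandom function and a hypothetical domain-separation tag, and it leaves out the zero-knowledge proof that, in the scheme described, ties each nullifier to a valid credential.

```python
import hashlib
import hmac
import re
from collections import Counter

DOMAIN = b"example-nullifier-v1\x00"  # domain-separation tag, an assumption here
_HEX64 = re.compile(r"[0-9a-f]{64}")


def nullifier(credential_secret: bytes, decision_id: str) -> str:
    """PRF(credential secret, decision ID), with HMAC-SHA-256 as the PRF.

    Deterministic per (secret, decision); without the secret, outputs for
    different decisions cannot be linked to one another.
    """
    msg = DOMAIN + decision_id.encode("utf-8")
    return hmac.new(credential_secret, msg, hashlib.sha256).hexdigest()


class ExpressionService:
    """Stores nullifiers and positions; it never sees a credential secret."""

    def __init__(self) -> None:
        self._seen: dict[str, set[str]] = {}    # decision ID -> nullifiers seen
        self._tally: dict[str, Counter] = {}    # decision ID -> position counts

    def cast(self, decision_id: str, null: str, position: str) -> bool:
        # The described service would first verify the zero-knowledge proof
        # binding this nullifier to a valid credential; that step is omitted,
        # so this sketch trusts the submitted nullifier.
        if not _HEX64.fullmatch(null):
            return False
        seen = self._seen.setdefault(decision_id, set())
        if null in seen:
            return False  # second expression on the same decision: rejected
        seen.add(null)
        self._tally.setdefault(decision_id, Counter())[position] += 1
        return True

    def tally(self, decision_id: str) -> dict:
        return dict(self._tally.get(decision_id, {}))
```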

Receipt-free voting

The voter receives a cryptographic receipt — she can verify her vote was counted, without proving to anyone how she voted. This is the property that prevents vote-buying and coercion.

Re-verification

Anonymous credentials expire after 12 months. Voters renew by re-completing the KYC flow. This keeps the identity layer current and prevents inactive accounts from retaining platform privileges indefinitely.

Section 05

People and roles

Role 01

Voter

Adult EU resident with a smartphone. Verifies identity once via Didit. Joins communities, configures her AI guide, expresses positions, upvotes reps.

Role 02

Representative

Elected office holder. Verifies her identity as the relevant official. Pays a subscription. Opens a community, registers decisions, runs polls and idea boxes, sees only aggregate community properties — never individual voters.

Role 03

Foundation board

Governs the platform itself. Initial seats are filled by the two founders. Civil society, technical, voter, and representative seats fill through the foundation's charter procedure as the platform launches.

A voter can belong to many communities at once — district, city, national, EU. Joining a community requires verified residence in the rep's jurisdiction. Where the rep requires extra eligibility (residence at a specific address, property ownership, business ownership), the voter supplies an additional document; the document is checked and discarded post-verification.

Section 06

Engagements

Decisions

A decision corresponds to a real legislative vote a rep is casting — a council motion, a parliamentary bill, an EP plenary vote. Voteum monitors official agendas via legislative APIs and surfaces upcoming items on each rep's dashboard. The rep can register her vote, attach the source text and any appendices, and the AI summariser generates a plain-language summary grounded in the source with citations preserved. The rep can edit the summary before publishing; she cannot block its publication. Voters in the jurisdiction can express their position before the chamber vote (advisory) or after (retrospective alignment signal). Aggregates roll up into the rep's alignment score over time.

Polls

A poll is a question the rep initiates for her community alone. Used for testing positions, gauging sentiment, asking about non-binding topics. Voting windows default to 72 hours. To prevent attention fatigue, each rep is limited to four polls per month plus one critical pinned poll outside the limit.

Idea boxes

An idea box is open submissions from a rep's community. Voters propose ideas anonymously; other voters upvote them. The rep sees ranked ideas and can promote a top one into a poll or a registered decision. This is how community-originated proposals enter the formal flow — the inverse of the rep-initiated poll.

The AI surfaces

Two AI surfaces are central to the product. The platform default is Anthropic Claude.

Rep side

AI summariser

Generates plain-language summaries of legislative items grounded in cited source text. Default prompt is open source and editorially reviewed by the foundation. Hallucination is mitigated by source-text grounding, refusal-to-summarise on missing source, and rep edit before publish.

Voter side

AI guide

A personal navigation assistant the voter configures herself. Watches every rep she follows, surfaces what matters to her, explains why. The voter can edit the system prompt in markdown, and plug in her own LLM via API key. The guide explains; it never recommends a position — enforced in the default prompt, the eval suite, and as a constitutional foundation rule.

Section 07

Governance

Voteum is governed by an independent non-profit foundation, structurally separate from the operating company that builds and sells the product. The foundation owns the voting cryptography, the alignment-scoring spec, the default AI guide and summariser prompts, and the editorial standard. The operating company licences these from the foundation under terms that let the foundation revoke the licence if the operating company materially violates the platform's constitutional principles.

This separation addresses the failure mode of Italy's Rousseau (the platform that powered the Five Star Movement before the relationship broke down in 2022): when a single private actor controls critical political infrastructure, that infrastructure becomes hostage to the actor's business interests. The foundation model is also used by Mozilla, Wikimedia, and Signal.

Legal entities

Non-profit

Stichting Voteum

The foundation is a Dutch stichting. The Netherlands offers a mature, internationally recognised non-profit framework with strong governance precedent and is insulated from any one Member State's domestic political climate.

Operating company

Voteum operating entity

Incorporated separately in a jurisdiction selected for service-business efficiency. Candidates under evaluation: an EU jurisdiction (Estonia, Ireland, or the Netherlands) or the United Arab Emirates. GDPR data-controller responsibility sits with the operating company regardless of domicile.

The two entities are independent: the foundation domicile is fixed; the operating-company domicile can change without re-papering the foundation.

Foundation board

  • Founders (2 seats). Founders at platform launch. Term: 5 years, renewable.
  • Civil society (2 seats). Nominated by participating NGOs and democratic-engagement organisations. Term: 3 years.
  • Technical (2 seats). Nominated by open-source contributors and security auditors. Term: 3 years.
  • Voter representatives (2 seats). Elected by verified voters across jurisdictions. Term: 2 years.
  • Representative seat (1 seat). Elected by participating representatives. Term: 2 years.

Operational decisions are made by two-thirds majority. Constitutional decisions — voting cryptography, the anonymisation guarantee, the editorial standard for the default AI guide — require unanimity. All board votes are public.

Open source and audit

The voting protocol, alignment scoring, and default AI prompts are open source under a permissive licence. External security audits run annually and are published in full. Anyone can run their own instance of the core protocol; the foundation does not enforce monopoly.

Section 08

Business model

Voteum is a subscription business. No advertising. No sale of individual user data — ever.

Principles

  • Representatives pay. They are the institutional users who derive direct professional value from the platform: a structured supporter signal, alignment scoring over time, and public credibility with their voters. The subscription scales with the office — from local councillor to MEP.
  • Voters participate free. The platform's legitimacy depends on broad, inclusive voter access. Charging voters at the door would compromise the democratic premise and stall the network effect on the side that is hardest to acquire.
  • A voter paying tier comes later. Once the free product is mature, an optional paid tier opens advanced AI configuration, side-by-side rep comparisons, and richer personalisation. The free tier always retains full access to communities, decisions, polls, idea boxes, and the default AI guide.
  • The AI guide may use a token. Voters can plug in their own LLM (BYO-LLM) at any time and pay their provider directly. For voters who prefer the platform default, a usage-metered token may meter inference credits — the token is a settlement instrument for AI usage, not a speculative asset and not the core business model.
  • No advertising. No individual-data sale. Cross-community aggregates — never individual records — may later be licensed to media, NGOs, and academic researchers under foundation-approved use cases.

Foundation funding

Royalty arrangement

The operating company pays the foundation a royalty of 7% of gross subscription revenue in exchange for the protocol licence (voting cryptography, alignment-scoring spec, default AI prompts, editorial standard).

The royalty funds annual cryptographic audits, the editorial board, EUDIW integration work, and the foundation's ongoing operations. Compensation for foundation-funded roles is capped to keep the foundation low-profit by design. Income above the cap is reinvested in open-source development, security audits, and infrastructure for voter and representative seat elections.

Section 09

Security and risk

Cryptographic foundations

  • Anonymous credentials issued via BBS+ signatures (or equivalent). Mature academic and industrial cryptography.
  • End-to-end verifiable voting in the Helios / Belenios protocol family. Cryptographic receipts for voters.
  • Tamper-evident audit log backed by a Merkle tree, in the style of Certificate Transparency. Public and verifiable. No blockchain required.
  • Split storage. Identity and expression run on separate infrastructure with no shared keys. Compromise of one does not yield voter privacy.

Sybil resistance

One credential per natural person. Document-hash duplicate detection prevents two-account-from-same-passport attacks. Twelve-month re-verification prevents stale or transferred accounts from accumulating. Where digital identity infrastructure is weak, an optional peer-verification layer can be enabled per jurisdiction.

GDPR

Lawful basis: explicit consent — freely given, specific, informed, withdrawable. Data minimisation: identity data is held only by Didit (deleted within 24 hours per the processor agreement); Voteum holds the document hash and eligibility flags. Voter expression data is anonymous and cannot be linked back to identity, even by the platform. Article 30 records of processing are maintained. DPIA per jurisdiction. Appointed DPO. 72-hour breach notification protocol.

AI-specific risks

  • Editorial bias in the default guide. Mitigation: Voter-configurable system prompt, BYO-LLM, public default prompt with editorial board oversight, right to fork.
  • Hallucination. Mitigation: Source-text grounding with citations, refusal-to-summarise on missing source, rep edit before publish.
  • Position-recommendation creep. Mitigation: Structurally prohibited; enforced in the default prompt, eval suite, and as a constitutional rule.
  • Adversarial prompt injection. Mitigation: Standard LLM hardening, segregated context windows, human review for unusual flows.
  • BYO-LLM data exposure. Mitigation: Clear disclosure when routing data to a third-party LLM; voter chooses the provider.

Operational risks

  • Coordinated upvote manipulation. Mitigation: Upvotes tied to KYC-verified, in-jurisdiction credentials; anomaly detection on synchronised bursts.
  • Hostile community infiltration. Mitigation: Verified residence required; statistical anomalies in community composition detectable.
  • Vote buying or coercion. Mitigation: Receipt-free voting; voter cannot prove how she voted to a third party.
  • Foundation capture by political faction. Mitigation: Multi-stakeholder board; constitutional changes require unanimity.
  • Operating-company drift toward extraction. Mitigation: Foundation can revoke the protocol licence.
  • Single KYC vendor at MVP. Mitigation: Onfido or Persona contracted as Plan B with documented switchover plan.
  • KYC / LLM vendor lock-in. Mitigation: Provider-agnostic abstractions; multiple providers integrable; voter BYO-LLM as built-in escape hatch.

Open audit posture

Architecture documents, protocol specs, open-source code, and external audit reports are published. The foundation maintains a responsible disclosure process and a bug bounty programme.

Section 10

Roadmap

Phase 01 Months 1 – 6

MVP

Public web (landing, directory, wishlist), representative dashboard (KYC, payment, eligibility config, decisions / polls / idea boxes, AI summary, alignment score, social sharing, legislative-API ingestion), voter mobile app (Didit KYC, anonymous credential, AI guide with BYO-LLM, anonymous expression), backend services with hard identity-expression split, external cryptographic audit. Foundation incorporated, founder seats filled, editorial standard published.

Phase 02 Months 7 – 12

Hungarian pilot

Twenty paying reps in Hungary across district mayors, councillors, and MPs. 5,000 verified voters across multiple Budapest districts and two mid-sized Hungarian cities. Vienna validation begins. EUR 30–50k MRR by the end of month 12. EUDIW integration begins in Member States where the wallet is live.

Phase 03 Months 13 – 24

Western EU expansion

200 paying reps across Hungary, Austria, Czechia, Slovakia, with first Western EU expansion (Vienna full coverage, Berlin pilot). 50,000 verified voters. EUR 250–400k MRR by end of month 24. EUDIW live in 5–10 Member States. Open-source community active; first independent third-party audit.

Phase 04 Year 3 and beyond

Scale

Additional EU jurisdictions and language localisations. Formal eIDAS QES certification work where it enables legally binding decisions. Foundation operations mature: editorial board fully staffed, regular external audits, transparent annual report.

Section 11

Team

Founders

Sebestyén S. Borza
Chief executive. Vision, business development, foundation, fundraising, operations.
István Tóth
Chief technology officer. Engineering, AI infrastructure, identity-expression separation, security architecture.

Advisors

Gábor Kiss
Analytics. Data architecture, alignment scoring, AI engineering.
Karola Kassai
Legal. GDPR, KYC, EUDIW alignment, foundation legal structure, jurisdictional compliance.

The two founders form the initial foundation board (founder seats). Advisors support the founders and the operating company on their respective domains. The remaining foundation board seats — civil society, technical, voter, and representative — fill through the charter procedure as the platform launches.

Hiring priorities (next 12 months)

Senior backend engineer with cryptography experience. Mobile engineer (iOS and Android, React Native). Front-end engineer for the representative dashboard. Customer success and onboarding specialist (Hungarian and German speaking). Editorial lead for the default AI guide system prompt and content standards.

Section 12

Closing

Voteum exists because the alternatives don't. Campaign CRMs help politicians get elected; nothing helps them stay accountable after. Civic-tech consultation platforms serve municipalities; nothing gives an individual representative a verified, anonymised supporter signal. Crypto-native governance tools serve crypto-native communities; they do not address the EU democratic deficit.

The product is narrow and grounded. It serves elected representatives who want to be measurably accountable to their actual voters, and engaged citizens who want a credible, private channel into the decisions affecting them. The architecture is engineered around the privacy guarantee that makes both sides willing to participate: anonymous to the representative, verified to the system. The governance model places critical political infrastructure in an independent foundation rather than a private company. Cryptography lives in the engineering layer where it earns its place; it is no longer the marketing.

The pilot starts in Hungary, where the founding team has language, network, and access. Vienna is the first paid pilot beyond the home market. Western EU expansion follows traction, not the other way around. The financial model is straightforward: subscription revenue from representatives, freemium for voters, capped foundation compensation, and conventional equity for early investors with returns from operating-company performance.

We invite representatives, voters, civil society organisations, foundations, technical contributors, and aligned investors to engage with the project. Critique is welcome and expected. The model is open source. The foundation is structurally independent. The platform belongs to the people who use it.

Working document

This whitepaper will be updated as the project evolves. The canonical source lives in the Voteum repository — the version published here matches v1.4.0, May 2026.