Data Trust
How do you build a database of relationships without becoming the thing you despise?
The Pattern
Every contact is a thing. Every thing has states. The privacy constraint doesn't limit the state machine — it shapes it into something better. The trust ladder from the progress page is the skeleton. This page fills in the muscle.
The Trust Score
Trust isn't binary. It accumulates from signals, each weighted by how hard they are to fake.
Signals That Build
| Signal | Weight | Justification |
|---|---|---|
| Registry verification | Low | Public record — anyone can check |
| Opt-in consent | Medium | Active choice to engage |
| Identity verification | High | Cost and effort to confirm |
| Completed transaction | High | Money exchanged — real commitment |
| Referral that converts | Very High | Staking reputation on someone else |
| Commitments kept over time | Highest | Only time can produce this |
Signals That Erode
| Signal | Weight | Justification |
|---|---|---|
| Email bounce | Low | Could be technical |
| Unsubscribe | Medium | Active withdrawal of attention |
| Fraud flag | Critical | Immediate freeze |
| Broken promise | High | Debit entry in the ledger |
| Referred contact who damages | Very High | Network quality proven poor |
Score Thresholds
| Range | Status | What It Unlocks |
|---|---|---|
| 0-20 | Public record only | View in directory |
| 21-40 | Enriched | Outreach eligible |
| 41-60 | Engaged | Personalized communication |
| 61-80 | Trusted | Collaboration and referral access |
| 81-100 | Credible | Full network access, commission tiers |
The score is a derivative of behavior over time. Gaming it requires sustained genuine contribution — which is the point.
The Legal Frame
Universal principles. Not jurisdiction-specific statutes — the patterns underneath them.
| Principle | What It Means | Why It's Good Architecture |
|---|---|---|
| Data minimization | Only collect what you need | Forces quality over volume |
| Purpose limitation | One purpose per consent | Forces clear thinking about why |
| Right to erasure | Delete on request | Forces earned presence |
| Consent ladder | Permission before extraction | Forces trust before data |
| Legitimate interest | Public records are fair game | Gives you a starting point without asking |
| Data portability | People own their data | Forces you to be worth staying with |
The privacy law isn't a compliance burden. It's the specification for a trust system. Every principle maps to an architectural constraint that makes the system better, not worse.
Master Data
The telco pattern: one master record, many organizational views.
| Layer | What It Holds | Who Owns It |
|---|---|---|
| Master record | Identity, verification status, trust score | The platform |
| Org-specific record | Relationship state, deal history, permissions | Each organization |
| Consent record | What was agreed, when, for what purpose | The individual |
How It Works
The master doesn't own the relationship — it owns the identity. Organization A verifies a contact. Organization B trusts that verification (copy-link model). Neither duplicates the identity. Both maintain their own relationship state.
This is the common reference data pattern. Verified once, linked many times. The master delegates, never duplicates.
The Referral Engine
Privacy-preserving referral design:
| Mechanism | How It Works | Why It Matters |
|---|---|---|
| Unique referral links | Track clicks, not contacts | You never see who didn't convert |
| Referrer-driven sharing | They send invites, not you | You never touch non-opted-in data |
| Hash matching | Pseudonymized conversion tracking | Privacy preserved through the funnel |
| Conversion rewards | Commission on conversion, not invitation | Anti-spam by design |
| Tiered credibility | High-trust referrers earn more | Quality referrals compound |
The whole world could be your sales team — if you earn it. The referrer stakes their reputation on each introduction. The platform rewards the stake when it converts. Spam is structurally impossible because the referrer bears the social cost of bad introductions.
The DePIN Bridge
How attestations make trust portable:
| Whareroa | Trust System | Function |
|---|---|---|
| Commissioning signoff | Verified credential | Proof of identity, portable between organizations |
| Maintenance log | On-chain relationship history | Ongoing proof of trust earned |
| PLC logic | Smart contract | Access rules enforced by trust level |
| Site store | Credential registry | Where verified identities are accounted for |
The PLC parallel: commissioning signoff is an on-chain attestation. When Organization A signs off on a contact's identity, that attestation travels. Organization B can trust it without re-verifying. The verification cost is paid once. The trust is used many times.
Context
- Progress — The state machine that tracks everything
- Credibility — Trust as the metric for agency
- DePIN — Infrastructure on verifiable rails
- Goodwill — Generosity without expectation that compounds into trust
- Persuasion — Earning the right to be heard
Questions
How do you measure whether someone deserves your data — and whether you deserve theirs?
- At what trust level does a contact become more valuable than the cost of maintaining their record?
- If the referrer sends the invite, who owns the relationship — the referrer, the platform, or the prospect?
- What breaks first when you scale trust scoring across organizations — the data model or the incentives?
- The legal frame says "delete on request" — what happens to the trust score when someone exercises that right and comes back?