Trust & Safety

Every claim is evidence-bound.

If GlueArrow says a song played, there is a detection behind it. If it says a user was verified, there is a ValueCard trail behind it. If it says a royalty was paid, there is a wallet transaction behind it.

The audit trail

Signal → detection → ledger → payout. Every step leaves a row.

Detection integrity

Fingerprint, timestamp, station — three signatures on every row.

Detection

Fingerprint + timestamp + licensed station.

A detection is only accepted into the ledger when three signatures line up: the audio fingerprint matches the reference, the timestamp comes from a trusted clock, and the station is on the licensed-and-deployed list. Anything else is quarantined for review.

Garbage rows quarantined in detections_archive — never in the payout math
CHECK + NOT NULL + trigger guards on the detections schema
ShadowCount compares reported vs detected for every station
Five-layer proof of play for every ad spot

Consent

The Being asks before it speaks.

Proactive messages only go out when a user has said yes — explicitly, in this context. Mute and unmute work in natural language. A fail-open gate stops the agent from sending anything we can't prove was invited.

Consent-gated voice

Invited once, mutable any time — the quiet mode is the default.

Regulator access

Read-only dashboard. Same ledger as the stations. Same ledger as the artist.

Regulator access

Verify without asking permission.

Regulators get a free, read-only view of the same ledger stations and artists see. No special exports, no negotiated access, no black-box audit. If a claim is on GlueArrow, the regulator can follow it to the row that produced it.

Honest numbers are the whole product.

Detection integrity, consent, and regulator access are not features bolted on — they are the shape of the platform.

Privacy Integrity report