Trust infrastructure

Audience trust is a product feature.

Seamline helps creators build a direct thread with their audience. That only works if visitors know what they are joining, who will email them, and where their data will not go.

Boundary promise

Creator content can power AI. Subscriber identity cannot.

This is enforced as a product design rule, not a marketing footnote.

Core principles

Principle

Creator-owned relationship

Subscribers join a specific creator, not a generic Seamline marketing list. The list belongs to the creator — not to us.

Principle

No subscriber PII in AI

Lead emails, names, and subscriber-identifying data stay out of model prompts. Only creator-authored project descriptions go to Claude.

Principle

Clear unsubscribe expectation

Capture surfaces and email flows must keep exit paths visible and honest. No buried opt-outs, no dark-pattern re-subscriptions.

Principle

No dark-pattern capture

Seamline optimizes for trust and clarity — not pressure mechanics, fake urgency, or hidden consent. We build trust infrastructure.

Data boundaries

Exactly what goes where.

Used for creator intelligence

  • Project descriptions
  • Creator-approved voice settings
  • Aggregate capture counts
  • Aggregate source quality
  • Creator feedback on generated copy

Never sent to AI

  • Lead email addresses
  • Lead names
  • Raw subscriber identity
  • Private payment data
  • Unapproved subscriber preference text

Used only after explicit setup

  • Email dispatch via verified sender domain
  • Stripe billing events
  • Custom-domain routing
  • Durable preference storage

Executable guardrails

Trust promises should fail closed.

Prompt boundary scanner

Build checks block subscriber identifiers, raw lead rows, and unsafe policy metadata from artificial intelligence (AI) prompt surfaces.

scripts/check-privacy-boundaries.mjs

Server-side tier gates

Quota and plan claims are checked in API routes from server-owned records. Client-side tier claims are never trusted.

lib/tiers.ts + authenticated API routes

Activation proof receipts

First-thread milestones write aggregate proof receipts without storing subscriber identity in the public progress ledger.

activation_proof_ledger

Live proof rollup

Current evidence is public, redacted, and founder-gated.

The rollup is generated from local proof artifacts only. It never includes subscriber personally identifiable information, secrets, or live billing actions.

Rollup status

6/7

needs-attention

Generated Jun 29, 2026

First-thread proof

pass

Sequence dispatch proof

pass

Webhook replay proof

pass

Remote production proof

pass

Local DB proof

blocked

Release gate evidence

founder-gated

Doctor snapshot

pass

Founder approval is still required before public launch. Founder approval remains the only accepted public-launch unblock; do not fabricate or infer approval.

Subscriber promise

What a visitor should understand before joining.

They are joining a creator-specific relationship, not a platform newsletter.

The creator controls the message and the list relationship; Seamline supplies infrastructure and measurement.

Preference signals are optional, consented, and aggregate-first — they help the creator improve the thread without turning the subscriber into a data product.