We Should Never Need to Know
Who Someone Is

✓ What Is Stored

• →
  phoneHash

  SHA-256 of the E.164-normalized phone number
• →
  emailHash

  SHA-256 of the normalized email address
• →
  username

  Lowercase, trimmed plaintext + SHA-256 hash. Required for fuzzy matching.
• →
  violationCategory

  One of five enumerated categories (harassment, fake_profile, etc.)
• →
  severity + timestamps

  Severity level and when the report was submitted
• →
  platformId

  Which member platform submitted the report

✗ What Is Never Stored

• →
  phone number

  Raw phone numbers never transmitted to or stored by DBBL
• →
  email address

  Raw email addresses never transmitted to or stored by DBBL
• →
  real name

  Legal names, display names, and real names are never collected
• →
  additionalContext

  Freeform context submitted with reports is stored for human reviewers only — never returned via API
• →
  IP address

  No IP addresses or device identifiers collected from querying platforms' users

Phone Numbers

1. 1. Strip all non-digit characters
2. 2. If 10 digits, prepend +1 (US numbers)
3. 3. Ensure E.164 format: +[country][number]
4. 4. Apply SHA-256 to the normalized string

Email Addresses

1. 1. Lowercase the entire address
2. 2. For Gmail: remove dots from local part
3. 3. For Gmail: remove +tag suffixes
4. 4. Apply SHA-256 to the normalized string

Platforms start as provisional with a trust score of 0.5. Platforms that consistently submit accurate, confirmed reports move toward standard and trusted tiers.

Every report is weighted by the submitting platform's trust score. A report from a provisional platform (0.5) contributes half the weight of a report from a fully trusted platform (1.0).

Only confirmed violations should be submitted. The DBBL Protocol is not a report queue — it's a record of your platform's moderation decisions. Submit only what you have already acted on.