Data architecture

Four kinds of data. Four homes. One commitment.

The platform holds different data on different terms. This page is the public summary of who can read what — without the tech-stack names. For the engineering detail, the canonical source is the design portal.

Four ownership categories

Where your data lives is an architecture decision, not a settings toggle.

Each kind of data has a home that fits its character — strict where consistency matters, eventual where collaboration matters, sovereign where dignity matters, open where the continent benefits.

  • Personal

    Who you are. What you bought. Who you messaged.

    What it holds
    Identity, authentication, wallet balances, transaction records, billing, subscription state.
    Where it lives
    Platform-owned, in specific open regions per an open-data policy.
    Rules
    Strict consistency — two conflicting versions of a balance are never acceptable. Locked behind row-level access controls. Encrypted at rest. No advertiser can buy this. No engineer can browse it.
    Who can read it
    Only you, by default. The platform holds it on your behalf — never to monetise it.

  • Community

    What people make together.

    What it holds
    Articles, novels, listings, weather observations, event details, AI conversation histories, creator content, posts in shared spaces.
    Where it lives
    Platform-owned, replicated to your device for offline use and to your sovereign pod where you want a copy.
    Rules
    Eventual consistency — a few seconds of propagation delay is acceptable. Visible per the rules of the community feature it belongs to: Circles, Nhimbe gatherings, marketplace listings, news feeds.
    Who can read it
    Whoever the community feature lets in. Open by default for public commons; private by default for closed circles.

  • Personal-sovereign

    What the platform learns about you. Yours, never ours.

    What it holds
    Preferences, engagement history, your Digital Twin’s memory, the AI’s context about you, learned interests.
    Where it lives
    In your sovereign pod on the Nyuchi Honeycomb decentralised network (Foundation-governed, Nyuchi-operated, beyond Web3, post-quantum ready) — cryptographically bound to your identity, accessible only with your keys.
    Rules
    You hold the keys. We have no copy. No platform, no government, no corporation can read this without you handing them the key — and you can revoke it.
    Who can read it
    Only you, by default. You decide who else, for how long, and for what.

  • Platform-open

    A commons for the continent.

    What it holds
    Aggregate, anonymised insights: regional weather patterns, foot-traffic trends, anonymised economic activity, usage patterns.
    Where it lives
    Open by design — queryable, documented, public.
    Rules
    No personal identifiers ever enter this layer. The privacy filter strips them upstream — the open commons is structurally incapable of leaking personal information because personal information never reaches it.
    Who can read it
    Everyone. Researchers, journalists, governments, NGOs, builders. The licence is open, the schema is documented, the API is public.

Why this shape

Different data deserves different rules.

A wallet balance and a poem behave differently. A balance has to be exact at every read; a poem can take a few seconds to propagate. Treating them as the same kind of object — putting them in one database with one set of guarantees — either over-protects the poem or under-protects the balance.

And the things you tell the platform about yourself — what you read, who you spend time with, what your Digital Twin remembers — are not the platform's to hold. Those live in a sovereign store under your keys. We do not have a copy. Not because we promise not to look, but because we architecturally cannot.

Aggregate insights — what the weather is doing in a region, how trade is flowing — those are the continent's. We anonymise them upstream and publish them as a commons, because keeping them as a corporate moat would be a smaller future than the one we want to build.

The law is the floor. Dignity is the architecture.

POPIA in South Africa, the Zimbabwe Data Protection Act, and GDPR in Europe set the legal floor for the platform-held layers — what we must do for personal data we hold on your behalf. The four homes above go further: they describe the shape of the architecture itself, including the layer the law cannot reach because the platform never sees it.

For the technical detail — the specific stores, the replication protocol, the privacy filter, the open-commons schema — the canonical source is the design portal. This page is the public commitment; the design portal is the engineering record.

See security & operations Open the design portal