Measure swarm · Behavioral-signal-customer-graph agent · Build pillar · Published June 6, 2026
How to build behavioral signal ingestion plus customer graph for DTC subscription operators
A DTC subscription operator running 5-15 brands and 200,000 active subscribers ingests behavioral signals across web + email + SMS + call + walk-in + loyalty + subscription billing. Each platform sees a fragment of the customer. Behavioral signals can become sensitive when correlated. This guide walks the 4-skill bundle (Ingest + Normalize + Stitch + Audit) on the behavioral-signal-customer-graph agent end-to-end inside the hard wall of state-comprehensive-privacy + GDPR Article 9 special-category + WA MHMDA + Texas SCOPE + FTC v X-Mode + FTC v Mobilewalla + Massachusetts AG v Copley Advertising precedent.
The 4-skill bundle on the behavioral-signal-customer-graph agent
Ingest
Pull behavioral signals from per-vendor APIs: web (Heap + Mixpanel + Amplitude + PostHog + Segment + RudderStack + Snowplow + mParticle) + email (Klaviyo + Iterable + Braze + Customer.io + Mailchimp + Listrak) + SMS (sibling #515 SMS substrate + Attentive + Postscript) + call (CallRail + Invoca + DialogTech + CallTrackingMetrics + Phonexa) + walk-in via POS (Toast + Square + Clover + Lightspeed + Aloha) + loyalty (Punchh + Thanx + Paytronix + LevelUp + Como) + subscription billing (Recharge + Bold + Loop + Skio + OrderGroove + Smartrr + Stay AI). Per-vendor data-processing addendum operator-counsel review is gating before any vendor enters substrate. Per-vendor consent posture verification. Apple App Tracking Transparency ATT (since iOS 14.5) consent state for iOS-app SDK signals. Google Play User Data Policy compliance for Android-app SDK signals. Per-event HMAC-SHA-256 or OAuth signature verification. Sensitive-scope detection at ingest tags events intersecting 9-categorical sensitive scope.
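An added illustration of the Ingest gate for one event (example code, not the agent's own): the per-event HMAC-SHA-256 check binds the vendor timestamp into the MAC and compares in constant time, an iOS signal without an authorized ATT state is admitted but flagged as not usable for tracking-based targeting, and a constructed sensitive-scope registry tags the event. The signing scheme, skew window, and registry entries are assumptions standing in for per-vendor schemes and the operator-counsel-defined registry.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the operator-counsel-defined registry: URL path prefixes
# and POI ids mapped to sensitive-scope categories. Real entries come from counsel.
SENSITIVE_PATH_PREFIXES = {
    "/health/": "healthcare",
    "/reproductive/": "reproductive-health",
    "/recovery/": "addiction-services",
}
SENSITIVE_POI_IDS = {"poi-clinic-0042": "healthcare"}   # constructed id
MAX_SKEW_SECONDS = 300   # assumed replay window for the per-event timestamp


def sign(body: bytes, timestamp: int, secret: bytes) -> str:
    """Vendor-side MAC over 'timestamp.body' (constructed scheme; vendors differ)."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, timestamp: str, signature_hex: str,
                     secret: bytes, now: float) -> bool:
    """Constant-time HMAC-SHA-256 check; the timestamp is bound into the MAC so a
    captured event cannot be replayed outside the skew window."""
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    try:
        return hmac.compare_digest(sign(body, ts, secret), signature_hex)
    except TypeError:          # non-ASCII / non-str signature header
        return False


def sensitive_scope_tags(event: dict) -> list:
    """Categories from the registry that this event intersects ([] if none)."""
    props = event.get("properties", {})
    tags = {cat for prefix, cat in SENSITIVE_PATH_PREFIXES.items()
            if props.get("path", "").startswith(prefix)}
    if props.get("poi_id") in SENSITIVE_POI_IDS:
        tags.add(SENSITIVE_POI_IDS[props["poi_id"]])
    return sorted(tags)


def admit(body: bytes, timestamp: str, signature_hex: str, secret: bytes, now: float):
    """Ingest gate: ('rejected', reason) or ('admitted', event with ingest tags)."""
    if not verify_signature(body, timestamp, signature_hex, secret, now):
        return ("rejected", "bad-signature-or-stale-timestamp")
    event = json.loads(body)
    # Apple ATT: an iOS SDK signal is only usable for tracking-based targeting
    # when the ATT state is 'authorized'; other states are admitted but flagged.
    ios = event.get("platform") == "ios"
    event["tracking_allowed"] = (not ios) or event.get("att_state") == "authorized"
    event["sensitive_scope"] = sensitive_scope_tags(event)
    return ("admitted", event)
```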
Normalize
Canonicalize per-vendor event schemas to portfolio canonical event schema (event name + property keys + UTC timestamp + USD-cents currency canonicalization + device fingerprint hashed at ingest + session stitching). Strip PII at Ingest; cleartext PII never persists past the Ingest boundary. Hash identifiers via SHA-256 + Argon2. Per-vendor event-shape normalization preserves cross-vendor analytic comparability while honoring per-vendor data processing addendum constraints. Emit normalized event to customer-graph substrate.
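An added sketch of the Normalize step in Python, not code from the page: two constructed vendor shapes are canonicalized (lower-snake event name, UTC ISO-8601 timestamp, USD cents), cleartext PII keys are stripped before anything persists, and identifiers are hashed with SHA-256 feeding stdlib scrypt under an operator pepper, which stands in here for the Argon2 the page names. The vendor field maps, the PII key list, and the pepper are assumptions.

```python
import hashlib
from datetime import datetime, timezone

PEPPER = b"constructed-operator-pepper"   # assumption: held in a KMS/HSM in production
PII_KEYS = {"email", "phone", "first_name", "last_name", "ip", "street_address"}
HASHED_ID_KEYS = ("email", "phone", "device_id")   # hashed at ingest, never stored cleartext

# Constructed per-vendor field maps; real vendor schemas differ.
VENDOR_MAPS = {
    "web-vendor": {"event": "event_name", "time": "timestamp", "props": "properties",
                   "ts_format": "epoch_ms", "amount_unit": "usd_dollars"},
    "email-vendor": {"event": "metric", "time": "datetime", "props": "event_properties",
                     "ts_format": "iso8601", "amount_unit": "usd_cents"},
}


def hash_identifier(value: str) -> str:
    """Canonicalise, SHA-256, then a memory-hard KDF under the operator pepper.
    stdlib scrypt stands in for Argon2; parameters are kept small for the example."""
    digest = hashlib.sha256(value.strip().lower().encode()).digest()
    return hashlib.scrypt(digest, salt=PEPPER, n=2**13, r=8, p=1, dklen=32).hex()


def utc_timestamp(raw, fmt: str) -> str:
    """Epoch milliseconds or ISO-8601 (with trailing 'Z') to an aware UTC ISO string."""
    if fmt == "epoch_ms":
        return datetime.fromtimestamp(int(raw) / 1000, tz=timezone.utc).isoformat()
    dt = datetime.fromisoformat(str(raw).replace("Z", "+00:00"))
    return dt.astimezone(timezone.utc).isoformat()


def usd_cents(value, unit: str):
    """Currency canonicalization: vendors report dollars or cents; we store cents."""
    if value is None:
        return None
    return int(round(float(value) * 100)) if unit == "usd_dollars" else int(value)


def normalize(vendor: str, raw: dict) -> dict:
    """Canonical event: hashed identifiers out, cleartext PII dropped, amount in cents."""
    m = VENDOR_MAPS[vendor]
    props = dict(raw.get(m["props"], {}))
    identifiers = {f"{k}_hash": hash_identifier(str(props[k]))
                   for k in HASHED_ID_KEYS if k in props}
    # Strip cleartext PII before the event leaves the Ingest boundary
    props = {k: v for k, v in props.items()
             if k not in PII_KEYS and k not in HASHED_ID_KEYS}
    return {
        "vendor": vendor,
        "event_name": raw[m["event"]].strip().lower().replace(" ", "_"),
        "ts_utc": utc_timestamp(raw[m["time"]], m["ts_format"]),
        "amount_usd_cents": usd_cents(props.pop("amount", None), m["amount_unit"]),
        "identifiers": identifiers,
        "properties": props,
        "sensitive_scope": list(raw.get("sensitive_scope", [])),   # tag set at Ingest
    }
```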
Stitch
Thread normalized event onto per-customer node via identity-resolution substrate from sibling #521 cross-touchpoint identity resolution. Deterministic match on hashed email + hashed phone + loyalty ID + customer ID. Probabilistic match DISABLED for sensitive-scope events. Sensitive-scope-tagged events route to a SEPARATE substrate where downstream consumers cannot correlate with non-sensitive behavioral profile. Per-pattern detection at Stitch: per-customer behavioral profile accumulating above operator-counsel-defined density of sensitive-adjacent events triggers per-customer profile minimization rule.
Audit
Per-event canonical record (event ID + per-vendor pointer + per-vendor DPA snapshot + Apple ATT consent state + Google Play User Data Policy posture + Ingest sensitive-scope tag + Normalize transformation snapshot + Stitch decision + per-customer node pointer + sensitive-scope handling evidence + per-vendor LLM zero-retention verification when LLM-assisted classification used). WORM storage. Per-event record is retained for CCPA right-to-know + CPRA enforcement + state-AG enforcement + GDPR Article 33/34 breach notification preparation + GDPR Article 35 DPIA evidence + FTC v X-Mode + FTC v Mobilewalla consent-decree compliance preparation + Massachusetts AG v Copley Advertising precedent defense + EU supervisory authority + audit committee + external counsel review.
The real ecosystem this sits above
Behavioral signal vendors (with DPA gating)
Heap, Mixpanel, Amplitude, PostHog, Segment, RudderStack, Snowplow, mParticle, Twilio Engage, Lytics, Tealium web behavioral. Klaviyo, Iterable, Braze, Customer.io, Mailchimp, Listrak email. Attentive, Postscript, EZ Texting, SimpleTexting, TextMagic SMS. CallRail, Invoca, DialogTech, CallTrackingMetrics, Phonexa call. Toast, Square, Clover, Lightspeed, Aloha POS walk-in. Punchh, Thanx, Paytronix, LevelUp, Como loyalty. Recharge, Bold, Loop, Skio, OrderGroove, Smartrr, Stay AI subscription billing. Pendo, FullStory, Hotjar, Heap session-replay (operator-counsel review on session-replay masking + PII redaction).
Identity + customer graph
Adobe Real-Time CDP, Treasure Data, Tealium, Salesforce Customer 360, mParticle, Twilio Engage, BlueConic, ActionIQ, Lytics CDP. LiveRamp RampID, The Trade Desk UID2, Throtle, Tapad identity. Sibling #521 cross-touchpoint identity resolution provides Stitch substrate. Sibling #525 foot-traffic integration provides sensitive-scope geofence registry.
Cryptography + policy + WORM
SHA-256 + Argon2 + bcrypt + scrypt hashing identifiers at Ingest. Google Privacy Sandbox PIR + Microsoft EdgeDL + libsodium + OpenMined PySyft secure-multi-party-computation. Apple + Google + Microsoft differential privacy. Private-set-intersection for cross-vendor match without cleartext exchange. OPA Rego + AWS Cedar + Casbin + Cerbos + Oso + Styra DAS + Permit.io policy-as-code for sensitive-scope routing + per-vendor consent-state gating. AWS S3 Object Lock + Azure Blob immutable + Google Cloud Storage Bucket Lock + Wasabi compliance WORM for Audit.
The 5-anchor compliance overlay
Anchor 1 — CCPA + CPRA + state-comprehensive-privacy + WA MHMDA + Texas SCOPE + COPPA (operationally distinctive)
CCPA + CPRA + 17-state-comprehensive-privacy (Virginia VCDPA + Colorado CPA + Connecticut CTDPA + Utah UCPA + Texas TDPSA + Oregon OCPA + Montana MCDPA + Tennessee TIPA + Iowa Act + Indiana ICDPA + Delaware DPDPA + New Jersey NJDPA + New Hampshire NHPA + Kentucky KCDPA + Maryland MODPA + Minnesota CDPA + Rhode Island DTPPA) + Washington My Health My Data Act 2024 (HIPAA-adjacent with private right of action) + Texas SCOPE Act 2024 when minors-scope + COPPA 15 USC 6501 when minors-scope. Operationally distinctive frame: behavioral signals look low-risk individually and become high-risk in correlation; sensitive-scope detection runs at Ingest with operator-counsel-defined POI registry + sensitive-pattern detection at Stitch + sensitive-scope-tagged events route to separate substrate where probabilistic correlation is disabled.
Anchor 2 — GDPR Article 5 + 6 + 9 + 25 + 32 + 33 + 34 + 35 + Recital 47
GDPR Article 5 data minimization + Article 6 legal basis (legitimate interest with documented LIA per Recital 47) + Article 9 special-category data processing (behavioral signal correlation INTERSECTING special-category requires Article 9(2) basis) + Article 25 privacy by design + Article 32 security + Article 33 + 34 breach notification + Article 35 DPIA MANDATORY for high-risk processing including large-scale behavioral profiling.
Anchor 3 — FTC v X-Mode + FTC v Mobilewalla + Massachusetts AG v Copley Advertising location-data precedent (transferred to behavioral signal correlation)
FTC v X-Mode Social and Outlogic (January 9, 2024 consent decree). FTC v Mobilewalla (December 3, 2024 consent decree). Massachusetts AG v Copley Advertising (April 2017 settlement). These precedents apply directly to behavioral signal correlation: a per-customer behavioral profile that accumulates page views + walk-in events + loyalty events at sensitive-scope POIs becomes a profile that can intersect sensitive categories; the substrate must filter sensitive-scope events out of downstream probabilistic correlation.
Anchor 4 — Per-vertical + per-platform consent (HIPAA + Apple ATT + Google Play User Data + per-vendor DPA)
HIPAA 45 CFR 164.514 de-identification when healthcare-adjacent scope reached + Business Associate Agreement consideration. Apple App Tracking Transparency ATT (since iOS 14.5, April 2021) for iOS app SDK collecting behavioral signal; ATT-denied state disables tracking-based behavioral targeting at the substrate. Google Play User Data Policy for Android app SDK. Per-vendor data-processing addendum operator-counsel review is GATING before any vendor enters substrate. Per-vendor SOC 2 evidence retained.
Anchor 5 — Cryptographic primitives + NIST AI RMF + ISO 42001 + ISO 27001 + SOC 2
SHA-256 + Argon2 + bcrypt + scrypt for hashing identifiers at Ingest. Secure-multi-party-computation (Google Privacy Sandbox PIR + Microsoft EdgeDL + libsodium + OpenMined PySyft). Differential privacy (Apple + Google + Microsoft references) for aggregate reporting. Private-set-intersection for cross-vendor match without cleartext exchange. NIST AI RMF Govern + Map + Measure + Manage. ISO 42001 AI Management System. ISO 27001 Information Security. SOC 2 Type II CC2 + CC6 + CC7 + CC8. Per-vendor LLM zero-retention when LLM-assisted signal classification used.
The 6-workstream pre-engagement-baseline reporting cycle
Completions does not commit to numeric signal-ingestion-volume or graph-coverage targets before engagement scope is documented. The Q6 pre-engagement-baseline reporting cycle covers the six workstreams that ship in every engagement.
- Ingest coverage. Per-vendor data-processing addendum operator-counsel review status + per-vendor consent posture verification + Apple ATT + Google Play User Data Policy consent state freshness + per-event HMAC/OAuth signature verification + sensitive-scope detection coverage at ingest.
- Normalize quality. Per-vendor event-shape canonicalization + portfolio canonical event schema versioning + PII strip at ingest + identifier hash discipline + session-stitching correctness + cross-vendor analytic comparability.
- Stitch quality. Per-event identity-resolution handoff to sibling #521 + deterministic match preferred over probabilistic + probabilistic disabled for sensitive-scope + per-pattern detection at Stitch + per-customer profile minimization rule freshness.
- Audit quality. Per-event canonical record completeness + WORM storage posture + per-vendor DPA snapshot retention + per-vendor consent posture snapshot retention.
- Compliance posture. CCPA + CPRA + state-comprehensive-privacy + WA MHMDA + Texas SCOPE + COPPA + GDPR Article 5 + 6 + 9 + 25 + 32 + 33 + 34 + 35 + Recital 47 + FTC v X-Mode + FTC v Mobilewalla + Massachusetts AG v Copley Advertising precedent review + HIPAA when healthcare-adjacent + Apple ATT + Google Play User Data Policy + per-vendor DPA + per-vendor SOC 2 + cryptographic primitives + NIST AI RMF + ISO 42001 + ISO 27001 + SOC 2 Type II + per-vendor LLM zero-retention freshness.
- Audit-trail completeness. Per-Ingest + per-Normalize + per-Stitch + per-Audit canonical record retention in versioned-history substrate readable by CCPA right-to-know + state-AG enforcement + GDPR breach notification + FTC consent-decree compliance review + HIPAA OCR when applicable + EU supervisory authority + audit committee + external counsel review.
Frequently asked questions
What problem does behavioral signal ingestion + customer graph solve for a DTC subscription operator?
A DTC subscription operator running 5-15 brands and 200,000 active subscribers receives behavioral signals across web (Heap + Mixpanel + Amplitude + PostHog + Segment + RudderStack + Snowplow + mParticle), email (Klaviyo + Iterable + Braze + Customer.io + Mailchimp), SMS (Attentive + Postscript + EZ Texting + SimpleTexting), call (CallRail + Invoca + DialogTech + CallTrackingMetrics + Phonexa), walk-in via POS (Toast + Square + Clover + Lightspeed + Aloha), loyalty (Punchh + Thanx + Paytronix + LevelUp + Como), and subscription billing (Recharge + Bold + Loop + Skio + OrderGroove + Smartrr + Stay AI). Each platform sees a fragment of the customer. Sibling #521 cross-touchpoint identity resolution stitches identity across touchpoints; this skill ships the substrate that ingests the behavioral signals, normalizes them, threads them onto the identity graph from #521, and produces a queryable customer graph the AI-agent swarm can consume. Exposure is sharp: behavioral signals can become sensitive when correlated; a single page view is not protected, but a pattern of page views to medical or financial or political pages intersects GDPR Article 9 special-category, Washington My Health My Data Act, and the FTC v X-Mode / FTC v Mobilewalla / Massachusetts AG v Copley Advertising precedent on location-data tied to sensitive scope.
What is the 4-skill bundle and what does each skill do?
Ingest pulls behavioral signals from per-vendor APIs (web + email + SMS + call + walk-in via POS + loyalty + subscription billing) under per-vendor data-processing addendum operator-counsel review + per-vendor consent posture verification + Apple App Tracking Transparency consent state for iOS-app SDK signals + Google Play User Data Policy compliance for Android-app SDK signals. Per-event HMAC-SHA-256 or OAuth signature verification. Sensitive-scope detection at ingest tags events that intersect healthcare + reproductive-health + religious + addiction-services + child-care + criminal-justice + military-base + immigration scope (transferring from sibling #525 foot-traffic integration substrate). Normalize canonicalizes per-vendor event schemas to a portfolio canonical event schema (event name + property keys + UTC timestamp + USD-cents currency + device fingerprint hashed + session-stitching), strips PII at ingest, hashes identifiers via SHA-256 + Argon2, and emits the normalized event to the customer-graph substrate. Stitch threads the normalized event onto the per-customer node via the identity-resolution substrate from sibling #521 (deterministic match on hashed email + hashed phone + loyalty ID + customer ID; probabilistic match disabled for sensitive-scope events). Sensitive-scope-tagged events route to a separate substrate where downstream consumers cannot correlate with non-sensitive behavioral profile. Audit retains per-event canonical record + per-Stitch decision in WORM for CCPA right-to-know + GDPR Article 33/34 breach notification preparation + FTC enforcement + per-state privacy DSAR overlay + audit committee.
Why is behavioral-signal sensitive-scope detection + per-vendor consent verification the operationally distinctive anchor for this skill?
Behavioral signals look low-risk individually and become high-risk in correlation. A single pageview on a clinic site is not PHI; a pattern of 12 pageviews on oncology pages over 6 weeks correlated with an address near a cancer treatment center is a special-category profile under GDPR Article 9. A single product-detail-page view of a mental-health subscription is not Washington My Health My Data Act data; the same view combined with an SMS sent to a recovery hotline crossing the operator substrate is. FTC v X-Mode Social and Outlogic (January 2024) and FTC v Mobilewalla (December 2024) consent decrees established that location data tied to sensitive scope creates regulatory exposure; the same precedent transfers to behavioral signal correlation when the operator combines web + walk-in via POS + foot-traffic via sibling #525. Operationally distinctive frame: sensitive-scope detection runs at Ingest with operator-counsel-defined POI registry + sensitive-pattern detection at Stitch + sensitive-scope-tagged events route to a separate substrate where probabilistic correlation is disabled. Per-vendor data-processing addendum operator-counsel review is gating before any vendor enters the substrate, and Apple ATT + Google Play User Data Policy consent states are queried at every Ingest.
What real regulatory and standards-body hooks does the compliance overlay anchor on?
Anchor 1 is CCPA + CPRA + state-comprehensive-privacy (Virginia VCDPA + Colorado CPA + Connecticut CTDPA + Utah UCPA + Texas TDPSA + Oregon OCPA + Montana MCDPA + Tennessee TIPA + Iowa Act + Indiana ICDPA + Delaware DPDPA + New Jersey NJDPA + New Hampshire NHPA + Kentucky KCDPA + Maryland MODPA + Minnesota CDPA + Rhode Island DTPPA) + Washington My Health My Data Act 2024 (HIPAA-adjacent with private right of action) + Texas SCOPE Act 2024 when minors-scope + COPPA 15 USC 6501 when minors-scope. Anchor 2 is GDPR Article 5 data minimization + Article 6 legal basis (legitimate interest with documented LIA per Recital 47) + Article 9 special-category data processing (behavioral signal correlation intersecting special-category) + Article 25 privacy by design + Article 32 security + Article 33 + 34 breach notification + Article 35 DPIA (mandatory for high-risk processing including large-scale behavioral profiling). Anchor 3 is FTC enforcement precedent on location and identity data: FTC v X-Mode Social and Outlogic (January 9, 2024 consent decree over location data shared without proper consent), FTC v Mobilewalla (December 3, 2024 consent decree over location data sold by data broker), Massachusetts AG v Copley Advertising (April 2017 settlement over geofenced advertising at abortion clinics). Anchor 4 is per-vertical + per-platform consent: HIPAA 45 CFR 164.514 de-identification standard when healthcare-adjacent scope reached + Apple App Tracking Transparency ATT (since iOS 14.5, April 2021) when iOS app SDK collects behavioral signal + Google Play User Data Policy when Android app SDK collects behavioral signal + per-vendor data-processing addendum operator-counsel review + per-vendor SOC 2 evidence. 
Anchor 5 is cryptographic primitives + standards: SHA-256 + Argon2 + bcrypt + scrypt for hashing identifiers at Ingest + secure-multi-party-computation + private-set-intersection for cross-vendor match without cleartext exchange + NIST AI RMF + ISO 42001 + ISO 27001 + SOC 2 Type II CC2 + CC6 + CC7 + CC8 + per-vendor LLM zero-retention when LLM-assisted signal classification used.
How does Stitch prevent the customer graph from becoming a special-category profile by accident?
Stitch enforces three guards. First, sensitive-scope tagging from Ingest travels with every event; events tagged sensitive route to a separate substrate where probabilistic correlation is disabled and downstream consumers cannot combine sensitive events with the non-sensitive behavioral profile. Second, per-pattern detection runs at Stitch time: a per-customer behavioral profile that accumulates above operator-counsel-defined density of sensitive-adjacent events (e.g., 10+ pageviews on health-related content within a 30-day window) triggers a flag and the per-customer profile minimization rule applies (Resolve retains only identifiers required for the operator-counsel-approved use case; sensitive-adjacent attributes outside that scope are not retained). Third, DSAR overlay tagging propagates across the substrate so a per-customer access request returns the sensitive-scope handling evidence within the statutory response window. The audit trail documents the sensitive-scope decision at every Stitch event for GDPR Article 9 + WA MHMDA + FTC enforcement defense.
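The Stitch guards described here and in the Stitch section of the bundle, as an added Python example rather than the agent's own code: deterministic-only matching on hashed identifiers, a separate substrate for sensitive-scope events with the probabilistic path bypassed for them, and the density rule (10+ sensitive-adjacent events within a 30-day window) triggering per-customer profile minimization. The counsel-approved identifier set, the `sensitive_adjacent` flag on events, and the empty probabilistic stand-in for sibling #521 are assumptions.

```python
from datetime import datetime, timedelta

DENSITY_THRESHOLD = 10                    # 10+ sensitive-adjacent events ...
DENSITY_WINDOW = timedelta(days=30)       # ... within a 30-day window (the page's example rule)
APPROVED_ID_KINDS = {"customer_id", "email_hash"}   # constructed counsel-approved set


class CustomerGraph:
    """Stitch stage with the three guards: sensitive events never take the
    probabilistic path, they live in a separate substrate, and a density rule
    triggers per-customer profile minimization."""

    def __init__(self):
        self.behavioral = {}   # customer -> non-sensitive events
        self.sensitive = {}    # customer -> sensitive-scope events (separate substrate)
        self.index = {}        # (identifier kind, hashed value) -> customer
        self.minimized = set()
        self._seq = 0

    def deterministic_match(self, identifiers: dict):
        """Exact match on hashed email / hashed phone / loyalty ID / customer ID only."""
        for kind, value in identifiers.items():
            if (kind, value) in self.index:
                return self.index[(kind, value)]
        return None

    def probabilistic_match(self, event: dict):
        """Stand-in for the sibling #521 probabilistic path (assumption: no candidate)."""
        return None

    def stitch(self, event: dict) -> dict:
        ids = event["identifiers"]
        sensitive = bool(event.get("sensitive_scope"))
        customer, how = self.deterministic_match(ids), "deterministic"
        if customer is None and not sensitive:        # probabilistic is DISABLED for sensitive
            customer = self.probabilistic_match(event)
            how = "probabilistic" if customer else how
        if customer is None:
            self._seq += 1
            customer, how = f"cust-{self._seq}", "new-node"
        for kind, value in ids.items():
            self.index.setdefault((kind, value), customer)
        substrate = self.sensitive if sensitive else self.behavioral
        substrate.setdefault(customer, []).append(event)
        if not sensitive and self._density_exceeded(customer, event["ts_utc"]):
            self._minimize(customer)
        return {"customer": customer, "match": how, "minimized": customer in self.minimized,
                "substrate": "sensitive" if sensitive else "behavioral"}

    def _density_exceeded(self, customer: str, ts_iso: str) -> bool:
        now = datetime.fromisoformat(ts_iso)
        recent = [e for e in self.behavioral[customer] if e.get("sensitive_adjacent")
                  and now - datetime.fromisoformat(e["ts_utc"]) <= DENSITY_WINDOW]
        return len(recent) >= DENSITY_THRESHOLD

    def _minimize(self, customer: str) -> None:
        """Keep only counsel-approved identifier kinds; drop sensitive-adjacent attributes."""
        self.minimized.add(customer)
        for e in self.behavioral[customer]:
            e["identifiers"] = {k: v for k, v in e["identifiers"].items()
                                if k in APPROVED_ID_KINDS}
            if e.get("sensitive_adjacent"):
                e["properties"] = {}
```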
What does Completions ship and how does an engagement start?
Completions ships the behavioral-signal-customer-graph agent + 4-skill bundle (Ingest + Normalize + Stitch + Audit) + 5-anchor compliance overlay (CCPA + CPRA + state-comprehensive-privacy + WA MHMDA + Texas SCOPE + COPPA + GDPR Article 5 + 6 + 9 special-category + 25 + 32 + 33 + 34 + 35 DPIA + Recital 47 + FTC v X-Mode + FTC v Mobilewalla + Massachusetts AG v Copley Advertising + HIPAA when healthcare-adjacent + Apple ATT + Google Play User Data Policy + per-vendor data-processing addendum + per-vendor SOC 2 evidence + cryptographic primitives + NIST AI RMF + ISO 42001 + ISO 27001 + SOC 2 Type II + per-vendor LLM zero-retention) + the Q6 6-workstream pre-engagement-baseline reporting cycle. Tier 1 AI Readiness Assessment (2-3 weeks) audits the current behavioral signal ingestion posture against per-vendor data-processing addendum status, sensitive-scope detection coverage, Apple ATT + Google Play consent state, and DSAR overlay readiness. Tier 3 Fractional CMO with AI Swarm (6-month minimum, 1-2 days/wk embedded) runs the behavioral-signal-customer-graph agent on the operator analytics + CDP + identity-resolution stack on an ongoing basis.
Engage Completions on the behavioral-signal-customer-graph agent
Tier 1 AI Readiness Assessment (2-3 weeks) audits the current behavioral signal ingestion posture against per-vendor data-processing addendum status, sensitive-scope detection coverage, Apple ATT + Google Play consent state, and DSAR overlay readiness. Tier 3 Fractional CMO with AI Swarm (6-month minimum, 1-2 days/wk embedded) runs the behavioral-signal-customer-graph agent on the operator analytics + CDP + identity-resolution stack on an ongoing basis.