The app is literally
the ticket in.
The host-curated IRL beta: Barbara runs real group shoots, vets everyone in person, and the app's only job at first is to be the ticket — event registration, an ultra-fast profile, and two notifications. Nobody is matched with a stranger; nobody is sent to a stranger's private address. That single fact is what licenses the dramatically thinner first build.
The model
What Barbara is actually running
Barbara generates the demand IRL — her network plus community mining — and the app captures and services it. The shoots happen because Barbara makes them happen; the app makes them repeatable and instrumented. This is the concierge launch the plan always prescribed, pulled earlier and stripped to its essence.
What the beta is not
- Not the open marketplace.No swipe matching, no stranger pairing, no "go meet this person at this private address."
- Not the native app. A mobile-first web prototype — native is gated behind the retention test.
- Not monetized. Free — never monetize before density.
The profile
Sign-up, stupid fast
Barbara's bar: location only. No verification, no ratings, no labels for the beta. The target is well under a minute — not the canon's 30.
- Location
The one required field — coarse metro, confirms SF-area. No precise address stored.
In the beta - Sign in
Apple / Google / email (reuse paiv + BuddyUp auth).
In the beta - Name / display
Lightweight — first name or handle.
In the beta - Photos
Optional Instagram connect → 4 recent posts embedded. Manual upload is the fallback; never a hard blocker.
In the beta - Role label
Not required — everyone is a participant. (Soft optional tag captured silently, shown nowhere.)
Captured, hidden - Verification / ID / age
None at signup. Barbara confirms 18+ in person. Returns when signup goes self-serve.
Returns later - Ratings / reputation
None. No thumbs, no ledger surface, no 'verified' badge in the beta UI.
Returns later
Optional "connect Instagram" → 4 most recent posts, embedded
If a user connects Instagram, their 4 most recent posts auto-populate the profile, rendered in place — looks great instantly, zero re-upload. But Barbara's rule is precise: no handle, no link-out. All communication stays inside Snupix — "we protect the relationship." Snupix never becomes free lead-gen that leaks the connection back to IG DMs.
- No IG handle rendered anywhere — not on the profile, not on the participant list.
- No tappable link-out to any IG profile or post.
- All participant-to-participant comms happen inside Snupix.
- Enforced in code + design review — a product guardrail, not a setting.
ToS / API caveat — verify before build
The clean ways to display Instagram media changed. The legacy oEmbed endpoint was migrated under Meta's Graph API and now generally needs App Review + a token; public unauthenticated embedding is restricted.
Pulling "this user's 4 most recent posts" is a different capability from embedding one public post — it needs the user to authorize their own media. Meta is also deprecating Basic Display. Verify current availability, the migration timeline, and whether suppressing the handle + permalink conflicts with any attribution requirement. This is the #1 thing to verify.
Do not assume oEmbed "just works" — it doesn't anymore. The beta does not depend on IG embedding to function: the ticket + notifications do the work.
The notifications
Exactly two signals
Notifications stay minimal for the prototype — just two. No match alerts, no chat pings, no delivery nudges, no 'shoots near you.' Those are open-phase features. Full messaging is layered later once usage is observed; the 'comms stay in Snupix' rule already holds today.
Confirm
48 hours before the shoot
Your shoot is coming up at [location] on [date / time] — please confirm.
A single-step, one-sided cut of F-015's 72h Reconfirmation — Barbara is the fixed host, so no mutual machinery yet.
On my way
Day of, ahead of the shoot
Heading to your shoot at [location] — let everyone know.
The attendance check-in — a beta-minimal precursor to F-018.
The gate
40–50 people, then measure retention
After 40–50 distinct people have participated, measure whether they come back on their own. The cheapest possible artifact has to prove people want to return before any expensive native build.
Trigger
≥40–50 distinct people across at least one shoot each — roughly 8–10 shoots, ~4–5 weeks at the 2/week cadence (late Jul → late Aug / early Sep 2026).
The retention question
Primary signal = % who register for a second shootthrough the app. Counter-metric: people who open the app but don't re-participate — engagement without the outcome. The outcome is repeat real-world participation, not app-opens.
What it unlocks
PASS → build the native app — and the full trust floor starts landing. Same milestone.
FAIL → diagnose + fix in the cheap web prototype. Do not build native.
The rollout
SF → LA → organic
Hyper-local, focused beats scattered. Barbara's '6 months SF' is a calendar expression; the canon's expansion trigger is a retention gate. If SF hasn't proven retention by month 6, the gate wins over the calendar.
- 01
SF only
Months 0–6 · from late Jul 2026
All shoots, recruitment, and spend concentrated in SF. Liquidity is local — densify one cluster before scattering.
- 02
Then LA
If traction
Re-run the beta motion in LA as a fresh cold-start only after SF clears its retention gate and stays healthy. Never two cold-starts at once.
- 03
Then organic
Well past the beta
Beyond LA, expansion goes organic — presumes the open marketplace + launch kit exist by then.
Landing-page geo fix still required: the live page showcases NYC / Miami / Brooklyn — correct it to SF as part of the beta launch surface.
The crucial section
Safety, phased
Trust & safety is existential. The full floor — ID/age, CSAM/NCMEC, NSFW, durable bans, moderation SLAs, in-person safety kit — is launch-blocking. The beta runs with no verification. These are reconciled not by dropping safety, but by phasing it to the risk surface that actually exists in each phase. The beta has a different, much smaller risk surface — the open-marketplace floor returns, launch-blocking, before the risk surface grows.
The bright line
The minimal-safety beta is valid for, and only for, host-curated, in-person-vetted, group shoots at host-chosen locations where Snupix never programmatically connects two users or reveals a private location. The moment the product does any of — (a) match users programmatically, (b) reveal a private/non-host location, (c) enable a self-serve shoot, (d) enable 1:1 stranger shoots — the open-marketplace trust floor becomes launch-blocking before that capability ships. Non-negotiable.
No stranger matching
The app does not pair A with B. No swipe, no algorithmic match.
No private-location reveal
Shoots are at Barbara-chosen locations, in a group of 5+. Nobody is sent to anyone's home.
A human vouches in person
Barbara curates and meets everyone — the concierge vetting the canon already prescribes.
Group + public, not 1:1 + private
The lowest-risk configuration the product will ever have.
The trust floor, phased
What's in the beta vs. what must return — and at what trigger.
In-person vetting by Barbara (concierge)
Returns: Stays. The human vouch is what enables the thin beta.
ToS / Privacy / Community Guidelines + 18+ representation
F-034Returns: In from day one. CSAE + anti-escort clauses go from lightweight → complete before open.
Basic report path + monitored contact
F-031 / F-038Returns: In from day one. Formal SLAs land before open.
Anti-hookup / anti-'hot-or-not' positioning
F-035Returns: Binds every surface from the first screenshot — especially a bright/fun palette.
18+ gate (real facial age estimation)
F-028Returns: Full age estimation before ANY self-serve signup.
NSFW classification + no-nudity policy
F-030Returns: Automated NSFW classification before open-marketplace upload.
CSAM detection + NCMEC reporting
F-029Returns: Federal duty the instant Snupix HOSTS or CACHES a user image (see §7.4).
Document ID verification → badge
F-033Returns: Before any stranger-matched or self-serve in-person shoot.
Location-hidden-until-approval
F-014Returns: Before any user-set / private-location shoot.
72h mutual Reconfirmation + reliability ledger
F-015 / F-103Returns: Before self-serve shoots — no human to chase no-shows.
In-person safety kit (bring-a-friend, emergency contact, safety note)
F-205 / F-110 / F-111Returns: Before any 1:1 / private-location / self-serve shoot.
Durable bans (device / identity)
F-032Returns: Before self-serve signup — durable bans need ID (F-033).
Moderation SLA + runbook
F-038Returns: Formal SLAs (24h safety / immediate CSAM) before open.
The one place "minimal safety" can bite inside the beta — hosted images
The beta's biggest legal decision is hidden in the profile: does it ever host or cache a user image? If no(embed-only via the user's own authorized public IG render), the CSAM/hosting duty is at its narrowest. If yes (caching, manual upload, or storing the IG pull), the federal CSAM-reporting duty attaches the moment an image is stored — so a PhotoDNA hash-match baseline + quarantine-and-preserve + an NCMEC route must be in before the first stored image. The cheapest safe beta avoids hosting images at all.
For context: the open-marketplace trust floor is 14 Trust & Safety features at V1 — all returning launch-blocking at the bright line, which is the same milestone as the native-app build.
Still open
Beta open questions for Ian + Barbara
Each is a genuine decision the beta surfaces, with a defensible recommendation — but the calls are Ian + Barbara's. These fold into DECISIONS.md.
Does the beta HOST / cache user images, or embed-only?
Rec: embed-only via the user's own authorized IG render, no caching, for the first shoots — it keeps the CSAM/hosting duty at its narrowest. Settle this first; it changes the legal floor.
Verify the Instagram embedding path BEFORE building.
Rec: time-box a half-day spike on Basic Display API availability / migration + attribution + caching terms. If blocked, ship manual-photo-optional for the first shoots.
The exact retention threshold + metric.
Rec: define with Barbara before the gate; primary = '% who register for a 2nd shoot via the app,' e.g. ≥30–40%.
Calendar-vs-gate for SF → LA.
Rec: keep '6 months' as the aspiration but let the retention gate win — don't move to LA on a date if SF hasn't proven repeat participation.
Brand permanence: does bright/fun replace the editorial-darkroom direction?
Rec: adopt bright/fun as the brand of record for the consumer surface; retire the darkroom unless a clear reason returns it. (Anti-hot-or-not still binds.)
What is 'the ticket,' exactly — is it a true gate?
Rec: make registering-through-the-app the genuine gate, with a manual fallback so no one is turned away at a real event for an app glitch.
Minimal ToS / Privacy / 18+ for the beta — who drafts, by when?
Rec: lightweight now (lawyer-reviewed), complete before the open line. Engage counsel early.
The honest one-liner:Barbara's beta is the canon's concierge phase, pulled forward and built thin — it doesn't contradict the strategy, it sequences the cheap proof-of-retention before the expensive marketplace-and-safety build, and it draws a hard line at exactly the point where the expensive build becomes mandatory.