Architectural Premise
Agent Hita follows a notification-to-self and alert-to-guardian model. The person being protected is always the first to know when something may be wrong. Guardians receive only exception-based alerts when a genuine threat is detected.
| Data Flow |
Destination |
Content |
| Notifications |
Local device only |
Contextual safety warnings shown to the user themselves |
| Alerts |
Guardian email (if configured) |
Triggered only on detected threat — minimal metadata, no transcripts |
| Everything else |
Stays on device |
Full analysis, patterns, reasoning — never leaves the device |
This architecture means the primary audience is the person being protected, not the watcher. Agent Hita is closer to a smoke detector than a security camera.
Identity and Account Model
Agent Hita does not require users to create an account, sign in, or provide any personal information. There are no usernames, passwords, or personal profiles — on the device or on our servers.
When the app is first installed, it generates a random anonymous device identifier. This ID is not linked to any personal identity and cannot be used to identify who the user is. It serves two purposes only:
- Routing guardian alerts: when a threat is detected and a guardian has been configured, the anonymous device ID is used to route the alert email to the correct recipient.
- Remote configuration: the ID allows Agent Hita to receive updated risk thresholds, harm phrase lists, and help resource URLs without requiring an app update.
The guardian's email address is the only piece of personal data that ever reaches our servers — held server-side solely to relay alert emails, never stored on the device after setup, and never used for any other purpose. No message content, contact names, conversation history, or user identity data is ever transmitted.
This design preserves the core privacy promise: we are architecturally unable to build a profile of any user, because we never ask them who they are.
Core Consent Principles
Four principles guide how Agent Hita handles consent across all deployment scenarios.
Consent is ongoing
Consent is not a one-time checkbox. It should be renewable, visible, and revocable within appropriate bounds for each user category.
Awareness scales with maturity
All monitored parties should have appropriate awareness. Even when full control is not granted, visibility increases with age and capability.
Resist coerced consent
The system must account for scenarios where someone is pressured to install, maintain, or disable monitoring against their true wishes.
Third parties have interests
People messaging a monitored user did not consent to analysis. The system must minimize what is captured about them.
User Categories and Consent Tiers
Agent Hita defines three user categories, each with distinct consent requirements, visibility levels, and risk thresholds.
Category A: Self-Protecting Adults
Adults who install Agent Hita for themselves, such as someone exiting an abusive relationship or an adult concerned about scams.
| Installation consent |
Full informed consent with plain-language explanation |
| Configuration control |
Complete — user controls all detection categories, thresholds, and disclosure tiers |
| Guardian/alert recipient |
Self-selected trusted contact, or none |
| Revocation |
Immediate and complete at any time |
| Visibility |
Full access to all flags, reasoning, and logs |
| Risk thresholds |
Standard adult thresholds — configurable by the user |
Category B: Adolescents
Minors with developing autonomy where parental oversight is legally appropriate but should not be absolute.
| Installation consent |
Parent/guardian installs; adolescent is informed — not secret surveillance |
| Visibility |
Adolescent knows monitoring is active and has increasing visibility into flags as they mature |
| Configuration control |
Parent sets initially; adolescent gains input rights over time |
| Revocation |
Transitions to Category A (self-control) when the user reaches adulthood |
| Coercion safeguard |
Escalation path to external resource if adolescent reports coercive use |
| Risk thresholds |
Lower than adult thresholds — the same message carries higher risk for a younger person |
Category C: Children
Young children where parental responsibility is primary but age-appropriate awareness should still exist.
| Installation consent |
Parent/guardian only |
| Child awareness |
Age-appropriate explanation: "This app helps keep you safe from mean or tricky people online." |
| Visibility |
Child knows Agent Hita exists; does not see flags or details |
| Configuration |
Parent-controlled |
| Risk thresholds |
Lowest thresholds — highest sensitivity to potential harm |
| Transition |
Automatic shift to Category B with explicit onboarding conversation as the child matures |
Third-Party Communicator Protections
People messaging a monitored user did not consent to Agent Hita. The system minimizes exposure to their communications.
- No identity logging: Contact names are anonymized using a one-way cryptographic hash before any storage or transmission — plaintext contact identity is never stored or sent.
- No content export for non-flagged messages: Only messages meeting a harm threshold are eligible for any external disclosure.
- Aggregate over attribute: Report "3 contacts show escalating pressure patterns" rather than identifying specific individuals.
- Flagged content minimization: Even in Tier 3, only the minimum necessary metadata is exported — never full transcripts.
Guardian Alert Specification
Guardian alerts are exception-based notifications sent only when a genuine threat is detected. They follow the minimum necessary disclosure principle.
Alerts Include
- Harm category (e.g., "potential sextortion pattern detected")
- Severity level
- App name where it occurred
- Recommended action and reporting resources
Alerts Never Include
- Message content
- Contact name or number
- Conversation history
- Screenshots
- Precise timestamps
Example Guardian Alert Email
Category: Sexual manipulation / image solicitation
Severity: High
App: WhatsApp
What this means: Agent Hita detected a conversation pattern consistent with someone attempting to solicit private images through pressure or manipulation.
Recommended action: Have a calm, non-accusatory conversation with your child. Focus on their safety, not punishment. If you believe a crime has occurred, report it to the NCMEC CyberTipline.
No message content is included in this alert. Your child has also received a private notification on their device.
Anti-Coercion Design Patterns
These safeguards prevent Agent Hita from becoming a tool of abuse, whether by controlling partners, abusive family members, or anyone misusing the guardian role.
1
Installation Transparency
The monitored person is always informed that Agent Hita is active on their device. Monitoring is never secret.
2
Safe Exit Pathway
If the monitored user searches for terms like "am I being monitored," "domestic abuse help," or "how to remove monitoring," Agent Hita suppresses all analysis, surfaces crisis resources and helplines privately on the device, and does not alert or notify the guardian. No record of the query is kept.
3
Periodic Autonomy Prompts
Every 90 days, the monitored user receives a private prompt confirming they still consent to monitoring. Their response is never shared with the guardian or transmitted anywhere.
4
User-First Notification
The monitored user always receives a private on-device notification before or at the same time as any guardian alert — never after. The person being protected always knows first.
Consent Ceremony Specification
The moment of installation matters. Agent Hita avoids click-through consent in favor of meaningful understanding.
Step 1: Guardian Configuration
- Guardian provides email for alerts
- Selects threat categories (all on by default)
- Sets alert threshold (recommended: high-severity only to minimize false alarms)
- Acknowledges: "I will only receive alerts when a threat is detected. I will not see message contents."
Step 2: User Onboarding (Required, Not Skippable)
Age-appropriate screen shown to the monitored user:
Agent Hita is now active on your device
What it does: Watches for dangerous patterns like threats, manipulation, or people trying to trick you.
What you'll see: If something seems unsafe, you'll get a private notification explaining why.
What your parent sees: They only get an email if something serious is detected — like someone threatening you or trying to manipulate you into something harmful. They don't see your messages.
Step 3: Confirmation Receipt
Both parties have acknowledged understanding. Timestamp stored locally as record of consent.
User Notification Behavior
Local notifications empower the user to recognize and respond to potentially harmful situations in real time.
- Cannot be disabled: Safety notifications are a core feature, not a preference. Users may mute sound or vibration for social privacy, but cannot turn off warnings entirely.
- User sees more than guardian: The monitored user always knows which conversation triggered a flag — they should understand more, not less, than the guardian.
- Contextual and educational: Notifications explain why a pattern is concerning, helping the user build judgment over time.
Escalation Paths
Monitored users who feel Agent Hita is being used unfairly or coercively have recourse.
- In-app link to external resources — child helplines, domestic abuse hotlines, crisis support
- Safe search passthrough: queries about monitoring or abuse surface help resources locally without triggering any alert
Open Questions
The following questions require further specification as Agent Hita moves toward deployment.
- Legal guardianship verification: How do we confirm someone is actually a legal guardian versus a controlling partner claiming to be one?
- Cross-border complexity: Age of majority, privacy laws, and parental rights vary globally. Should Agent Hita implement locale-aware consent flows?
- Consent to specific harm categories: Should users be able to say "monitor for sextortion but not financial scams"? More control means more complexity.
Conclusion
Agent Hita is built on the premise that safety and dignity can coexist. The consent model described here ensures that protection does not require surveillance, that awareness scales with maturity, that coercion is actively resisted, and that the person being protected is always empowered — never just watched.
By keeping analysis local, limiting guardian alerts to genuine threats, excluding message content from external disclosure, and building anti-coercion safeguards into the architecture, Agent Hita offers a new model for digital safety: one where people are protected without losing control over their own lives.