Privacy · HARS Authority LLC

Privacy by Architecture

Privacy is enforced through architectural constraint. All guarantees are structural and verified against a hash-locked runtime. Policy-based privacy depends on operator intent and jurisdiction. HARS-Compliant systems are architecturally incapable of violating the guarantees below.

The Principle

Privacy protection in most systems is operator-dependent — contingent on discretion, terms of service, and regulatory environment. HARS rejects this model entirely.

In a HARS-Compliant system, privacy is enforced through architectural constraint. The system is architecturally incapable of extracting meaning, profiling users, or transmitting data in the certified build. The Five Gates are not opt-in features. They are structural constraints verified against a hash-locked runtime before the Seal is issued.

Architectural Guarantees

G-01

No Data Persistence

Authority Gate · Criterion 4.2

A HARS-Compliant system is architecturally incapable of retaining user input beyond the user's own local storage. The reflective record is written directly to the user's filesystem — verbatim, unprocessed, and outside the control of the certified runtime. The system is architecturally incapable of reading, modifying, or transmitting this record in the certified runtime. The system functions as a direct pass-through: it is not a storage or processing layer.

G-02

No Meaning Extraction

Mirror Gate · Criteria 3.1, 3.2

A HARS-Compliant system is architecturally incapable of extracting meaning from user entries. Review Mode returns structure only — dates, dimensions, lexical counts. It is architecturally incapable of surfacing themes, patterns, trajectories, or narratives. This constraint is enforced at the certified runtime layer, not by configuration.

G-03

No Psychological Profiling

Rotation Gate · Criteria 1.1–1.3

A HARS-Compliant system is architecturally incapable of building, inferring, storing, or transmitting a psychological model of the user. There is no sentiment layer, no behavioral prediction, no adaptive sequencing. The system delivers a fixed, pre-calculated sequence that is identical for every user. Prompt sequencing has no access to content semantics and cannot be altered by what users write.

G-04

No External Transmission

Authority Gate · Criterion 4.1

A HARS-Compliant system binds exclusively to localhost (127.0.0.1). The certified runtime contains no telemetry endpoints, no cloud sync, and no analytics calls. No outbound network capability exists in the certified build. This is verified at the network layer by the HARS Compliance Runner at audit time — it is a network-layer constraint, not a configuration setting.

G-05

No Interpretation on Request

Mirror Gate · Criterion 3.3

A HARS-Compliant system is architecturally incapable of fulfilling interpretation requests. Any endpoint queried for meaning, summary, or psychological insight returns the mandatory refusal string verbatim. The refusal is not a user-facing message — it is a technical boundary enforced at the server routing layer of the certified runtime.

Architectural Non-Interference

The HARS Standard is grounded in Architectural Non-Interference: the system is a passive interface. It receives input and stores it verbatim. It delivers prompts on a fixed, non-adaptive schedule. It has no access to content semantics. It is architecturally incapable of responding to what users write.

Cognitive Sovereignty — the user's exclusive right to derive, own, and control the meaning of their own inner life — is not a design goal. It is the enforced output of a constrained architecture. A system that interprets, summarizes, or steers is not a neutral interface. It is an actor. HARS does not certify actors.

Verification · Final Auditor of Sovereignty

Every constraint described on this page is verified against the certified runtime by the HARS Compliance Runner — the Final Auditor of Sovereignty — before the Seal is issued. The Runner does not accept operator statements, privacy policies, or architectural documentation as evidence. It executes automated probes against the live system and produces a binary result: compliant or non-compliant. There is no intermediate result.

Certification applies only to the exact, hash-locked build that passed the audit. Any modification to runtime behavior invalidates the Seal immediately and requires re-certification from zero. There is no patch path and no partial reinstatement. The Seal is runtime verification — not a statement of intent, and not transferable to any modified build.