0 · Why this scenario
Of the six segments in the PRD, female rideshare drivers are the beachhead: largest per-user risk exposure (cash, isolation, strangers), highest willingness to pay (proven $15–25/mo for dashcams), lowest CAC (driver Slack/FB groups), and the only segment that exercises every Mayday capability — long shifts, app in background, locked phone-on-mount, hands on wheel, eyes on the road.
Scenario snapshot
Who
Maria, 31 — 5-year Lyft vet, full-time, drives Thu–Sun 8pm–3am. Two kids at home with her partner. Mom in Colombia. Drives a 2019 Camry with a dashcam mount and a phone-on-vent mount.
What
11:42pm, I-285 West, Atlanta. Mid-ride, passenger (male, late 20s, picked up near a bar) leans forward, grabs her arm, demands she “take the next exit and forget the GPS.” Airbag-deployed energy. Rear-seat camera was already on (dashcam), but her phone Mayday app is sleeping on the mount.
Why it matters
Without Mayday, Maria’s options are: fight, comply, or one-hand reach for the phone to dial 911 — all while driving 65mph with a stranger inches behind her. With Mayday, she speaks two words and the system handles the rest.
1 · Use-case map
13 use cases spanning pre-event (UC-1 → UC-5), the event itself (UC-6 → UC-11), and post-event (UC-12 → UC-13). Each UC links to its requirements at the bottom.
| ID | Use case | Actor | Trigger | Outcome |
|---|---|---|---|---|
| UC-1 | Discover the app | Maria | Driver Slack/IG ad | Visits App Store |
| UC-2 | Install the app | Maria | Tap "Get" | App on phone, account created |
| UC-3 | Onboard & configure | Maria + Mayday | First launch | Voice trained, contacts set, social templates, drill run |
| UC-4 | Run first safety drill | Maria + Mayday | Drill button | Full simulation, no real dispatch |
| UC-5 | Begin a shift | Maria + Mayday | Background arm | Voice listener active, idle |
| UC-6 | Trigger Mayday | Maria | Voice "Mayday Mayday Mayday" | Silent emergency state |
| UC-7 | Capture evidence | Mayday | Auto on trigger | Front+back cam + audio to cloud |
| UC-8 | Broadcast to trusted contacts | Mayday + Twilio | Auto on trigger | SMS+push to 5 contacts w/ live link |
| UC-9 | AI voice call | Mayday AI + BPO | Auto on trigger | Human voice on Maria's phone <30s |
| UC-10 | 911 dispatch | BPO + RapidSOS | Operator decides | 911 w/ location + audio relay |
| UC-11 | Resolve the event | All | Safe-word OR scene stabilized | Recording sealed, contacts notified |
| UC-12 | Evidence handoff | Maria + Mayday + police | Investigator requests | Signed evidence package |
| UC-13 | Post-incident care | Maria + Mayday + partner orgs | Event closed | Counseling referral, claims, debrief |
2 · UC-1 — Discover the app
UC-1 · DISCOVER
Primary actor: Maria · Secondary: Lyft driver Slack #safety, IG ad
Scenario
Maria is reading her driver-only Slack when another driver posts a screenshot of a Mayday-trigger event with the caption: "Used this twice. Both times the operator talked the guy down before I even had to stop driving." She taps the link.
Main flow
1.
Maria sees the post; clicks the App Store badge.
2.
App Store preview shows: 30-second hero video of voice trigger → operator voice → police lights; 4.8★ rating; "Built for drivers" badge; trust signals (SOC 2, 30-day evidence retention, $1M liability insurance).
3.
Reads privacy one-pager: data lives in US, 30-day auto-delete, audio is end-to-end encrypted, never sold.
4.
Referral code from Slack post auto-applies:
DRIVER-SLACK → first month free, then $9.99/mo.5.
Taps Install → UC-2.
Outcome
App downloaded. Referral attribution logged with 30-day cookie.
3 · UC-2 — Install & account creation
UC-2 · INSTALL
Maria + Mayday auth backend
Main flow
1.
App auto-opens to Phone-number signup (no email/password — phone-first for drivers who switch phones often). SMS OTP verification.
2.
Account created in
users table; subscription_status='trialing'; trial end = install + 30d.3.
Device-attestation ping to Apple/Google;
device_id + push token stored.4.
Background crash-safe warmup: S3 presigned upload URLs generated, KMS data key wrapped per user.
Pre-conditions
- iOS 17+ / Android 14+ (per PRD §6.1); older OS shows graceful "update required" screen.
Post-conditions
- Account exists; trial active; encrypted local vault initialized.
- App routes to UC-3 Onboarding.
4 · UC-3 — Onboarding & configuration
UC-3 · ONBOARD
Maria + Mayday iOS app
Main flow (≈90 seconds, single-screen-per-step)
1.
Permissions — animated explainer before each prompt, in this exact order: (a) microphone — drives wake-word listener; (b) location — Always Allow — drives broadcast map + 911 dispatch (foreground-only is rejected with a one-tap path to Settings); (c) camera — dual-cam evidence; (d) microphone + media-recording — Android MediaProjection / iOS mic-indicator shown during capture; (e) motion & fitness — fall/impact detection; (f) notifications + critical alerts (iOS) — broadcast delivery. Each screen has a "Why we need this" panel with a 10-second explainer. App remains unarmed until all 6 are granted.
2.
Trigger phrase training — Maria records "Mayday Mayday Mayday" three times in different tones (normal, whispered, shouted). On-device Picovoice enrollment generates a personalized wake-word model (encrypted, never leaves device).
3.
Safe-word — default "all clear, false alarm", editable. Recorded once.
4.
Trusted contacts (3–10) — auto-suggest from phonebook filtered for "favorites" + recent calls; Maria picks her partner, her mom, two driver friends, and a 24/7 dispatcher (Lyft's "Critical Response Line" — pre-bundled for drivers).
5.
Social blast templates (optional, off by default) — three pre-authored templates: short, medium, location-heavy. Maria picks "Short" and edits:
"I'm not safe. Last seen: [auto]. Call Lyft Safety: 855-865-9553."6.
Profile for the operator — Maria's name, photo, vehicle (gray Camry, tag [redacted]), Lyft driver ID, medical notes (none), preferred language (English + Spanish).
7.
Drill — routes to UC-4; cannot skip.
Post-conditions
Account fully configured; encrypted vault holds wake-word model + voiceprint; contacts indexed; routes to drill.
5 · UC-4 — First safety drill
UC-4 · DRILL
Maria + Mayday app + (mock) operator console
Purpose
Build muscle memory and prove the loop works on Maria's actual device, network, and voice — without dispatching anyone. Required monthly thereafter (auto-prompt).
Main flow
1.
Big red START DRILL button. 3-second countdown.
2.
Maria says the trigger phrase. App confirms: "Drill mode engaged. Recording. Simulated contacts being notified."
3.
App simulates the full sequence: capture 5s of video (kept locally, not uploaded), broadcast SMS to contacts prefaced [DRILL], mock AI voice says "this is a Mayday drill — please disregard."
4.
Maria says safe-word. Drill ends. Screen shows: timing budget met? (✓ all under targets), what to improve (e.g. "Trigger detected in 0.9s — good").
5.
Drill result logged (timestamp, latency, false/true) to tune Maria's personal false-trigger threshold.
Outcome
Maria has used the loop end-to-end. Trust established. App badge turns from SETUP to ARMED.
6 · UC-5 — Begin a shift (background arm)
UC-5 · SHIFT ARM
Maria + Mayday daemon
Main flow
1.
Maria plugs phone into vent mount, opens Lyft driver app (Mayday continues running in background). At 8:00pm she taps the Mayday Live Activity — status flips to ARMED — Listening.
2.
iOS Live Activity / Android Foreground Service starts. Mic indicator dot appears in status bar (Apple-required, cannot be hidden).
3.
On-device wake-word detector runs continuously, draining ~2.5%/hr battery (per PRD §11). GPS at 30-sec interval, IMU at 50Hz, audio at 16kHz mono (no upload until trigger).
4.
Optional: Shift mode auto-disarms at shift end (Lyft API integration in V2) or after Maria says "Mayday off."
5.
Quiet hours respected: do-not-disturb-style filters (no vibration, no banner) so the mic indicator doesn't draw passenger attention.
Edge cases handled
- Low battery (<15%) — banner suggests plugging in but stays armed.
- Airplane mode — listener stays on; broadcast queued & sent on reconnection; SMS falls back to local 911 push-button.
- Headphones connected — uses headset mic + speakers; still triggers normally.
7 · UC-6 — The trigger (t = 0)
UC-6 · TRIGGER
Maria (voice) → Mayday daemon
It is 11:42pm. Maria is on I-285 West, ~7 minutes from drop-off. The passenger has leaned forward and grabbed her arm. Both hands should be on the wheel.
Main flow
1.
Maria speaks, voice level ~70dB (whisper-shout), clearly: "Mayday Mayday Mayday."t = 0.00s
2.
On-device wake-word model (Picovoice) scores the audio against her personal embedding. Confidence 0.94 — above personalized threshold 0.86.t = 0.72s
3.
Silent handoff: ringer muted, haptic off, screen stays at current brightness (no flash), Lyft driver app stays foreground (no app-switch tell). A long, single, very soft haptic pulse fires once so Maria feels confirmation without the passenger noticing.t = 0.80s
4.
Phone screen shows a tiny unobtrusive Mayday Live Activity chip: "● Recording — Mayday active". Tap = status; long-press = safe-word.
5.
Parallel fork: UC-7 (capture), UC-8 (broadcast), UC-9 (voice call) all triggered simultaneously.
Acceptance criteria
- End-to-end trigger latency (last syllable → capture start) ≤ 1.0s (P95).
- Passenger cannot detect the trigger from screen, sound, or vibration.
- If trigger is in error, safe-word stops the event within 5s of speaking it.
8 · UC-7 — Evidence capture
UC-7 · CAPTURE
Mayday daemon → S3 vault
Main flow
1.
Front camera (rear-facing seat cam) + back camera (driver-cam) start simultaneously. Audio captures 16kHz mono. Resolution 720p to keep uplink ≤ 2 Mbps.t = 1.0s
2.
Each 5-second chunk is encrypted (AES-256-GCM, key wrapped per-user), SHA-256 hash computed, and uploaded to S3 via presigned multipart URL.t = 1.2s onward
3.
Each chunk's hash is appended to an append-only ledger in Postgres (
event_chunks table) — this is the chain-of-custody receipt.4.
S3 Object Lock (Compliance mode) is enabled on the bucket — even Mayday engineers cannot delete or modify before the legal hold is lifted.
5.
GPS pings every 5s, IMU 50Hz, barometer 10Hz — appended to the same event log.
Edge cases
- Cell drops — chunks queue locally; upload resumes automatically; ledger records gaps.
- Storage full — older chunks drop first; current event never dropped.
- Phone damaged — captured-so-far is safe in cloud; on-phone vault preserves the last 30 min locally until next reconnect.
Acceptance
- 30-min continuous capture without dropping a chunk.
- Chain-of-custody hash verifiable end-to-end.
- Auto-purge after 30 days unless flagged by UC-11 / UC-12.
9 · UC-8 — Broadcast to trusted contacts
UC-8 · BROADCAST
Mayday + Twilio
Main flow
1.
Mayday enqueues a
broadcast job: 5 contacts × {SMS + push + email fallback}.t = 1.2s2.
Twilio Programmable Messaging sends SMS in parallel. Template: "MAYDAY: Maria triggered Mayday at 11:42pm. Live audio + map: mayday.app/e/. Tap to listen. Reply SAFE to acknowledge." Sent from a short-code
884-233 (MNDAY).3.
Each link is a signed, no-login web view showing: live GPS pin updating every 5s, current speed/heading, live audio (WebRTC, opt-in), and a button "Call Maria" / "I'm calling 911" / "She's safe — disarm".
4.
Push notifications sent to contacts who have the Mayday app (Maria's partner does, from UC-1 referral).
5.
If social blast enabled: posts a single Mastodon/X tweet via her pre-authorized template (none here — disabled).
Acceptance
- SMS delivered to all 5 contacts within 5s of trigger (Twilio median ≈1.4s in US).
- Live audio link is opt-in per contact (default opt-in for marked "always listen").
Failure modes
- Twilio down — fall back to Bandwidth; then to Apple/Android push with SMS retry via secondary provider.
- Contact phone off — SMS queues; voicemail fallback is OPTIONAL and requires user pre-consent (avoids legal issues).
10 · UC-9 — AI voice call & operator handoff
UC-9 · VOICE
Mayday AI + BPO operator + Maria
This is the heart of the system — and the bet that no other safety app makes.
Main flow
1.
Mayday places an outbound Twilio call from a Mayday-owned number (e.g.
+1 (404) 555-MDAY) to Maria's phone. Audio is auto-answered at low volume so the passenger may not notice immediately.t = 4s2.
AI voice agent (OpenAI Realtime, custom system prompt for safety) opens: "This is the Mayday Safety Service on a recorded line for Maria. Maria, you triggered Mayday. I'm here with you. I can hear what's happening. Nod if you want me to stay silent."t = 6s
3.
In parallel, the AI opens a Twilio call to the first available BPO supervisor in the 24/7 queue. Live audio + GPS stream from Maria's phone is also piped to the supervisor's web console via LiveKit.t = 4–10s
4.
Supervisor Jordan (Atlanta-based, ex-911 dispatcher) accepts. AI summarizes: "User Maria, rideshare driver, threat in progress, passenger male late-20s, location I-285 West mm 22, speed 64 mph, audio: shouting."t = 18s target, t = 24s actual
5.
Jordan takes over voice on the line. He speaks calmly, addressing the passenger by inferred name from the Lyft manifest: "Hey, this is Jordan with the Mayday Safety Service. I'm listening live. We've already contacted police and they have your plate. Maria is going to pull over at the next well-lit exit. Stay calm." — a verbal de-escalation tactic shown to reduce assault probability in transit settings.
6.
Jordan presses DISPATCH in the console → UC-10.
Why a human, not just AI
- De-escalation research (Police Foundation, FBI BAU) shows trained humans outperform AI in crisis dialogue.
- Operator judgment on "is this real?" is faster and more accurate than any 2026 LLM.
- Liability: a licensed human dispatcher on the call is the legal lever insurance + courts accept.
Acceptance
- Human voice on Maria's line ≤ 30s P95.
- Recording chain-of-custody unbroken from Maria's phone to operator's headset.
11 · UC-10 — 911 dispatch
UC-10 · DISPATCH
BPO operator + RapidSOS + PSAP
Main flow
1.
Jordan clicks DISPATCH. RapidSOS Ready payload pre-built: GPS (33.7891, -84.4692), speed 64mph, last 60s audio clip, user profile (Maria, female 31, no weapons, no medical), vehicle plate, attached evidence link.
2.
RapidSOS pushes to the appropriate Fulton County PSAP. The 911 dispatcher sees the case auto-populate.
3.
Jordan stays on the line with Maria. Simultaneously he calls 911 voice via a dedicated RapidSOS line that supports audio relay. He relays: "Mayday Safety, calling on behalf of Maria [last], rideshare driver, currently westbound I-285 mm 22, passenger threatening, audio relay active, plate Georgia [ABC-123]."
4.
Maria, hearing Jordan's calm voice, signals she can pull over. Jordan coaches her: "At the next exit, well-lit gas station. Stay in the car, doors locked, engine running."
5.
Two Georgia State Patrol units dispatched. ETA 4 minutes.
6.
Maria exits at the well-lit Shell station. Passenger sees the lights behind him. He bails out of the car and runs; troopers pursue.
7.
Maria is safe, in her locked car, on the line with Jordan. Troopers return to take her statement.
Edge cases
- PSAP rejects audio relay (some rural jurisdictions) — fall back to text-to-911 + voice-only relay to Maria.
- Cell signal lost — last-known GPS sent; BPO continues calling Maria's voicemail with pre-recorded instruction.
- Maria becomes unreachable — escalation: call partners, call Lyft's Critical Response Line, then 911 with cell-silent dispatch.
12 · UC-11 — Resolve the event
UC-11 · RESOLVE
Maria + BPO + Mayday
Main flow
1.
Maria, now safe, says safe-word: "All clear, false alarm... no, all clear, I'm safe." Safe-word is verified against her voiceprint.
2.
Mayday transitions from ACTIVE → RESOLVING. Capture stops. Live audio links to contacts auto-revoke in 60s.
3.
Jordan asks the four post-event questions: "Are you injured? Do you need medical? Do you want Lyft to send a replacement driver? Do you consent to share the recording with police?"
4.
Maria says: injured no, medical no, replacement yes, share yes.
5.
Mayday generates a one-page incident PDF + evidence bundle, links sent to Maria and (with her consent) the trooper on scene.
6.
Trusted contacts receive: "Maria has resolved her Mayday event. She's safe." + care resources.
7.
Lyft Critical Response Line receives a structured event JSON for their own internal tracking.
Outcome
Event sealed. Maria is physically safe. Recording held under legal hold pending UC-12. Total elapsed trigger-to-resolve: 11 minutes 14 seconds.
13 · UC-12 — Evidence handoff
UC-12 · EVIDENCE
Maria + Mayday + investigating officer + DA
Main flow (3 days after the event)
1.
Detective Alvarez (case #2026-GA-048812) requests the recording. Maria consents in-app: 4-digit PIN + biometric.
2.
Mayday generates an Evidence Bundle: incident PDF, original MP4 (encrypted, decrypted server-side), SHA-256 manifest, GPS+IMU log, full operator transcript, chain-of-custody log.
3.
Detective receives a one-time signed URL (24h) to download, plus a notarized chain-of-custody PDF (Mayday is an authorized e-notary in GA).
4.
Passenger is arrested 9 days later, identified via Lyft's facial-recognition partnership (with warrant). Recording is admitted as evidence.
5.
Mayday retains the original for 1 year (or per Maria's preference), then auto-deletes per privacy policy.
Compliance anchors
- Fed. R. Evid. 901 (authentication) — chain-of-custody PDF + notarized hash.
- Fed. R. Evid. 902(13)/(14) — certified records from a digital process.
- GA two-party consent (OCA §16-11-66) — recording disclosed on AI/human handoff (PRD §12).
14 · UC-13 — Post-incident care
UC-13 · AFTERCARE
Maria + Mayday + partner orgs
Main flow
1.
Within 24 hours, Mayday prompts Maria: "How are you feeling?" Quick-reply chips: I'm shaken but OK · I want to talk to someone · I want to take the night off · I'm fine, back to driving.
2.
If she picks "shaken" or "talk to someone" — Mayday offers a free 30-min session with a partner therapist (Lyft's partnership with Lyft Healthcare, or RAINN for non-Lyft users).
3.
Workers'-comp paperwork pre-filled for Lyft (assault-on-driver is covered in most states; CA, NY, IL first to mandate).
4.
Mayday offers to schedule a free shift-cash reimbursement: $250 Lyft credit for lost fares that night.
5.
Optional: anonymous story sharing (with consent) to power Mayday's PR & future audio-event ML training.
6.
30-day check-in: "Are you still driving? Want us to tune your trigger phrase to be more sensitive / less sensitive?"
Why this matters
Aftercare is the lever that turns a one-time user into a 5-year subscriber. It also reduces PTSD-driven churn — and is the highest-impact part of the product for the user's actual recovery.
15 · Cross-cutting error & edge cases
| Scenario | Detection | Fallback |
|---|---|---|
| False trigger (cough / sneeze / TV in background matches voiceprint) | Personalized threshold + audio-event cross-check | AI pre-screen for 8s; if no threat signals, automatic safe-disarm; user sees "Was that you? Tap to confirm" |
| Phone stolen mid-event | Disconnect + GPS shows sustained motion faster than running | Operator calls the phone; if no answer, calls partners; if threat to operator is heard, immediate 911 dispatch via cell-silent |
| Cellular outage (rural / subway / jamming) | No ack from cloud within 5s of trigger | Local 30-min buffer; auto-flush on reconnect; pre-cached SMS via satellite (iOS 18 emergency SOS via satellite) |
| Battery dies | Last gasp event with last GPS+audio chunk | Cloud-broadcast "Phone went dark at X" to contacts; contacts receive Mayday operator call to coordinate on-the-ground help |
| Passenger sees the screen | n/a | Stealth UI design (PRD §4 C10); Live Activity chip is small + dim |
| Voice model stolen (someone records Maria saying trigger) | Motion / grip / heartbeat cross-check (Watch, V2) | Multi-factor: voice + sustained grip pressure + Watch heart-rate spike |
| BPO queue full | Queue depth > N seconds | AI extends handling; auto-pages secondary BPO; SLA breach logged |
| 911 audio relay rejected | PSAP auto-responds "no audio relay" | Fallback to text-to-911 + voice call from Mayday number relaying to Maria |
| Maria says safe-word mid-event | Voice match + no concurrent threat audio | Stop capture, notify contacts "false alarm," log for threshold tuning |
16 · Requirements derived from these use cases
Each UC implies concrete engineering, ops, and product requirements. Pulling the highest-leverage ones:
| Req ID | From UC | Requirement | Acceptance |
|---|---|---|---|
| R-1 | UC-6 | On-device wake-word detection with personalized model | Detection latency P95 ≤ 1.0s; FAR ≤ 1.5/user/mo |
| R-2 | UC-6 | Silent handoff (no screen flash, no audio cue) | Passenger-detection test in usability lab ≤ 5% |
| R-3 | UC-7 | Dual-camera + audio concurrent capture with 5s encrypted chunking to S3 | 30-min continuous capture without dropping a chunk |
| R-4 | UC-7 | Append-only chain-of-custody ledger | Every chunk SHA-256 logged; tamper-evident |
| R-5 | UC-8 | Broadcast to N contacts via Twilio + push + email | Delivered to ≥4/5 contacts within 5s |
| R-6 | UC-9 | Outbound Twilio call from Mayday number to user, AI-greeted | Call placed within 5s of trigger |
| R-7 | UC-9 | BPO supervisor console with live audio + GPS + transcript | Human voice on user line P95 ≤ 30s |
| R-8 | UC-10 | RapidSOS / Carbyne integration for 911 | Case auto-populates at PSAP; audio relay supported where jurisdiction allows |
| R-9 | UC-10 | Verbal de-escalation playbooks for operators | Operators certified per Police Foundation standard |
| R-10 | UC-11 | Voiceprint-verified safe-word | Disarm within 5s of safe-word spoken |
| R-11 | UC-12 | Notarized evidence bundle export | Detective-acceptable per Fed. R. Evid. 901/902 |
| R-12 | UC-13 | 24h aftercare prompt + partner network (RAINN, Lyft Healthcare, therapists) | ≥40% of users engage aftercare; partners contracted in 10 states by launch |
| R-13 | UC-3 | Mandatory first-run drill + monthly cadence | Cannot skip; 70% monthly retention of drill habit |
| R-14 | UC-5 | Battery drain ≤ 5%/hr during shift arm | Measured on iPhone 12 and Pixel 6 baseline |
| R-15 | UC-3 | Always-Allow location enforced before app is armed | Foreground-only ("While Using") is rejected with one-tap Settings CTA; app stays unarmed; cached last 24h of fixes available offline |
| R-16 | UC-3 | Always-on microphone + media-recording permissions enforced; iOS mic-indicator and Android MediaProjection-prompt supported | All 6 onboarding entitlements (mic, location-Always, camera, mic+media-recording, motion, notifications+critical alerts) granted before first-run drill; trigger-time MediaProjection completes in < 2s |
Appendix · What this document proves
- Capability is concrete, not aspirational. Every step has timing, owner, and failure mode. The system survives the realistic messiness of a 65-mph attack by a stranger in the back seat.
- Viability shows up in the seams. Referral attribution (UC-1), trial conversion (UC-2), drill-driven retention (UC-4), aftercare-driven LTV (UC-13) — each UC maps to a revenue or retention lever.
- The hard parts are named, not hidden. False triggers, phone-theft mid-event, battery death, 911 audio rejection, BPO queue saturation, voice-model theft — all listed with detection + fallback.
- Compliance is built-in. Two-party consent, evidence admissibility (FRE 901/902), e-notary, S3 Object Lock — baked into UC-9, UC-11, UC-12.