What 'on-device' actually means (and what it doesn't).

'On-device' has quietly become the most abused word in the recording category. Here is exactly what runs on your iPhone, what leaves it, when, and why we won't hand you a slogan you'd have every right to distrust.

'On-device' has quietly become the most abused word in the recording category. It shows up on landing pages next to claims that don't hold, deployed to mean 'private' when it really means something specific and limited. I'd rather tell you exactly what it means in Bonfiyah — what runs on your device, what leaves it, when, and why — than hand you a slogan you'd have every right to distrust. Precision here isn't pedantry. It's the difference between a privacy claim you can rely on and one that falls apart the first time someone reads it carefully.

Around the fire, the circle only included who you could see. Nobody promised the conversation stayed in the clearing while quietly sending it over the next hill. The honest version of that promise, in software, is to say plainly where the words go.

What runs on your device.

When you record with Bonfiyah, the real-time transcription — turning what's being said into text as it's said — runs on your iPhone (or iPad, or Mac; it's a universal Apple app, all three synced over iCloud). The audio is processed locally to produce the live transcript. That's what 'on-device transcription' means, and it's a real, meaningful property: the everyday path of recording a conversation and getting a transcript does not require shipping your audio anywhere.

It also means the app keeps working in places the cloud can't reach. A basement clinic, an elevator, a field site with no signal — the recording captures and the transcript builds, because the work isn't waiting on a round-trip to a server.

What leaves your device, and exactly when.

Here's the part the slogans skip, and the part you actually want to know. There is an optional cloud-processing pass — a higher-accuracy transcription path, plus the Pro AI features that reason over your library. When that pass runs, audio (or transcript) leaves your iPhone to be processed. Real-time transcription runs on-device; audio leaves your iPhone only for the optional cloud-transcription pass you control.

Three things make that sentence safe to rely on.

It's optional. The cloud pass is something you control and enable. It's tied to whether you've turned on iCloud sync and cloud processing. If you haven't, the on-device path is what you get — no background default, no quiet exception.

It's specific. Audio leaves your device only for that pass — not as a background default, not silently, not 'to improve our service.' There's a defined reason it goes, and that reason is a thing you asked for.

It's bounded by a commitment. We do not train AI on your transcripts. That's not a marketing line — it's a binding commitment. Your conversations are processed to give you features, not to feed a model.

That's the whole shape of it: on-device by default for the core transcription, with a clearly labelled, user-controlled door for the optional pass that powers the higher-accuracy and AI layers. You can read the longer version on the privacy commitment page, which spells out the data handling rather than gesturing at it.

Why we won't say 'your audio never leaves your phone.'

You'll see that exact phrase — 'your audio never leaves your device,' '100% on-device, always' — all over this category. We won't write it, and the reason matters.

It isn't true for any app that offers a cloud-accuracy mode or cloud-based AI features, including ours when you turn those on. Saying 'never leaves your phone' while operating an optional cloud pass is, at best, a claim that quietly contradicts the product. At worst, in a category where recording law and privacy litigation are live and active, it's the kind of absolute that doesn't survive contact with discovery. We'd rather be precise than impressive. 'On-device for the core transcription; audio leaves only for the optional cloud pass you enable and control' is a longer sentence, and it has the advantage of being one we can stand behind in front of a lawyer.

The tell, when you're evaluating any recording app: an honest privacy claim names the exception. If a page promises absolute on-device privacy and also advertises cloud AI summaries, those two claims can't both be fully true, and the one that gives is the privacy one. The apps worth trusting are the ones that tell you where the door is.

Consent is a separate promise from privacy.

It's worth separating two things that get blurred together, because they're different protections doing different jobs.

Privacy is about where your data goes once a recording exists. Consent is about whether the recording should exist the way it does in the first place — whether the other people in the room agreed. Bonfiyah's consent tooling handles the second: it surfaces the consent rule for your location, captures verbal consent when you want it, and keeps an exportable log. It ships in every tier, free included.

One precision on consent that's the cousin of the privacy precision above: consent surfaces the rule for where you are. It does not tell you a recording is 'legal,' and it isn't legal advice. Same discipline — say exactly what the tool does, never more than it does. That same care extends to the voice layer underneath everything, where the binding between a voice and a name has real downstream consequences; if you want the engineering version of that honesty, the Voice ID page walks through how the matching works and where it can be wrong.

What this isn't.

This isn't a claim that Bonfiyah is the most private recording app in existence, or that no data ever moves, or that you should turn off the cloud features. The cloud pass is genuinely useful — it's where the higher-accuracy transcription and the AI layer live — and plenty of people will rightly want it on. The point of this piece isn't to scare you off the cloud. It's to make sure that when you decide, you're deciding on the real picture: on-device by default, an optional pass you control, a no-training commitment, and a company willing to tell you where the door is instead of pretending there isn't one.

If a privacy claim can't name its own exception, it isn't a privacy claim. It's a slogan.

Decide with the real picture.

The best way to trust a privacy posture is to use the product knowing exactly how it works — which is the whole reason this piece exists. Record with the on-device path. Turn the cloud pass on when you want the higher accuracy and the AI features, off when you don't. The control is yours, the behaviour is the behaviour described here, and the commitment not to train on your transcripts holds either way. Bonfiyah is free to start.

The clearing only ever held who you could see. We'll always tell you, plainly, when a word travels past the firelight.

— Richard
