Three statuses. Two privilege flags. One source of truth.
Three speaker statuses (Granted, Unknown, Internal Use Only), two Privilege flags (per-speaker and per-story) with two type variants (Attorney-Client or Doctor-Patient), and an identity bit so You always renders as itself. The app shows each state visually — and the same marking carries into every email, every PDF, every SMS, every Markdown export.
v3.0.911 · The Privileged picker now lets you choose between Attorney-Client (legal) and Doctor-Patient (medical) at recording start, mid-recording, or anytime during playback. The banner, subject prefix, and PDF header reflect whichever type you chose.
Why three statuses plus two flags, not a single on/off toggle.
Most recorders treat consent as a single on/off toggle. Real conversations have nuance. A speaker who hasn't been asked yet is different from one whose contributions are for internal review only. Attorney-client work requires an affirmative legal marking that's distinct from any consent decision — and that marking can apply to a single speaker (when only the attorney in the room is privileged) or to the whole conversation (when the entire meeting is work product). The model maps directly to the decisions that actually get made.
Every other state in Bonfiyah's UI — every banner, every pill, every export header — is derived from this single source of truth. Change a status or flip a flag; every surface updates.
When a user revokes consent, the speaker returns to Unknown. Revocation is a state transition recorded in the audit log — not a separate stored state. See the audit log section for how the transition is captured and exports as evidence.
Reference
The five speaker markings.
Each row is one marking a speaker can carry: three consent statuses, one per-speaker Privilege flag (Attorney-Client or Doctor-Patient), and an identity bit for the app owner. Story-level Privilege is a sixth marking that applies to the whole conversation — that one gets its own section below. Badge mocks match the iOS app exactly. Email and PDF pills show how recipients see the marking when you share the recording.
| State · Badge | When it applies | Email pill | PDF pill |
|---|---|---|---|
| You | The speaker is the app owner. Set automatically. | Consent Granted | green pill |
| Granted | User tapped "Grant consent for this story" — or the speaker replied "yes" to a consent SMS, or the consent prompt captured a verbal yes at record-start. | Consent Granted | green pill |
| Unknown | No consent record yet. Default state for any speaker who hasn't been asked or confirmed. | Consent Unknown | grey pill |
| Internal Use Only | User tapped "Mark Internal Use Only." Signals to recipients that the speaker's contributions are for internal review, not external share. | Internal Use Only | purple pill |
| Privileged (Attorney-Client or Doctor-Patient) | User tapped "Mark this speaker as Privileged" on the shield menu, then picked the type — Attorney-Client (legal) or Doctor-Patient (medical). Legal/medical marking — overrides consent display. The banner, subject prefix, and pill reflect whichever type was chosen. | ATTORNEY-CLIENT / DOCTOR-PATIENT | red pill (lock-shield icon, all caps) |
Story-level privilege
Mark a whole conversation, not just one speaker.
Per-speaker privilege handles the case where only one party in a multi-party meeting is privileged — the attorney in a legal meeting, or the clinician in a medical one. Story-level privilege handles the other case: when the entire conversation is privileged work product.
Flip the "Mark Privileged" checkbox in the story metadata row and pick the type — Attorney-Client (legal) or Doctor-Patient (medical). The banner, subject prefix, and PDF header below show the Attorney-Client variant; Doctor-Patient renders identically with DOCTOR-PATIENT PRIVILEGE in place of the attorney-client text. When on:
- Red ATTORNEY-CLIENT PRIVILEGE banner at the top of every email summary you send
- [ATTORNEY-CLIENT PRIVILEGE] subject-line prefix on every outgoing email
- Same red banner at the top of every PDF export
- Red pill on the Stories list cell so the marking is visible at a glance
- Plain-text banner on SMS and Markdown share fallbacks — recipients without HTML still see the marking
Per-speaker and story-level privilege are independent. A user can mark a single attorney as Privileged inside an otherwise un-privileged story, mark the whole story as Privileged, or both.
Subject
[ATTORNEY-CLIENT PRIVILEGE] Smith v. Jones — settlement strategy review
Attorney-Client Privilege
This communication is protected work product. Do not forward.
Story · Settlement strategy review
Recorded 2026-05-09 · 47 min · 3 speakers
Mock — every Bonfiyah email export with story-level privilege on renders this way. Subject prefix, red banner, per-speaker pills.
The cascade · v3.0.562
One priority ladder. Every surface.
Every speaker on every story is rendered through a single priority cascade. The most-restrictive marking always wins — on the Playback row, in the AI Summary, in the Transcript, in every PDF, in every email body, in the Stories list.
- Attorney-Client Privileged — red shield. Set via the story-level toggle or per-speaker shield menu. Beats everything below.
- Internal Use Only — purple. Set via the story-level toggle. Beats per-speaker consent. Demoted when the story toggle is OFF. By default, Internal-Use-Only speakers are included in what you send or export — turn the toggle off before sharing externally.
- Consented (You) — green, owner short-circuit. The operator is treated as Granted on every surface unless Attorney-Client Privilege or Internal Use Only beats it.
- Per-speaker consent — Granted (green), Requested (amber), Denied / Revoked (red), Unknown (gray).
Story master toggles vs per-speaker overrides.
Master Privilege ON (Attorney-Client or Doctor-Patient — you pick the type) marks every speaker on the story as Privileged. Master Privilege OFF clears the per-story privileged-speakers list entirely — symmetric bulk apply / bulk clear. Per-speaker overrides (via the shield menu) let you mark a single privileged party — an attorney or a clinician — inside an otherwise un-privileged story without flipping the master.
Master Internal ON renders every speaker as Internal. Master Internal OFF demotes stale per-speaker "internal" markings back to Consent Unknown — the story-level toggle is the gateway, so a story without the Internal flag never surfaces the purple banner on any surface.
Underlying consent decisions are preserved through every toggle. Flip Attorney-Client Privilege off and the per-speaker consent state resurfaces. The audit log records every transition with timestamp, method, and chain-of-custody hash.
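The cascade and the master-toggle rules above, written out as a small resolver. This is an added example, not Bonfiyah's code: the `Story` fields, the function names, and the returned label strings are hypothetical, chosen only to mirror the rules as the page states them.

```python
from dataclasses import dataclass, field

# Hypothetical schema: the page describes the rules, not the record layout.
@dataclass
class Story:
    owner_id: str
    consent: dict  # speaker_id -> "granted" | "requested" | "denied" | "unknown" | "internal"
    privilege_type: str = "ATTORNEY-CLIENT"  # or "DOCTOR-PATIENT"
    master_privileged: bool = False
    master_internal: bool = False
    privileged_speakers: set = field(default_factory=set)

def set_master_privilege(story, on):
    """Bulk apply / bulk clear of the per-story privileged-speakers list."""
    story.master_privileged = on
    story.privileged_speakers = set(story.consent) if on else set()

def resolve_marking(story, speaker_id):
    """Return the single marking every surface should render for this speaker."""
    # 1. Privilege beats everything, whether set story-wide or per speaker.
    if story.master_privileged or speaker_id in story.privileged_speakers:
        return story.privilege_type
    # 2. Internal Use Only surfaces only when the story-level toggle is ON.
    if story.master_internal:
        return "Internal Use Only"
    # 3. Owner short-circuit: the operator renders as Granted.
    if speaker_id == story.owner_id:
        return "Granted"
    # 4. Per-speaker consent; a stale "internal" marking is demoted to Unknown.
    stored = story.consent.get(speaker_id, "unknown")
    labels = {"granted": "Granted", "requested": "Requested", "denied": "Denied"}
    return labels.get(stored, "Unknown")
```

Because the resolver only reads `consent` and never rewrites it, switching privilege off lets the stored consent decision resurface, which is the preservation property the section describes.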
The full reference, as a PDF.
Eight-page operator + counsel reference: priority ladder, worked examples, banner placement, cross-device sync, redaction rules, and the engineering invariants. Share with your firm's compliance team.
Bonfiyah-branded · marked Confidential · © 2026 Bonfiyah, Inc.
Every change recorded, every export defensible.
Every consent state change is logged with a timestamp, the speaker ID, the old → new state transition, the method (verbal capture, SMS reply, in-app tap), and a chain-of-custody hash. Where applicable, the recorded audio of the consent statement itself is preserved alongside the log.
Privilege toggles are first-class entries — a change from Granted → Privileged is logged with the same fidelity as a consent grant. The full audit log exports as PDF with the chain-of-custody hash inline, suitable for evidentiary use.
Read the full consent feature page for the workflow walkthrough.
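One way a log with the fields listed above can be made tamper-evident, as an added example that is not Bonfiyah's code. The page does not say how the chain-of-custody hash is computed; this sketch assumes a SHA-256 hash chain in which each entry's hash covers the previous entry's hash, and the field names, `GENESIS` value, and sample entries are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the chain

def entry_hash(prev_hash, fields):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the entry."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def append_transition(log, timestamp, speaker_id, old, new, method):
    """Append one state transition and link it to the entry before it."""
    fields = {"timestamp": timestamp, "speaker_id": speaker_id,
              "old": old, "new": new, "method": method}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({**fields, "hash": entry_hash(prev, fields)})
    return log[-1]["hash"]

def first_broken_entry(log):
    """Return the index of the first entry whose hash does not verify, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "hash"}
        if entry["hash"] != entry_hash(prev, fields):
            return i
        prev = entry["hash"]
    return None

def sample_log():
    """Constructed sample: a grant by SMS, a privilege marking, then a revocation."""
    log = []
    append_transition(log, "2026-05-09T14:00:00Z", "spk-2", "Unknown", "Granted", "SMS reply")
    append_transition(log, "2026-05-09T14:05:00Z", "spk-3", "Granted", "Privileged", "in-app tap")
    # Revocation is a transition back to Unknown, not a separate stored state.
    append_transition(log, "2026-05-09T15:10:00Z", "spk-2", "Granted", "Unknown", "in-app tap")
    return log
```

A chain like this detects edited, reordered, or removed entries in the middle of the log, but not removal of the most recent entries unless the latest hash is also recorded somewhere the log holder cannot change, such as in the exported PDF.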
What recipients see
The marking carries through.
Privilege isn't just an in-app marking. Every share format renders it the same way — so a recipient reading an email, opening a PDF, or scanning an SMS knows immediately what they're holding.
[ATTORNEY-CLIENT PRIVILEGE] Smith v. Jones
Red banner above the body, capitalized subject prefix, per-speaker red pills in the speakers section.
Smith v. Jones · Recorded 2026-05-09 · SHA-256 ······
Same red banner at the top of page one. Per-speaker coloring in the speakers list. Banner repeats on every page footer.
SMS / Markdown
━━━━━━━━━━━━━━━━━━━━ ATTORNEY-CLIENT PRIVILEGE ━━━━━━━━━━━━━━━━━━━━
Plain-text banner with rule lines. Recipients without HTML still see the marking unambiguously.
Every tier · Including Free
Free in every tier.
Consent management — including Attorney-Client Privilege — is included in Free, Pro, and Pro AI. It's the architecture, not a feature gate. Two-party consent law doesn't only apply to paying users; attorney-client privilege protections don't either. Putting privilege markings behind a paywall would be both ethically off and strategically self-sabotaging.
Read the pricing comparison — the "Consent & Privilege Management" row reads ✓ across all three columns.
Privacy commitments.
No transcripts, no consent logs, and no privilege markings are used to train any AI model. Audio leaves the device only for the upstream transcription pass — and only if iCloud sync or upstream processing is enabled. Privileged recordings can run with iCloud sync off if your firm's policy requires it.
Read the full privacy commitment for the binding promises and the technical architecture.
FAQ
How does Bonfiyah's consent model work?
Three speaker statuses, two Privilege flags (each Attorney-Client or Doctor-Patient), and an identity bit. The statuses: Granted (consent given verbally, by SMS reply, or by tap), Unknown (no consent record yet — the default), Internal Use Only (the user has marked the speaker's contributions as not-for-external-share). The privilege flags: per-speaker Privilege (for when only one party in a multi-party meeting is privileged — the attorney in a legal meeting or the clinician in a medical one) and per-story Privilege (for when the whole conversation is privileged work product). Each carries a type — Attorney-Client (legal) or Doctor-Patient (medical). The identity bit marks the app owner so You always renders as itself. When a user revokes consent, the speaker returns to Unknown — revocation is a state transition recorded in the audit log, not a separate stored state.
How does the priority ladder work?
Attorney-Client Privileged (red) beats Internal Use Only (purple), which beats per-speaker consent (green / red / gray). The most-restrictive marking always wins on every surface — playback, AI Summary, transcript, every PDF, every email. The operator (you) is treated as Consent Granted by default — recording is the affirmative act. Attorney-Client Privilege and story-master Internal still win over the owner short-circuit, so a privileged or internal story still shows the operator with the matching banner.
What happens when I toggle the story Master Attorney-Client Privilege or Master Internal OFF?
Toggling Master Attorney-Client Privilege OFF clears the per-story privileged-speakers list entirely. Toggling Master Internal OFF demotes any stale per-speaker "Internal Use Only" markings back to "Consent Unknown" for this story. The story-level toggles are the gateway — the underlying per-speaker consent decisions are preserved, but display markings reflect the story's classification, not stale state from prior taps.
Does the marking sync across iPhone, iPad, and Mac?
Yes. All four state pieces (story Master Attorney-Client Privilege, story per-speaker privileged IDs, story Master Internal, per-speaker consent) live on the backend Story record. Every device fetches from the same authoritative source. When you toggle Master Attorney-Client Privilege OFF on iPhone, the next time you open the same story on iPad or Mac, the local cache updates and displays drop the red shield automatically.
How does Attorney-Client Privilege render in exports?
Story-level privilege adds a red ATTORNEY-CLIENT PRIVILEGE — CONFIDENTIAL banner at the top of every email summary and every PDF export, prefixes outgoing email subjects with [ATTORNEY-CLIENT PRIVILEGE], shows a red pill on the Stories list cell, and prepends a plain-text banner on SMS or Markdown fallbacks. Per-speaker privilege paints that speaker's pill red across every surface regardless of consent state.
Is Attorney-Client Privilege a paid feature?
No. Consent management — including Attorney-Client Privilege — is in Free, Pro, and Pro AI. Privilege is legal architecture, not a feature gate. Two-party consent law and attorney-client privilege protections don't only apply to paying users.
Try it on your next recording.
Bonfiyah on iPhone, iPad, and Mac. Consent + Privilege are in every tier.