Bonfiyah

Binding · operationalised

Privacy Commitment.

Twelve specific things we will not do with your data, and why each is enforced by code or by contract — not by trust.

This page is distinct from the legal privacy policy, which is a regulatory document. This is the manifesto — the things we are willing to publicly commit to, in plain language, that competitors cannot copy without restructuring their actual product.

New in v3.1 · privacy by design

Sign in with Apple. The most private way in.

Bonfiyah uses Sign in with Apple — the most private way to sign into an app, and the way we recommend you sign in. No password to create or leak. No Google or Facebook login. No email harvesting: Apple can hand us a one-way relay address (Hide My Email), so we may never even see your real email. We recommend signing in on purpose — because for a tool that records real conversations, anonymous-and-untraceable is the wrong design. Three reasons, every one of which protects you:

🔐

Your data is yours — tied to you, not a device

Your recordings, transcripts, and voice memory belong to your identity and sync privately across your devices. Lose your phone, keep your library. And there's no orphaned anonymous data in our system we couldn't tie to you — or honor a deletion request for.

⚖️

Accountability for a recording tool

Recording a conversation carries real legal weight: a number of U.S. states, and many countries, require every party to consent, and the rest require at least one. A verified account holder is the accountable person who obtained that consent. It protects everyone in the room, and it keeps Bonfiyah from ever being an anonymous surveillance tool.

🛡️

A fair, abuse-resistant free tier

Real identity makes real per-person limits work — the free 120-minute-a-month cap, referral rewards, cost controls. No bot armies draining a service that paying and free users share. Identity is what keeps the free tier generous and honest.

And the guarantee runs the other way, too: because it's Sign in with Apple, Bonfiyah never sees a password, never builds a marketing profile from your login, and you can revoke our access at any time from Settings → your name → Sign-In & Security → Sign in with Apple (Password & Security on older iOS versions), right on your iPhone. We take the minimum to run your account; Apple keeps the rest.

Apple's standard for personal-data security is the one we hold ourselves to.

Apple has made personal-data security a defining commitment: privacy by design, data minimization, on-device processing, and an App Store that polices what an app is even allowed to collect. Building Bonfiyah exclusively on Apple platforms isn't a limitation; it's a deliberate choice to inherit that standard: a passwordless sign-in, an opaque identifier instead of your real identity, a Face ID / Touch ID lock backed by the Secure Enclave, on-device translation, voiceprints confined to your own account library (Commitments 02 and 10), and your synced data living in your own iCloud, encrypted by Apple and out of our reach.

Apple secures the platform; we hold everything we touch to the same bar — we don't train AI on your conversations, your audio is gone from our servers within 7 days, transcripts are deleted from our provider immediately, there are no ad trackers and no data brokers, and export-everything / delete-everything are one tap away. We don't claim Apple's endorsement — no app gets that — but we deliberately chose to be measured against the standard Apple set. We are.

Commitment 01

We do not train any model on your transcripts or audio.

Not for retrieval, not for ranking, not for "general improvement." Your conversations are not training data — not for AI Summaries, not for Promise Tracker, not for the voice-recognition model that recognizes returning speakers.

Operationalised by: we opt out of AssemblyAI's model-training program and issue a delete for each transcript from AssemblyAI as soon as processing finishes; AssemblyAI's own 1-hour TTL is the retention floor below which that delete cannot reach. Original audio auto-deletes from our own servers within 7 days, and only minimal billing metadata persists. Our analysis provider, Anthropic Claude, runs under a commercial no-training agreement (inputs and outputs are never used for training and are deleted within 30 days). We do not enable a model-training program on any vendor account, and we have no plan to.

Commitment 02

We do not run cross-account voice search, ever.

There is no global voice database. There is no "find this voice across all Bonfiyah users" pathway. Your speaker library lives in your account and stops there.

Operationalised by: every voice fingerprint is stored under your account identifier, and the matching query is scoped to your account's library at the data layer, not filtered after the fact. There is no shared index, by architecture.
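What "scoped by architecture" looks like in code, as an added example (this is not Bonfiyah's code): the store is keyed by account, the only lookup method takes an account id, and there is no method that iterates across accounts, so a global voice search cannot be written against this interface without changing it. The cosine-similarity matcher, the 0.85 threshold and the three-dimensional fingerprints are constructed stand-ins for whatever speaker-embedding model is actually used.

```python
"""Account-scoped speaker matching (added example, not Bonfiyah's code).

Assumptions (not from the page): fingerprints are fixed-length float
embeddings compared by cosine similarity; the store is a dict keyed by
account id so a lookup spanning accounts is not expressible.
"""
from __future__ import annotations

import math
from dataclasses import dataclass, field

MATCH_THRESHOLD = 0.85  # assumed; real thresholds are model-specific


def cosine(a: list[float], b: list[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b)


@dataclass
class SpeakerLibrary:
    """One account's speakers. Holds no reference to any other account."""
    account_id: str
    fingerprints: dict[str, list[float]] = field(default_factory=dict)

    def enroll(self, speaker_id: str, fp: list[float]) -> None:
        self.fingerprints[speaker_id] = fp

    def best_match(self, utterance_fp: list[float]) -> tuple[str, float] | None:
        best: tuple[str, float] | None = None
        for speaker_id, fp in self.fingerprints.items():
            score = cosine(utterance_fp, fp)
            if best is None or score > best[1]:
                best = (speaker_id, score)
        if best is None or best[1] < MATCH_THRESHOLD:
            return None
        return best


class VoiceStore:
    """Per-account libraries. Every read takes an account_id and there is
    no method that walks all libraries, so a cross-account query is not
    expressible through this interface."""

    def __init__(self) -> None:
        self._libraries: dict[str, SpeakerLibrary] = {}

    def library(self, account_id: str) -> SpeakerLibrary:
        return self._libraries.setdefault(account_id, SpeakerLibrary(account_id))

    def match(self, account_id: str, utterance_fp: list[float]) -> tuple[str, float] | None:
        # The only query path: scoped to one account's library by construction.
        return self.library(account_id).best_match(utterance_fp)


def demo() -> dict[str, object]:
    """Two accounts enroll speakers; a voice known to one account is not
    findable from the other, even though the fingerprint exists in the store."""
    store = VoiceStore()
    # Constructed fingerprints, not real embeddings.
    store.library("acct-alice").enroll("sam", [0.9, 0.1, 0.0])
    store.library("acct-bob").enroll("dana", [0.0, 0.2, 0.9])
    utterance = [0.88, 0.15, 0.02]  # sounds like alice's "sam"
    return {
        "alice": store.match("acct-alice", utterance),   # ("sam", ~0.998)
        "bob": store.match("acct-bob", utterance),       # None: sam is not in bob's library
        "unknown": store.match("acct-nobody", utterance),  # None: empty library
    }


if __name__ == "__main__":
    print(demo())
```

The point to check in a real system is the same one the toy makes: the tenant filter has to be part of how the index is addressed (a per-account partition or a mandatory key prefix), not a `WHERE account_id = ?` that a later query could forget.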

Commitment 03

Your audio is short-lived on our servers.

Recording capture happens on your device. Audio is uploaded to our backend for transcription, and the original audio bytes then auto-delete from our servers within seven days of that transcription. Local copies stay on your own devices, under your Apple ID, until you remove them.

We keep your transcript and notes — that's the value you came back for — but we don't hold onto the raw audio. And you stay in control: you can export or permanently delete any recording, transcript, or voice signature at any time, and a full account deletion wipes your data from our servers and storage.

Operationalised by: (1) a daily cleanup job removes every audio chunk from our servers within seven days of transcription; the seven-day ceiling is fixed in code and the window can only be shortened, never extended. (2) A right-to-delete endpoint removes your audio from both our database records and our object storage, on request and on full account deletion. The transcript and your notes are what we retain to power the cross-recording features; the raw audio is not kept past the 7-day window.

Commitment 04

Compatibility Analysis won't run without confirmed consent.

Compatibility Analysis isn't a casual feature — it's an AI read of two people's communication patterns, and that's the kind of analysis that needs both parties to have agreed to the recording. The app refuses to compute it unless both speakers carry a granted-or-internal consent state on the source story. There's no override slider.

Operationalised by: the consent gate runs in the analysis pipeline. A story with any non-granted speaker is excluded from the input set.

Commitment 05

Per-speaker consent is in every tier, including Free.

Recording laws vary by state and country, and recording someone without their consent is a category of harm we don't want any of our users, paid or free, to drift into. So we don't charge for the safety rails. Every Free user gets the same consent module: per-speaker consent state, automatic redaction of non-consenting speakers from exports, verbal-prompt detection that records a consent grant when you announce the recording, and a consent audit log you can review or share.

Operationalised by: the consent module ships in every tier from first install. We don't gate it behind a paywall. Note that knowing which legal rules apply where you are is on you — Bonfiyah doesn't offer legal advice or jurisdiction-by-jurisdiction guidance.

Commitment 06

Revoke consent, and the redaction is real.

When you revoke a speaker's consent on a story, their utterances are redacted from every transcript, email, and PDF exported from that story going forward. Any AI analysis that the story was fed into is flagged for re-run. The audio itself follows the standard 7-day auto-purge. Delete the entire story and the cascade is immediate.

Operationalised by: redaction is enforced server-side in the export pipeline — not just hidden in the UI. The consent state machine writes an audit row on every change so you can see who was revoked, when, and by which method.
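Commitments 04, 05 and 06 describe one mechanism from three sides: a per-speaker consent state, an audit row on every transition, redaction applied in the export path rather than the UI, and an analysis gate that drops any story with a non-consenting speaker. The following is an added example of how those pieces fit together; it is not Bonfiyah's code. The state names (PENDING, GRANTED, INTERNAL for the account holder, REVOKED), the allowed transitions, and the story/utterance shape are assumptions, and the sample transcript is constructed.

```python
"""Per-speaker consent state machine with audit trail, server-side export
redaction and a compatibility-analysis gate (added example, not Bonfiyah's code).

Assumed (not from the page): the four consent states below, the transition
table, and that a story is a list of (speaker_id, text) utterances.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Consent(Enum):
    PENDING = "pending"
    GRANTED = "granted"
    INTERNAL = "internal"   # the account holder who is doing the recording
    REVOKED = "revoked"


CONSENTING = {Consent.GRANTED, Consent.INTERNAL}

# Allowed transitions. Anything else raises instead of being silently applied.
TRANSITIONS: dict[Consent, set[Consent]] = {
    Consent.PENDING: {Consent.GRANTED, Consent.REVOKED},
    Consent.GRANTED: {Consent.REVOKED},
    Consent.INTERNAL: set(),              # the account holder cannot be un-consented
    Consent.REVOKED: {Consent.GRANTED},   # re-grant is allowed, and audited
}


@dataclass
class AuditRow:
    story_id: str
    speaker_id: str
    old: Consent
    new: Consent
    method: str   # e.g. "verbal-prompt", "manual"
    at: str       # ISO-8601 UTC timestamp


@dataclass
class Story:
    story_id: str
    utterances: list[tuple[str, str]]          # (speaker_id, text)
    consent: dict[str, Consent]
    audit: list[AuditRow] = field(default_factory=list)
    analyses_stale: bool = False               # set when a revoke invalidates AI output

    def set_consent(self, speaker_id: str, new: Consent, method: str) -> None:
        old = self.consent.get(speaker_id, Consent.PENDING)
        if new not in TRANSITIONS[old]:
            raise ValueError(f"illegal transition {old.value} -> {new.value} for {speaker_id}")
        self.consent[speaker_id] = new
        # Commitment 06: every change writes an audit row (who, when, by which method).
        self.audit.append(AuditRow(self.story_id, speaker_id, old, new, method,
                                   datetime.now(timezone.utc).isoformat()))
        if new is Consent.REVOKED:
            self.analyses_stale = True     # downstream analyses must be re-run

    def speakers(self) -> set[str]:
        return {s for s, _ in self.utterances} | set(self.consent)

    def non_consenting(self) -> set[str]:
        return {s for s in self.speakers()
                if self.consent.get(s, Consent.PENDING) not in CONSENTING}


def export_transcript(story: Story) -> list[str]:
    """The export path. Redaction is applied here, server-side, so a client
    that ignores the UI state still cannot obtain the redacted text."""
    blocked = story.non_consenting()
    return [f"{spk}: [redacted]" if spk in blocked else f"{spk}: {text}"
            for spk, text in story.utterances]


def compatibility_input_set(stories: list[Story]) -> list[Story]:
    """Commitment 04: a story with any non-consenting speaker is excluded outright."""
    return [s for s in stories if not s.non_consenting()]


def demo() -> dict[str, object]:
    # Constructed sample story: the account holder ("me") records a chat with "sam".
    story = Story("story-1",
                  [("me", "Let's record this."),
                   ("sam", "Sure, go ahead."),
                   ("sam", "Deliver by Friday.")],
                  {"me": Consent.INTERNAL})        # sam starts out PENDING
    story.set_consent("sam", Consent.GRANTED, "verbal-prompt")
    granted_export = export_transcript(story)
    eligible_before = len(compatibility_input_set([story]))
    story.set_consent("sam", Consent.REVOKED, "manual")
    revoked_export = export_transcript(story)
    eligible_after = len(compatibility_input_set([story]))
    return {"story": story, "granted_export": granted_export, "revoked_export": revoked_export,
            "eligible_before": eligible_before, "eligible_after": eligible_after}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two details matter more than the happy path: the export function recomputes the blocked set from the stored consent state on every call, so a stale cached transcript cannot leak a revoked speaker's words, and the transition table makes an un-consent of the account holder a hard error rather than a state the UI merely hides.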

Commitment 07

No telemetry on your transcripts.

Bonfiyah's analytics know that you opened the app, that an AI feature was used, and that an export ran. They do not know what was in the transcript, who the speakers were, or what the summary said. The content of your conversations is structurally outside the analytics pipeline.

Operationalised by: the analytics SDK is never handed transcript content; analytics events are emitted from code paths that have no read access to the recordings table. The privacy nutrition labels in App Store Connect document this explicitly.

Commitment 08

No advertising. No ads on you. No ads from anyone.

Bonfiyah is funded by subscriptions, not by advertising. Your data does not feed an ad model — there is no ad model — and we will not introduce one. If we ever change this, it would be a major-version migration with affirmative re-consent.

Operationalised by: the pricing covers the engineering and inference costs at sustainable scale. We don't need ads, and we don't want them.

Commitment 09

Subpoena response policy is published.

If we receive a valid legal request for your data, we will tell you (where legally permitted), give you the chance to respond to the request yourself before we produce anything, and then produce only the minimum amount of data legally required. We will not over-comply.

Operationalised by: our published privacy policy includes the response procedure. Where your data lives on your device or in your iCloud, we can't access it; for what we do hold — transcripts and the analysis derived from them — we produce only the minimum a valid order legally requires.

Commitment 10

Voice signatures are biometric data; we treat them that way.

Under GDPR, BIPA, and similar regimes, voice fingerprints are biometric identifiers. Ours are stored under your account, isolated from every other user's library, and transmitted (over HTTPS only) solely when a new utterance is matched against your existing speakers. Fingerprints are compact embeddings, not audio: they cannot be played back as a recording and are not designed to be reversed into speech. Unused fingerprints (no recording activity for 90 days) auto-purge. Delete a speaker and the fingerprint is removed immediately; a daily integrity pass catches anything the immediate delete missed.

Operationalised by: the cross-recording identity layer in /features/voice-id, with biometric consent surfaced as part of the standard recording-consent flow.

Commitment 11

Notifications are local. We do not use APNs.

Proactive Notifications are computed on Bonfiyah's backend from your own cohort's data and delivered as a list to your iPhone, where iOS schedules each as a local notification on your device. We never use Apple Push Notification Service for proactive pings — which means your notification content is never visible to APNs servers, never logged in our infrastructure, and never visible to a third-party push provider. The pings live entirely between your iPhone and the lock screen.

Operationalised by: the candidate-feed endpoint returns a list, not a payload. The iOS app schedules each candidate via UNUserNotificationCenter.add(_:); the body of the notification — the quote, speaker name, deadline — is constructed and stored on-device. Most apps with "smart notifications" pump body content through APNs; ours doesn't. Read the architecture →

Commitment 12

If we ever change any of these, we tell you affirmatively.

Privacy policies usually change quietly with a footer date and a "we updated our policy" email. We will not do it that way. A material change to any commitment on this page is a major-version event, with an in-app re-consent dialog and a public changelog entry, and the old policy preserved.

Operationalised by: a versioned commitments file in the codebase that the app reads at launch; a mismatch surfaces a re-consent flow and refuses to run features behind the changed clauses until you've affirmatively accepted.
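An added example of the launch-time gate described above (not Bonfiyah's code): the app compares the commitments file it ships with against what the user last accepted and refuses to run features whose clauses changed. Hashing each clause separately, so that only the features behind a changed clause are blocked, is an assumption about how the page's "refuses to run features behind the changed clauses" is implemented; the JSON layout, the clause-to-feature mapping, and both versions of the commitments file below are constructed.

```python
"""Versioned commitments gate (added example, not Bonfiyah's code).

Assumed (not from the page): the commitments file is JSON with a version
and a map of clause id -> text; the app persists the per-clause hashes the
user last accepted; each feature declares the clauses it stands behind.
"""
from __future__ import annotations

import hashlib
import json

# Constructed stand-in for the shipped commitments file, version 1.
COMMITMENTS_V1 = json.dumps({
    "version": "1.0",
    "clauses": {
        "01": "We do not train any model on your transcripts or audio.",
        "02": "We do not run cross-account voice search, ever.",
        "03": "Your audio auto-deletes from our servers within 7 days.",
    },
})

# Constructed version 2: clause 03 reworded, clause 04 added.
COMMITMENTS_V2 = json.dumps({
    "version": "2.0",
    "clauses": {
        "01": "We do not train any model on your transcripts or audio.",
        "02": "We do not run cross-account voice search, ever.",
        "03": "Your audio auto-deletes from our servers within 3 days.",
        "04": "Notifications are scheduled locally on your device.",
    },
})

# Which clauses each feature stands behind (assumed mapping).
FEATURE_CLAUSES: dict[str, set[str]] = {
    "ai_summaries": {"01"},
    "voice_id": {"02"},
    "recording": {"03"},
}


def clause_digests(commitments_json: str) -> dict[str, str]:
    """SHA-256 of each clause's text, keyed by clause id."""
    doc = json.loads(commitments_json)
    return {cid: hashlib.sha256(text.encode("utf-8")).hexdigest()
            for cid, text in doc["clauses"].items()}


def accept(commitments_json: str) -> dict[str, str]:
    """What the app persists when the user affirmatively accepts a version."""
    return clause_digests(commitments_json)


def changed_clauses(accepted: dict[str, str], current: dict[str, str]) -> set[str]:
    """Clauses whose wording differs from what was accepted, plus clauses the
    user has never seen. A removed clause counts as changed too: quietly
    dropping a promise must re-prompt just like rewording one."""
    return {cid for cid in set(accepted) | set(current)
            if accepted.get(cid) != current.get(cid)}


def blocked_features(accepted: dict[str, str], commitments_json: str) -> dict[str, set[str]]:
    """Features that must not run until re-consent, each with the clauses that
    changed underneath it. An empty result means launch proceeds normally."""
    changed = changed_clauses(accepted, clause_digests(commitments_json))
    return {feature: deps & changed
            for feature, deps in FEATURE_CLAUSES.items() if deps & changed}


def needs_reconsent(accepted: dict[str, str], commitments_json: str) -> bool:
    """True whenever any clause changed, even one no feature depends on."""
    return bool(changed_clauses(accepted, clause_digests(commitments_json)))


if __name__ == "__main__":
    accepted = accept(COMMITMENTS_V1)
    print("same version:", blocked_features(accepted, COMMITMENTS_V1))
    print("after v2 ships:", blocked_features(accepted, COMMITMENTS_V2))
```

Against the constructed files, a user who accepted version 1 and launches version 2 is blocked only from `recording` (clause 03 changed) while `ai_summaries` and `voice_id` keep working, and the new clause 04 still forces the re-consent dialog even though no feature is gated on it. Whether to gate per clause or freeze the whole app on any change is a product decision; the gate itself should hash the clause text the user actually read, not just the version string, or a reworded clause under an unchanged version number slips through.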

Compliance posture

Our HIPAA posture.

Bonfiyah is not a HIPAA-compliant service. We are not a HIPAA Business Associate. We do not currently offer Business Associate Agreements (BAAs).

We build to HIPAA's design principles wherever they intersect what we ship: minimum-necessary data collection, encryption in transit, audit logging on every consent state change, per-speaker redaction on export, user-controlled deletion, no AI training on your content, no advertising trackers. That's the spirit. It is not the certification.

If you are a covered entity (a healthcare provider, a health plan, a clearinghouse) or a business associate already operating under a BAA, please don't use Bonfiyah to capture, transmit, or store Protected Health Information (PHI) without first conducting your own compliance review. Talk to your compliance officer. Applying HIPAA-aligned practices on our side does not mean you are permitted to use us for PHI under your own covered-entity obligations.

Bonfiyah is not HIPAA-compliant and does not offer Business Associate Agreements. We'd rather tell you that plainly than imply otherwise.

Why this page exists.

Most apps have a privacy policy. The privacy policy is a legal document, written by lawyers, designed to satisfy regulators. It is not the document that tells you what the company actually believes about your data.

This page is the document that tells you what we believe. It is shorter than the policy and more specific. Each commitment has a how-it's-enforced line, because "we promise" is cheap and "the architecture makes it impossible to do otherwise" is not.

If you found this page persuasive, the operative test is whether competitors can copy it. They cannot — at least not without changing how they actually run. That is the point. The post-AI privacy moat is not a clever clause; it is which products had the discipline to refuse the easy growth lever in the first place.


Get notified if any of these change

A material change to any commitment on this page is a major-version event. We email everyone before it happens. Subscribe and we'll tell you.

No spam. We use ConvertKit. See our privacy policy.