Commitment 01
We do not train any model on your transcripts or audio.
Not for retrieval, not for ranking, not for "general improvement." Your conversations are not training data — not for AI Summaries, not for Promise Tracker, not for the voice-recognition model that recognizes returning speakers.
Operationalised by: we opt out of AssemblyAI's model-training program and delete each transcript from AssemblyAI immediately after processing (transcripts carry a 1-hour TTL, uploaded audio is deleted within 48 hours, and only minimal billing metadata persists); our analysis provider, Anthropic Claude, runs under a commercial no-training agreement (inputs and outputs are never used for training and are deleted within 30 days). We do not enable any model-training program on any vendor account, ever, and we have no plan to.
Commitment 02
We do not run cross-account voice search, ever.
There is no global voice database. There is no "find this voice across all Bonfiyah users" pathway. Your speaker library lives in your account and stops there.
Operationalised by: every voice fingerprint is stored under your account identifier; the matching query physically scopes to your account's library only. There is no shared index, by architecture.
Commitment 03
You own your audio. We don't.
Recording capture happens on your iPhone. Audio uploads to our backend just long enough to be transcribed, then the audio bytes auto-delete from our servers within seven days. After that, the only place your recordings live is your iCloud Drive — synced across your devices on your Apple ID, under your custody, encrypted with your iCloud keys.
We can't hand your audio to anyone — law enforcement, lawyers, hackers — because we don't have it. The architecture removes us from the chain of custody on purpose. If a subpoena arrives at Bonfiyah for your audio, the honest answer is "we don't keep it." Your recordings are between you and Apple, the same way your iMessages are.
Operationalised by: (1) a daily cleanup job removes every audio chunk from our servers within seven days of transcription — non-negotiable, configurable down only. (2) Audio files write directly to your iCloud Drive's Bonfiyah container via `setUbiquitous(true,…)` so they sync across your devices on your Apple ID, count against your iCloud+ quota (not ours), and disappear if you uninstall the app or delete the folder in Files.app. The transcript and your notes are kept by us — they're the value you came back for; the raw audio is yours alone.
Commitment 04
Compatibility Analysis won't run without confirmed consent.
Compatibility Analysis isn't a casual feature — it's an AI read of two people's communication patterns, and that's the kind of analysis that needs both parties to have agreed to the recording. The app refuses to compute it unless both speakers carry a granted-or-internal consent state on the source story. There's no override slider.
Operationalised by: the consent gate runs in the analysis pipeline. A story with any non-granted speaker is excluded from the input set.
Commitment 05
Per-speaker consent is in every tier, including Free.
Recording laws vary by state and country, and recording someone without their consent is a category of harm we don't want any of our users — paid or free — to drift into. So we don't charge for the safety rails. Every Free user gets the same consent module: per-speaker consent state, automatic redaction of non-consenting speakers from exports, verbal-prompt detection that grants consent when you announce the recording, and a consent audit log you can review or share.
Operationalised by: the consent module ships in every tier from first install. We don't gate it behind a paywall. Note that knowing which legal rules apply where you are is on you — Bonfiyah doesn't offer legal advice or jurisdiction-by-jurisdiction guidance.
Commitment 06
Revoke consent, and the redaction is real.
When you revoke a speaker's consent on a story, their utterances are redacted from every transcript, email, and PDF that exports from that story going forward. AI analyses the story fed into are flagged for re-run. The audio itself follows the standard 7-day auto-purge. Delete the entire story and the cascade is immediate.
Operationalised by: redaction is enforced server-side in the export pipeline — not just hidden in the UI. The consent state machine writes an audit row on every change so you can see who was revoked, when, and by which method.
Commitment 07
No telemetry on your transcripts.
Bonfiyah's analytics know that you opened the app, that an AI feature was used, and that an export ran. They do not know what was in the transcript, who the speakers were, or what the summary said. The content of your conversations is structurally outside the analytics pipeline.
Operationalised by: the analytics SDK has no read access to the recordings table; the privacy nutrition labels in App Store Connect document this explicitly.
Commitment 08
No advertising. No ads on you. No ads from anyone.
Bonfiyah is funded by subscriptions, not by advertising. Your data does not feed an ad model — there is no ad model — and we will not introduce one. If we ever change this, it would be a major-version migration with affirmative re-consent.
Operationalised by: the pricing covers the engineering and inference costs at sustainable scale. We don't need ads, and we don't want them.
Commitment 09
Subpoena response policy is published.
If we receive a valid legal request for your data, we will tell you (where legally permitted), give you the right of first refusal to comply yourself, and only produce the minimum amount of data legally required. We will not over-comply.
Operationalised by: our published privacy policy includes the response procedure. Most of your data is on your device or your iCloud, where we don't have access to it; the architectural choice is the most material protection.
Commitment 10
Voice signatures are biometric data; we treat them that way.
Under GDPR, BIPA, and similar regimes, voice fingerprints are biometric identifiers. Ours are stored under your account, isolated from every other user's library, and sent over HTTPS only when matching a new utterance against your existing speakers. Fingerprints can't be reversed back into audio. Unused fingerprints (no recording activity for 90 days) auto-purge. Delete a speaker, the fingerprint goes — both immediately, and on a daily integrity pass.
Operationalised by: the cross-recording identity layer in /features/voice-id, with biometric consent surfaced as part of the standard recording-consent flow.
Commitment 11
Notifications are local. We do not use APNs.
Proactive Notifications are computed on Bonfiyah's backend from your own cohort's data and delivered as a list to your iPhone, where iOS schedules each as a local notification on your device. We never use Apple Push Notification Service for proactive pings — which means your notification content is never visible to APNs servers, never logged in our infrastructure, and never visible to a third-party push provider. The pings live entirely between your iPhone and the lock screen.
Operationalised by: the candidate-feed endpoint returns a list, not a payload. The iOS app schedules each candidate via UNUserNotificationCenter.add(_:); the body of the notification — the quote, speaker name, deadline — is constructed and stored on-device. Most apps with "smart notifications" pump body content through APNs; ours doesn't. Read the architecture →
Commitment 12
If we ever change any of these, we tell you affirmatively.
Privacy policies usually change quietly with a footer date and a "we updated our policy" email. We will not do it that way. A material change to any commitment on this page is a major-version event, with an in-app re-consent dialog and a public changelog entry, and the old policy preserved.
Operationalised by: a versioned commitments file in the codebase that the app reads at launch; a mismatch surfaces a re-consent flow and refuses to run features behind the changed clauses until you've affirmatively accepted.
