Privacy Policy — Candor AI Note, by Belvantis

The short version

Your notes are encrypted on your device. We never receive them in plaintext.
We don't run analytics, ad SDKs, crash reporters that read content, or trackers.
Cloud sync is optional. When enabled, the cloud sees ciphertext only.
On-device AI runs on your phone. Cloud AI (Candor AI) processes only the scoped notes you select, in plaintext, ephemerally — never trained on, never stored.
Subscriptions are handled by Apple StoreKit or Google Play Billing. We never see your payment info.

1. Scope

This Privacy Policy applies to the Candor AI Note application published by Belvantis on the Apple App Store (bundle com.belvantis.candor.ainote) and on Google Play (package com.belvantis.candor.ainote). It does not apply to other Belvantis products (OmniThink, Candor: Private AI Journal), each of which has its own policy.

2. What lives on your device

Candor AI Note is a local-first application. The following live on the device that wrote them:

Your notes, scopes, and tags.
Any voice transcription buffers (held in memory; not persisted unless you save them as an entry).
Your master password — never transmitted, never persisted anywhere readable.
The encryption key (derived from your master password via Argon2id), held in a hardware-backed store and wiped on lock.

2.1 At rest — encryption

Every note is sealed with XChaCha20-Poly1305 using a 256-bit data encryption key (DEK) before it is written to disk. The DEK is wrapped by a key derived from your master password using Argon2id with parameters tuned to ~500 ms on a recent phone.

iOS: the wrapped DEK is held in the iOS Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly; the unwrap operation requires a biometric (Face ID / Touch ID) backed by the Secure Enclave.
Android: the wrapped DEK is held in the Android Keystore with hardware-backed key attestation (StrongBox where available); the unwrap operation requires a biometric.

2.2 In memory — search and lenses

Full-text search and lens execution decrypt entries into memory only for the lifetime of the user's foreground session, then the buffer is zeroed. Background processes do not have access to plaintext.

3. What we receive on our servers

By default: nothing.

The only paths that send data off your device are the ones you turn on:

Cloud sync — sends only ciphertext to your own iCloud (private CloudKit database) or your own Google Drive (app-folder scope). Apple / Google see encrypted blobs; we see nothing.
Candor AI (cloud lens) — sends only the notes inside the scope you selected for a single request, processes the request, returns the result, and discards the prompt. Bullet points below.
Crash reports — opt-in only. Stack traces and device model only. Never note content.

3.1 Candor AI (cloud lens) — what it processes

When you tap a lens with the Bundle subscription and select Candor AI as the engine:

The plaintext of only the notes in the scope you chose is sent over TLS 1.3 to a Belvantis inference endpoint.
The endpoint generates a response, returns it to your device, and discards the prompt and response from working memory.
We do not log prompts. We do not store responses. We do not train models on your content. We do not allow operators to read prompts in clear text.
An anonymous request ID (no user identifier) is kept for 24 hours to debug rate-limiting and abuse, then deleted.

3.2 On-device AI (Apple Intelligence / Gemini Nano)

The on-device engine processes the same scoped notes without a network call. On iOS this is Apple Intelligence (governed by Apple). On Android this is Gemini Nano / AICore (governed by Google). In both cases the model is system-managed and runs in a sandbox we cannot see into.

4. Categories and recipients

Data	Recipient	Lawful basis
Encrypted note blobs (sync, optional)	Apple iCloud / Google Drive — your account	Contract (your sync setting)
Plaintext scoped notes (cloud lens, optional)	Belvantis inference endpoint	Contract (your lens request)
Subscription status	Apple StoreKit / Google Play Billing	Contract
Crash reports (opt-in)	Belvantis	Consent

5. Identifiers

Candor AI Note does not assign you a user ID. We do not use IDFA, advertising IDs, fingerprinting libraries, or third-party SDKs that do. Subscription entitlement is derived from your App Store transaction or Play Billing token, which we verify with Apple or Google and discard.

6. Subscriptions and billing

Backup & Export ($2.99 / month) and Bundle ($5.99 / month) are auto-renewing subscriptions billed by Apple or Google, depending on the store you installed from. Cancel any time in Settings → Apple ID → Subscriptions (iOS) or Play Store → Subscriptions (Android). Belvantis never sees your card, billing address, or Apple ID / Google account email.

7. Your rights

Because we don't have your notes, most data-subject requests resolve trivially: there is nothing on our side to return, correct, or delete. You can:

Access: export your full vault as .ilbk, ZIP, or Obsidian markdown from inside the app.
Delete: uninstall the app or use Settings → Privacy → Erase Vault. Server-side, there is nothing tied to you to delete.
Withdraw consent for cloud features: turn off sync and switch the engine to on-device only.

8. Children

Candor AI Note is rated 17+ on the App Store and Mature on Google Play. It is not directed to children under 13 and we do not knowingly collect any information from children under 13.

9. Security

We use authenticated encryption (XChaCha20-Poly1305), a memory-hard KDF (Argon2id), TLS 1.3 for all transit, and hardware-backed key storage (Secure Enclave / Android Keystore StrongBox). No system is perfectly secure; if your master password is weak, your vault is only as strong as that password. There is no recovery path other than your master password + recovery key — by design.

10. Changes

Material changes will be announced inside the app at least 14 days before they take effect, and the effective date at the top of this policy will be updated.

11. Contact

Privacy questions: privacy@belvantis.com
Anything else: info@belvantis.com

Belvantis — a socially-driven technology company. The architecture is the privacy policy.

Privacy Policy.