Privacy Policy — Candor for Android
This Privacy Policy explains how the Candor mobile application ("Candor", the "App", "we", "us", or "our"), published by Belvantis ("Belvantis"), handles information when you install and use it on your device.
We built Candor as a private journal. By default, and by design, your journal content never leaves your device. This policy describes what that means in practice, which optional features may involve third parties, and what rights you have.
1. Summary (TL;DR)
- Candor is a personal journaling app that runs on your Android device.
- We do not operate a server that stores your journal entries, AI reflections, voice recordings, or any content you create in the App.
- We do not collect analytics, telemetry, advertising identifiers, location data, or behavioral tracking from the App.
- All journal entries, reflections, attachments, and chat sessions are stored locally on your device, encrypted with AES-256-GCM and protected by Android Keystore.
- Optional features that involve third parties are clearly labeled in the App and only run when you turn them on: Google Drive backup (encrypted blobs only, in an app-private folder), on-device AI model download (from Hugging Face), and Android system speech recognition (if you use voice dictation).
- The App is provided as-is by an independent developer. There is no user account, no login to a Belvantis server, and no Belvantis-operated cloud.
- The App is not a medical device, mental-health service, or crisis line. AI output may be wrong or harmful — see the Terms of Service for the full disclaimer.
2. Who we are
The App is published by Belvantis, a sole-developer software project. References in this Policy to "we," "us," or "our" mean Belvantis.
You can contact us at: support@belvantis.com.
3. Scope of this Policy
This Policy covers:
- The Candor Android application distributed under the package name com.belvantis.candor.
- The website at candor.belvantis.com, to the extent it links to this Policy.
This Policy does not cover:
- Third-party services you choose to connect to the App (such as Google Drive or Hugging Face). Those services have their own privacy policies, which apply when you use them.
- Other apps on your device or other websites that may link to or from us.
4. Information we do not collect
To make this clear up front, by default Candor does not collect, transmit, or store on any server operated by us:
- Journal entries, drafts, titles, mood data, attachments, photos, audio recordings, or AI-generated reflections you create.
- Account identifiers (we do not require an account).
- Email addresses, names, phone numbers, or any contact information.
- Device identifiers (advertising ID, IMEI, MAC address, Android ID).
- Precise or coarse location data.
- IP-based geolocation, behavioral analytics, crash reports linked to identifiable users, advertising signals, or marketing attribution.
The App contains no analytics SDK, no advertising SDK, no third-party tracker, and no in-app telemetry that reports to Belvantis.
5. Information stored on your device
Everything you create in the App is stored on your device only, inside the App's private storage area, and encrypted at rest:
| Data | Where it lives | How it is protected |
|---|---|---|
| Journal entries (text, titles, mood, favorites) | Local SQLite database | AES-256-GCM record-level encryption + SQLCipher full-database encryption |
| AI reflections (Lens, Buddy) | Local SQLite database | Same as above |
| Buddy chat sessions and messages | Local SQLite database | Same as above |
| Attachments (images, audio recordings) | App-private file directory | Encrypted blob files (.enc) keyed off the same vault key |
| App preferences and the wrapped vault key | EncryptedSharedPreferences | Encrypted with a key held in Android Keystore |
| Downloaded AI model file | App-private file directory | Integrity-checked with SHA-256 before use |
The vault key that unlocks your content is generated on your device on first launch. It is wrapped with AES-256-GCM under a key derived from your passphrase (PBKDF2-HMAC-SHA256, 120,000 iterations) and, optionally, also under a hardware-backed Android Keystore key tied to your device biometrics. The unwrapped key exists only in RAM while the App is unlocked and is zeroed when the App is locked or backgrounded.
We have no copy of your vault key, your passphrase, or your data. If you lose your passphrase and have not enabled biometric unlock, your data cannot be recovered.
6. Optional features that involve third parties
Some features are off by default and only transmit data when you actively enable them. Each such feature is described below.
6.1 Google Drive backup (optional)
If you enable Google Drive backup in Settings → Backup & Data → Google Drive, the App requests access to Google Drive using only the https://www.googleapis.com/auth/drive.appdata scope. This scope grants the App access only to a private "App Data" folder that the App itself creates inside your Google Drive. We do not request, and the scope does not grant, access to any other files in your Drive.
When you enable backup, the App:
- Authenticates you to Google using Google's own OAuth flow on your device.
- Uploads encrypted backup bundles (the .ilbk format) to the App Data folder. Backups are encrypted on your device with a passphrase you choose, before upload. Google receives only encrypted bytes plus a filename and timestamp.
- Lists, downloads, and deletes those bundles from the same folder when you ask the App to.
We do not transmit your vault key, your backup passphrase, your raw entries, or any unencrypted content to Google or to any other third party.
Your use of Google Drive is also subject to Google's terms and privacy policy: https://policies.google.com/privacy.
You can disconnect Google Drive at any time from Settings → Backup & Data, and you can revoke the App's access from your Google Account at https://myaccount.google.com/permissions.
Candor's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use Drive data only to provide the user-visible backup and restore of the App's own data. We do not use Drive data for advertising, do not allow humans to read it, and do not transfer it to any third party except as needed to operate the backup feature on your device or as required by law.
6.2 On-device AI model download (optional)
If you turn on on-device AI in Settings, the App downloads an open-weights language model file (default: Gemma 4 E4B in .litertlm format, approximately 3.65 GB) from a public Hugging Face URL. The download is a normal HTTPS request for a publicly hosted file. The App does not send Hugging Face any of your journal data; it simply fetches the model.
You can change the download URL, supply your own Hugging Face token (if you choose), or disable on-device AI entirely from Settings.
6.3 Android system speech recognition (optional)
If you use the live voice-dictation button, the App asks the Android system speech recognizer to transcribe your speech. The App passes the EXTRA_PREFER_OFFLINE flag to prefer on-device recognition where the device supports it, but the actual recognizer is provided by the operating system or by an OEM/Google component, not by us. Depending on your device and configuration, the audio may be processed locally or sent to the system speech provider.
If you prefer fully offline transcription, the App offers a separate Whisper / Omnilingual offline path that runs on your device after you download the model.
6.4 External AI ("private AI") providers — not currently active
The App includes plumbing for a future external AI mode that would send PII-scrubbed text (with names, contacts, locations, identifiers replaced by placeholders) to an external model provider over HTTPS. This path is not connected to a real provider in the current release and does not transmit data. If we enable it in the future, the App will require your explicit opt-in and will explain what is sent before any data leaves your device. This Policy will be updated accordingly.
7. Permissions the App requests
The App declares the following Android permissions:
| Permission | Why it is requested |
|---|---|
| INTERNET | Optional Google Drive backup, optional on-device model download, and any future opt-in network features |
| RECORD_AUDIO | Voice journaling; used only when you tap the microphone |
| POST_NOTIFICATIONS | Daily reminder notification, if you enable it |
| RECEIVE_BOOT_COMPLETED | Re-scheduling your reminder after a device reboot |
The App does not request location, contacts, calendar, SMS, call log, camera, or any health-data permissions. Attaching an image uses the Android system gallery picker rather than the camera.
8. Children
Candor is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you are a parent or guardian and believe a child has used the App in a way that requires action by us, contact us at the email above.
9. Data retention and deletion
Because we do not store your content on our servers, there is no server-side retention period.
On your device:
- Entries, reflections, and chat messages remain until you delete them.
- Soft-deleted entries can be restored from the in-app trash until you empty it.
- You can wipe all App data from Settings → Backup & Data → Erase all data, or by uninstalling the App, or via Android's app-info screen.
- Encrypted backups in your Google Drive App Data folder remain there until you delete them in the App or in Google's interfaces.
10. Security
We use the following technical safeguards:
- AES-256-GCM authenticated encryption for each entry, reflection, attachment, and chat message.
- SQLCipher full-database encryption as a second layer.
- A 256-bit per-device random vault key, wrapped by your passphrase (PBKDF2-HMAC-SHA256, 120,000 iterations) and optionally by a hardware-backed Android Keystore key bound to biometric authentication.
- FLAG_SECURE set on the activity to block screenshots and the app-switcher preview.
- Auto-lock when the App is backgrounded, and an idle timeout while it is open.
- Logging that strips sensitive fields in release builds.
No security measure is perfect. You are responsible for keeping your passphrase, your device passcode, and your backups secure.
11. International users and our role under data-protection law
The App can be installed and used worldwide. Because content stays on your device and on storage you control (such as your Google Drive App Data folder), there is no cross-border transfer of your journal data to or by us. If you use Google Drive, Google may transfer and store data in regions in accordance with its own policies.
Our role under the GDPR and similar laws. Because the App processes your journal content locally on your device and Belvantis does not receive that content, Belvantis is not a "controller" or "processor" of your journal content under the EU/UK General Data Protection Regulation, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act, or comparable laws. To the extent any jurisdiction nonetheless treats Belvantis as a controller of any limited information (for example, an email you send us at the support address), our legal bases for processing under Article 6 GDPR are: (a) the performance of a contract with you, namely the Terms of Service governing your use of the App (Article 6(1)(b)); (b) our legitimate interests in operating, securing, and improving the App and in defending legal claims (Article 6(1)(f)); and, where applicable, (c) your consent, which you may withdraw at any time (Article 6(1)(a)). We do not engage in profiling or solely automated decision-making about you under Article 22 GDPR.
No HIPAA / no health-data framework. Belvantis is not a HIPAA "covered entity" or "business associate," is not subject to the HITECH Act, and does not handle "protected health information" as that term is used in U.S. or EU health-data regulation. The App is not a regulated medical device under any framework. Do not use the App to store information you intend to be treated under any such framework.
12. Your privacy rights
Depending on where you live, you may have rights under laws such as the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), or similar laws.
Because we do not collect or hold your personal information on our servers, most of those rights — for example, the right to access, correct, delete, port, or restrict processing of personal data — are exercised by you directly on your device, using the App's built-in features:
- Access / portability: export your entries as plain text or as an Obsidian-compatible vault from Settings → Export.
- Correction: edit any entry directly.
- Deletion: delete entries, reflections, sessions, attachments, or all App data from within the App; uninstall the App; or remove encrypted backup bundles from Google Drive.
- Object / withdraw consent: turn off any optional feature in Settings.
- No sale or sharing: we do not sell or share personal information for advertising or any commercial purpose, as those terms are defined under applicable law.
If you believe we hold personal information about you and you would like to exercise a right, contact us at support@belvantis.com. If you are in the EU/UK and we cannot resolve your concern, you have the right to lodge a complaint with your local data protection authority.
13. Third-party services
The App may interact with the following third parties when you opt in to features that require them. Their handling of your data is governed by their own policies:
- Google LLC — Google Drive and Google Identity (when you enable Drive backup): https://policies.google.com/privacy
- Hugging Face, Inc. — model file hosting (when you download an on-device AI model): https://huggingface.co/privacy
- Your device operating system vendor — for system-level features such as biometric authentication, speech recognition, and notifications.
We do not control these services and are not responsible for their practices.
14. Changes to this Policy
We may update this Policy from time to time. When we do, we will revise the "Last updated" date at the top and, where appropriate, surface the change in the App. Material changes that affect optional features will be disclosed before those features start handling new data.
Continuing to use the App after changes take effect means you accept the updated Policy.
15. Contact
Questions, requests, or complaints: support@belvantis.com.
You can also reach us at:
Belvantis · Attn: Privacy · support@belvantis.com