Privacy Policy — Candor for iOS
This Privacy Policy explains how the Candor iOS application ("Candor", the "App", "we", "us", or "our"), published by Belvantis ("Belvantis"), handles information when you install and use it on your iPhone or iPad.
Candor for iOS is built so your journal content stays on devices you own. This policy describes what that means in practice, what limited optional features may involve Apple services, and what rights you have.
1. Summary (TL;DR)
- Candor is a personal journaling app that runs on your iPhone and iPad.
- We do not operate a server that stores your journal entries, AI reflections, voice recordings, or any content you create in the App.
- We do not collect analytics, telemetry, advertising identifiers, location data, or behavioral tracking from the App.
- All journal entries, reflections, attachments, and chat sessions are stored encrypted on your device with XChaCha20-Poly1305 (libsodium) using a key derived from your passphrase via Argon2id.
- Optional features that involve Apple services are clearly labeled in the App and only run when you turn them on or use them: iCloud / CloudKit private database sync (encrypted ciphertext only), Apple's Speech framework for voice dictation (or a fully on-device alternative), and App Store In-App Purchase for the optional Pro unlock.
- The App is provided as-is by an independent developer. There is no Belvantis user account, no login to a Belvantis server, and no Belvantis-operated cloud.
- The App is not a medical device, mental-health service, or crisis line. AI output may be wrong or harmful — see the Terms of Service for the full disclaimer.
2. Who we are
The App is published by Belvantis, a sole-developer software project. References in this Policy to "we," "us," or "our" mean Belvantis.
You can contact us at: support@belvantis.com.
3. Scope of this Policy
This Policy covers:
- The Candor iOS application distributed under the bundle identifier com.belvantis.candor, including its Widget Extension and Share Extension targets.
- The marketing pages at candor.belvantis.com to the extent they link to this Policy.
This Policy does not cover:
- Apple services you connect to the App (iCloud, CloudKit, Apple Speech, Siri, Shortcuts, the App Store). Apple's privacy practices govern those services.
- Other apps on your device or other websites that may link to or from us.
4. Information we do not collect
By default, Candor for iOS does not collect, transmit, or store on any server operated by us:
- Journal entries, drafts, titles, mood data, attachments, photos, audio recordings, transcripts, or AI-generated reflections you create.
- Account identifiers (we do not require an account).
- Email addresses, names, phone numbers, or any contact information.
- Device identifiers (IDFA, IDFV, MAC address).
- Precise or coarse location data.
- IP-based geolocation, behavioral analytics, crash reports linked to identifiable users, advertising signals, or marketing attribution.
The App contains no analytics SDK, no advertising SDK, no third-party tracker, and no in-app telemetry that reports to Belvantis. Apple's standard App Store Connect aggregates (download counts, anonymous crash reports through Xcode Organizer when you opt in via iOS Settings → Privacy & Security → Analytics & Improvements → Share With App Developers) are governed by Apple's privacy policy, not this one.
5. Information stored on your device
Everything you create in the App is stored on your device, inside the App's sandbox container, and encrypted at rest:
| Data | Where it lives | How it is protected |
|---|---|---|
| Journal entries (text, titles, mood, favorites, categories) | Local SwiftData / SQLite store inside the App sandbox | Per-record XChaCha20-Poly1305 (libsodium) authenticated encryption + iOS Data Protection (NSFileProtectionComplete) |
| AI reflections (Spark, Reflect, Buddy) | Same SwiftData store | Same as above |
| Buddy chat sessions and messages | Same SwiftData store | Same as above |
| Attachments (images, voice recordings) | Encrypted blob files in the App sandbox | Encrypted with the same vault key; .completeFileProtection on disk |
| Pending-draft outbox (autosave snapshots) and per-entry version history | Encrypted JSON files in the App sandbox | Same vault key; .completeFileProtection |
| Capture Inbox queue (Siri / Widget / Share captures while locked) | group.com.belvantis.candor App Group container, CaptureInbox/<UUID>.json | Plaintext while locked (the DEK is wiped); protected by .completeFileProtection so files are unreadable while the device itself is locked. Drained into encrypted entries on next foreground unlock. |
| Wrapped vault key + Pro entitlement state | iOS Keychain | Wrapped with a key derived from your passphrase via Argon2id (32 MiB / 3 iter); Keychain accessibility set to kSecAttrAccessibleWhenUnlockedThisDeviceOnly |
| Downloaded on-device AI model files | <AppSupport>/LLMModels/<modelDir>/ and <AppSupport>/TranscriptionModels/<modelDir>/ | Per-model integrity manifest (.candor.download.complete.v1) recording every file's path and size; partial / corrupted downloads are detected and re-fetched. |
The vault key (DEK) that unlocks your content is generated on first launch on your iPhone. It is wrapped using your passphrase (Argon2id, 32 MiB memory cost, 3 iterations) and stored in the iOS Keychain. Optionally, you can enable Face ID / Touch ID unlock; on those flows the unwrap is gated by the Secure Enclave's biometric attestation. The unwrapped key only exists in process memory while the App is unlocked, and is wiped on background or lock.
We have no copy of your vault key, your passphrase, or your data. If you lose your passphrase and have not enabled biometric unlock, your data cannot be recovered.
6. Optional features that involve Apple services
Some features only transmit data when you actively enable them or use them. Each is described below.
6.1 iCloud / CloudKit sync (Pro, optional)
If you turn on iCloud sync in Settings → Privacy & Storage → iCloud Sync and you have an active Pro entitlement, the App stores encrypted journal records in your private CloudKit database, in the container iCloud.com.belvantis.candor. CloudKit is provided by Apple Inc. and operates under Apple's privacy practices.
What goes to iCloud:
- Encrypted ciphertext blobs for entries, attachments, voice recordings, weekly reflections, and the wrapped key bundle. Apple receives only ciphertext plus structural metadata (record IDs, timestamps).
- The encrypted key bundle (EncryptedKeyBundle) so you can unlock your vault on a second device with the same passphrase.
What does not go to iCloud:
- Your passphrase. We never have it.
- Your unwrapped vault key (DEK). It exists only in RAM on your unlocked device.
- Plaintext entries, transcripts, mood labels, or AI reflections.
You can disable iCloud sync at any time. iCloud Drive, iCloud Backup, and CloudKit are governed by Apple's privacy policy at https://www.apple.com/legal/privacy/.
6.2 Apple Speech framework / SFSpeechRecognizer (optional)
If you tap the microphone to dictate an entry, the App by default uses Apple's on-device SFSpeechRecognizer with the requiresOnDeviceRecognition flag set where the device supports it. Whether transcription happens locally or via Apple's servers depends on your device, language, and iOS version; some languages still require server-side processing through Apple. In that case, audio is processed by Apple (not by Belvantis) under Apple's privacy practices.
If you prefer fully offline transcription regardless of language, the App offers a separate Omnilingual ASR path based on the open-source sherpa-onnx 1B model. You download it once (about 1 GB) and from then on every transcription happens entirely on-device with no Apple involvement.
6.3 On-device AI model download (optional)
If you turn on on-device AI in Settings → AI, the App downloads an open-weights language model (default depends on your device's RAM — Gemma 3 1B for 4–6 GB iPhones, Gemma 3 4B or larger for 8 GB+ devices) over HTTPS. The download is a normal HTTPS request for publicly hosted files. The App does not send any of your journal data to the model host; it simply fetches the model.
The App also has an Azure Blob Storage mirror as automatic fallback for transient host failures. The mirror is a passive file source — your journal data is never sent to the mirror or to anyone else; only file requests for the model itself.
6.4 App Intents, Siri, and Shortcuts (optional)
The App registers App Intents (AppendToCandorIntent, OpenCandorWritingIntent, StartCandorVoiceIntent) so you can quick-capture by saying "Hey Siri, add to Candor" or by running a Shortcut. Siri's interpretation of your phrase happens via Apple's Siri service under Apple's privacy practices. The captured text is then enqueued by the App into a local App Group inbox; nothing is sent to Belvantis.
6.5 In-App Purchase (optional)
If you choose to unlock Candor Pro, the purchase flow runs entirely through Apple's StoreKit. We use Apple's Transaction.currentEntitlements and Transaction.updates APIs to detect whether your Apple ID owns the non-consumable IAP com.belvantis.candor.pro. Apple handles the receipt; we never see your payment information, your Apple ID, or your billing address. The App stores only a local boolean ("hasPro") derived from Apple's StoreKit response.
6.6 No external AI / no third-party LLM
Candor for iOS does not integrate a third-party LLM provider, does not send any text to a remote model, and does not include cloud-AI plumbing. All language-model inference happens on-device via Apple's MLX framework on the Metal GPU.
7. Permissions the App requests
The App requests the following iOS permissions, each only at the point you use the relevant feature:
| Permission | Why it is requested |
|---|---|
| NSMicrophoneUsageDescription | Voice journaling — only when you tap the microphone |
| NSSpeechRecognitionUsageDescription | Apple Speech framework dictation (optional; the Omnilingual offline path does not require this) |
| NSPhotoLibraryUsageDescription / NSPhotoLibraryAddUsageDescription | Attaching a photo to an entry, when you choose |
| Notifications (optional) | Daily reminder, if you enable it |
| Face ID / Touch ID (NSFaceIDUsageDescription) | Unlocking the encrypted vault, if you enable biometric unlock |
| iCloud / CloudKit entitlement | Syncing encrypted journal records across your iPhone and iPad, if you enable iCloud sync |
| App Group group.com.belvantis.candor | Cross-process capture inbox shared between the main app, the Widget Extension, and the Share Extension |
| Increased Memory Limit entitlement | Required by Apple's MLX framework to load on-device language models above the default jetsam limit |
The App does not request location, contacts, calendar, SMS, call log, camera (other than the system gallery picker if you attach an image), HealthKit, or any health-data permissions.
8. Children
Candor is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you are a parent or guardian and believe a child has used the App in a way that requires action by us, contact us at the email above.
9. Data retention and deletion
Because we do not store your content on our servers, there is no server-side retention period.
On your device:
- Entries, reflections, and chat messages remain until you delete them.
- Soft-deleted entries can be restored from the in-app Trash until you empty it.
- You can wipe all App data from Developer → Erase All Data (in DEBUG builds) or by uninstalling the App, or via iOS Settings → General → iPhone Storage → Candor → Delete App.
- If iCloud sync is on, encrypted records are also stored in your private CloudKit container. They are removed when you delete entries in the App and on iCloud's normal record-deletion cadence; you can also remove them via iCloud's own management surfaces.
- The Storage Manager (Settings → Privacy & Storage → Storage) lets you reclaim space per category — voice, image attachments, AI models, transcription models — without deleting your journal entries.
10. Security
We use the following technical safeguards:
- XChaCha20-Poly1305 authenticated encryption (libsodium) for each entry, reflection, attachment, and chat message.
- Argon2id (32 MiB memory cost, 3 iterations) to derive the key-wrapping key from your passphrase.
- iOS Data Protection at NSFileProtectionComplete level on the SwiftData store, the autosave outbox, the version-history ring buffers, and the App Group capture inbox — files are unreadable while the device is locked.
- iOS Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly for the wrapped vault key.
- Face ID / Touch ID unlock attestation routed through the Secure Enclave (when you enable biometric unlock).
- Auto-lock when the App backgrounds; a privacy shield on the multitasking switcher snapshot.
- Logging that strips sensitive fields in release builds.
- Per-entry 5-revision history and an autosave outbox so a crash mid-paragraph does not lose your work.
No security measure is perfect. You are responsible for keeping your passphrase, your device passcode, and your backups secure.
11. International users and our role under data-protection law
The App can be installed and used worldwide. Because content stays on your device and on storage you control (your private CloudKit container, accessed only by you), there is no cross-border transfer of your journal data to or by us. If you use iCloud, Apple may transfer and store data in regions in accordance with its own policies.
Our role under the GDPR and similar laws. Because the App processes your journal content locally on your device and Belvantis does not receive that content, Belvantis is not a "controller" or "processor" of your journal content under the EU/UK General Data Protection Regulation, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act, or comparable laws. To the extent any jurisdiction nonetheless treats Belvantis as a controller of any limited information (for example, an email you send us at the support address), our legal bases for processing under Article 6 GDPR are: (a) the performance of a contract with you, namely these Terms (Article 6(1)(b)); (b) our legitimate interests in operating, securing, and improving the App and in defending legal claims (Article 6(1)(f)); and, where applicable, (c) your consent, which you may withdraw at any time (Article 6(1)(a)). We do not engage in profiling or solely-automated decision-making about you under Article 22 GDPR.
No HIPAA / no health-data framework. Belvantis is not a HIPAA "covered entity" or "business associate," is not subject to the HITECH Act, and does not handle "protected health information" as that term is used in U.S. or EU health-data regulation. The App is not a regulated medical device under any framework. Do not use the App to store information you intend to be treated under any such framework.
12. Your privacy rights
Depending on where you live, you may have rights under laws such as the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), or similar laws.
Because we do not collect or hold your personal information on our servers, most of those rights — for example, the right to access, correct, delete, port, or restrict processing of personal data — are exercised by you directly on your device, using the App's built-in features:
- Access / portability: export your entries as plain markdown (with optional voice and image assets) or as an encrypted .ilbk backup from Settings → Privacy & Storage → Backup & Restore.
- Correction: edit any entry directly. Per-entry version history lets you restore a prior revision via Settings → Privacy & Storage → Sync Health → Earlier versions.
- Deletion: delete entries, reflections, sessions, attachments, or all App data from within the App; uninstall the App; or remove encrypted iCloud records via your iCloud account.
- Object / withdraw consent: turn off any optional feature in Settings.
- No sale or sharing: we do not sell or share personal information for advertising or any commercial purpose, as those terms are defined under applicable law.
If you believe we hold personal information about you and you would like to exercise a right, contact us at support@belvantis.com. If you are in the EU/UK and we cannot resolve your concern, you have the right to lodge a complaint with your local data protection authority.
13. Apple-specific disclosures
The App is distributed through the Apple App Store. The following Apple services may interact with the App; their handling of your data is governed by Apple's privacy policy:
- App Store / StoreKit — for distribution and the optional Pro In-App Purchase (com.belvantis.candor.pro).
- iCloud / CloudKit — for end-to-end encrypted sync (when you enable it). The container is iCloud.com.belvantis.candor, private database.
- Apple Speech framework / SFSpeechRecognizer — for dictation (when you use it).
- Siri / App Intents / Shortcuts — for "Add to Candor" voice capture and Shortcuts automation.
- Face ID / Touch ID and the Secure Enclave — for biometric unlock attestation.
Apple's privacy policy is at https://www.apple.com/legal/privacy/. Apple's role under the App Store EULA, the Apple Media Services Terms, and the iCloud Terms applies independently of this Policy.
14. Privacy nutrition label (App Store)
The App's App Store privacy disclosure is, in plain English: "Data Not Collected." The Pro IAP is processed by Apple StoreKit; we do not collect any data from that flow ourselves. iCloud sync moves only ciphertext to a container you own. App Intents inputs are queued locally to an App Group inbox.
15. Changes to this Policy
We may update this Policy from time to time. When we do, we will revise the "Last updated" date at the top and, where appropriate, surface the change in the App. Material changes that affect optional features will be disclosed before those features start handling new data.
Continuing to use the App after changes take effect means you accept the updated Policy.
16. Contact
Questions, requests, or complaints: support@belvantis.com.
You can also reach us at:
Belvantis · Attn: Privacy · support@belvantis.com