'On-device' has quietly become the most abused word in the recording category. It shows up on landing pages next to claims that don't hold, deployed to mean 'private' when it really means something specific and limited. I'd rather tell you exactly what it means in Bonfiyah — what runs on your device, what leaves it, when, and why — than hand you a slogan you'd have every right to distrust. Precision here isn't pedantry. It's the difference between a privacy claim you can rely on and one that falls apart the first time someone reads it carefully.
Around the fire, the circle only included who you could see. Nobody promised the conversation stayed in the clearing while quietly sending it over the next hill. The honest version of that promise, in software, is to say plainly where the words go.
What runs on your device.
Several things never leave your iPhone (or iPad, or Mac; it's a universal Apple app, all three synced over iCloud). Your recording is captured and stored locally first. Your voiceprints — the compact signatures that let Bonfiyah recognise a returning speaker — are computed on your device. Translation runs on-device, using Apple's Translation framework. Proactive notifications are built and scheduled on your device as local notifications, never routed through a push server. And the optional app lock is Face ID / Touch ID, on the device.
There's also an on-device transcription fallback. If you ever exceed the daily cloud allowance, Bonfiyah falls back to Apple's on-device speech recognition so your capture is never blocked — fully local, no audio leaving the phone. The app keeps capturing even in places the cloud can't reach; the full cloud transcript catches up once you're back online.
What leaves your device, and exactly when.
Here's the part the slogans skip, and the part you actually want to know. To produce your full transcript, your audio is uploaded to our backend and sent to a dedicated cloud speech provider — that's the default path, and it's how you get an accurate, speaker-separated transcript. The Pro AI features then reason over that transcript in the cloud too. So yes: your audio and transcript do leave your device, for transcription and AI processing. We're not going to pretend otherwise.
Three things make that safe to rely on.
It's short-lived. The transcript is deleted from our speech provider immediately after processing, and the original audio auto-deletes from our servers within 7 days. Beyond that window, we no longer hold it.
It's specific. Your audio goes to the cloud to be transcribed and to power the features you're using — not as a background harvest, not silently, not 'to improve our service.' There's a defined reason it goes.
It's bounded by a commitment. We do not train AI on your transcripts or audio. That's not a marketing line — it's a binding commitment, contractual with our vendors and policy on our side. Your conversations are processed to give you features, not to feed a model.
That's the whole shape of it: a handful of things run on your device, the transcription and AI run in the cloud, and everything that goes there is short-lived and never used for training. You can read the longer version on the privacy commitment page, which spells out the data handling rather than gesturing at it.
Why we won't say 'your audio never leaves your phone.'
You'll see that exact phrase — 'your audio never leaves your device,' '100% on-device, always' — all over this category. We won't write it, and the reason matters.
It isn't true for any app that offers a cloud-accuracy mode or cloud-based AI features, including ours when you turn those on. Saying 'never leaves your phone' while operating an optional cloud pass is, at best, a claim that quietly contradicts the product. At worst, in a category where recording law and privacy litigation are live and active, it's the kind of absolute that doesn't survive contact with discovery. We'd rather be precise than impressive. 'A few things run on your device; transcription and AI run in the cloud, where everything is short-lived and never used for training' is a longer sentence, and it has the advantage of being one we can stand behind in front of a lawyer.
The tell, when you're evaluating any recording app: an honest privacy claim names the exception. If a page promises absolute on-device privacy and also advertises cloud AI summaries, those two claims can't both be fully true, and the one that gives is the privacy one. The apps worth trusting are the ones that tell you where the door is.
Consent is a separate promise from privacy.
It's worth separating two things that get blurred together, because they're different protections doing different jobs.
Privacy is about where your data goes once a recording exists. Consent is about whether the recording should exist the way it does in the first place — whether the other people in the room agreed. Bonfiyah's consent tooling handles the second: it surfaces the consent rule for your location, captures verbal consent when you want it, and keeps an exportable log. It ships in every tier, free included.
One precision on consent that's the cousin of the privacy precision above: consent surfaces the rule for where you are. It does not tell you a recording is 'legal,' and it isn't legal advice. Same discipline — say exactly what the tool does, never more than it does. That same care extends to the voice layer underneath everything, where the binding between a voice and a name has real downstream consequences; if you want the engineering version of that honesty, the Voice ID page walks through how the matching works and where it can be wrong.
What this isn't.
This isn't a claim that Bonfiyah is the most private recording app in existence, or that no data ever moves. Transcription and the AI layer run in the cloud — that's where the accuracy and the intelligence come from — and that's a real trade-off, not one we'll hide. The point of this piece isn't to pretend the cloud isn't involved. It's to make sure that when you decide, you're deciding on the real picture: a few things on your device, transcription and AI in the cloud, everything there short-lived, a binding no-training commitment, and a company willing to tell you where the door is instead of pretending there isn't one.
If a privacy claim can't name its own exception, it isn't a privacy claim. It's a slogan.
Decide with the real picture.
The best way to trust a privacy posture is to use the product knowing exactly how it works — which is the whole reason this piece exists. Your audio is transcribed in the cloud and then deleted — from our provider immediately, from our servers within 7 days — and the commitment not to train on your transcripts holds the whole time. That's the behaviour described here, in plain terms. Bonfiyah is free to start.
The clearing only ever held who you could see. We'll always tell you, plainly, when a word travels past the firelight.
— Richard