Privacy Policy

Last updated: February 20, 2026

MyBons.ai ("we," "our," or "us") operates the MyBons.ai mobile application (the "App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App.

1. Information We Collect

Personal Information: When you create an account, we collect your email address for authentication purposes.

Journal Content: The text, photos, and videos you add to journal entries are stored locally on your device. If you enable cloud sync, this content is encrypted on your device before transmission and stored in encrypted form on our servers (Supabase). We cannot read your journal content on the server.

Preferences & Personalization: We store your calibration choices (communication style, faith preference) and personalization text ("About you," "How to talk to you") locally on your device and, if signed in, synced to your account. Your faith preference (yes/no/only if I mention it) determines whether AI responses include Christian scripture and theology.

Usage Data: We track basic usage metrics such as the number of entries created and features used, solely for enforcing subscription limits and improving the App.

Saved & Insights: Bookmarked text and AI responses are stored locally on your device. Insights (detected patterns across entries) are computed locally using on-device analysis and are not transmitted to our servers.

AI Processing: When you use AI features (reflections, mantras, bonsai insights, conversations), your journal text is processed through our secure proxy. Before sending it to OpenAI's API, we apply automatic PII redaction to strip email addresses, phone numbers, social security numbers, and credit card numbers from the text. OpenAI does not use this data for training purposes per their API data usage policy.

2. How We Use Your Information

We use the information we collect to:

3. Data Storage & Security

Your journal entries are stored locally on your device by default. If you sign in and enable sync:

Private entries are additionally protected with a passcode that is hashed using SHA-256 before storage. We cannot access or recover your passcode.

Developer access: Our security architecture is designed so that developers and server administrators cannot access your journal content. Remote data is encrypted before it leaves your device, and encryption keys are derived from your credentials and stored only on your device.

4. PII Protection

Before your journal text is sent to any third-party AI service, we automatically redact personally identifiable information (PII) including:

This is a best-effort automated filter. We recommend not including highly sensitive financial or identity information in journal entries.

5. Third-Party Services

We use the following third-party services:

Supabase: Authentication and encrypted cloud data storage. Subject to Supabase's privacy policy.

OpenAI: AI-powered reflections and insights. PII-redacted journal text is sent through our authenticated, rate-limited proxy to OpenAI's API. All requests require a valid user authentication token. OpenAI's API data usage policy states that data submitted via the API is not used for model training.

Tavily: Web search API used to enrich AI responses with current, relevant information. Search queries are derived from your journal content but are anonymized and not linked to your identity. Tavily does not store your data.

RevenueCat: Subscription and in-app purchase management. Subject to RevenueCat's privacy policy.

PostHog: Privacy-respecting analytics to understand how features are used and improve the App. We collect anonymous usage events but never collect or store the content of your journal entries through analytics. PostHog is GDPR-compliant. We do not track you across apps or websites. No advertising identifiers are collected.

Apple: Subscription payment processing via the App Store. Subject to Apple's privacy policy.

6. Data Portability & Export

You can export all of your data at any time from Settings → Export My Data. This produces a complete JSON file containing all your journal entries, settings, and preferences. You can also import previously exported data into the App.

7. Data Retention

Your journal entries are retained as long as you maintain your account. Deleted entries are moved to a "Recently Deleted" folder and permanently removed after 30 days.

You may delete your account and all associated data at any time from within the App (Settings → Delete Account & Data) or by contacting us at jtchitla@mybonsaijournal.com. Account deletion is permanent and cannot be undone.

8. Your Rights

You have the right to:

To exercise any of these rights, use the in-app features or contact us at jtchitla@mybonsaijournal.com.

9. Children's Privacy

The App is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.

10. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of changes by updating the "Last updated" date at the top of this policy. Your continued use of the App after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy, please contact us at:
jtchitla@mybonsaijournal.com