journal bot about Pricing Log in Start here →

Privacy

Built so your journal stays yours. Here's exactly what that means.

What this app protects

  • AI runs on this server. Whisper transcribes your voice, Qwen does sentiment + answers your questions, nomic-embed indexes your entries — all on this server. The current configuration does not call out to third-party AI providers like OpenAI, Google, or Anthropic. You can verify which models are running at /status.
  • Encrypted at rest with a per-user key. Your transcripts, summaries, mood labels, and tags are encrypted before they're saved. A database leak yields ciphertext for those fields. Exception: the vector embeddings used for search are not encrypted in this version, so semantic content of entries could be partially recoverable from embeddings alone — we're working on that.
  • Passphrase mode available. For the strongest guarantee, you can choose to encrypt with a passphrase only you know. In passphrase mode the server operator cannot decrypt your data at rest. In standard mode (the default) the operator can — the master key that wraps your user key lives on the server. Details below.
  • No tracking, no ads, no data resale. The current install does not run Google Analytics, Mixpanel, or Sentry. A single signed session cookie for sign-in, nothing else.
  • Your data is yours — to keep, take, or delete. /export downloads everything as a ZIP. /forgetme CONFIRM deletes your account from the active database. Encrypted backups are purged within 30 days.
Encryption is on for this server.

What's saved

  • Your Telegram name and ID (for sign-in).
  • Your messages to the bot — text, voice, photos, locations.
  • AI-derived metadata — sentiment, summary, tags.
  • An audit log of sensitive actions (logins, exports, deletions).

What's not saved

  • Your email address.
  • Your phone number.
  • Third-party cookies or trackers.
  • Anything in third-party AI providers.

Who sees what

Who What they see
You Everything you write — from any device, anytime.
Other users Nothing. Accounts are fully isolated.
Telegram Your messages in transit through their network (same as any messaging app).
Third-party AI The current configuration does not send content to third-party AI APIs. Verify at /status.
The server Standard server-side access, same as any hosted app. Encryption-at-rest applies; passphrase mode goes further.

Your rights, in buttons

  • See: every entry shows up in your list.
  • Take: /export — ZIP of JSON + audio + photos. Open format, no lock-in.
  • Edit: delete and resend any entry you want to correct.
  • Delete: /forgetme CONFIRM — removes your account from the active database; encrypted backups are purged within 30 days.
  • Audit: every sensitive action is logged and visible in /settings.

Live system status

The /status page is public. It shows which AI models are running and whether the workers are healthy. No login. Verify before you trust.

Technical detail: the trust model

In standard mode (the recommended option for nearly everyone), encryption keys are managed by this server. That's the same situation you have with Notion, Apple Notes, or any hosted app: the service operator could — technically — decrypt your data if they wanted to. The difference here is that (a) the app is small and known, (b) no third party touches your words, and (c) if that model doesn't convince you, the passphrase mode is right there and removes that possibility entirely.

In passphrase mode, your data is encrypted with a key derived from a passphrase only you know — never sent to the server in storable form. Even with full server access the operator cannot read your entries at rest. The tradeoff: forget the passphrase, no recovery.

I'm convinced — start →

Formal documents: Privacy Policy · Terms of Service · Consumer Health Data Policy (Washington)