Pensory

Privacy Policy

How Pensory handles your data.

In short: we don't ask for your name, email, or password. Your reflections live encrypted on your phone, not on our servers. There is one honest tradeoff for the AI conversations, explained below - we'd rather tell you about it than hide it.

Last updated · 28 April 2026 · Effective 28 April 2026

The short version

  • No accounts. No email. No password. No login. Ever.
  • Your reflections are encrypted on your device using AES-256-GCM, with a key only your phone knows.
  • Our servers store metadata, not content - when you talked to Pensory, how many tokens, which prompt version. Never what you wrote.
  • AI conversations pass through our server in plaintext on their way to Anthropic. We don't log them. They're discarded the instant the reply comes back. This is the one tradeoff.
  • Backups are end-to-end encrypted with your own passphrase. Your cloud (iCloud, Google Drive) sees an opaque file.
  • No third-party analytics, no advertising SDKs, no fingerprinting.

Anonymous by design

On first launch, Pensory generates a random identifier - a UUID - and stores it in your phone's secure enclave (iOS Keychain, Android Keystore). We call it your device ID. It's the only identifier our servers ever see.

We don't ask for an email or phone number. You don't have a profile. If you uninstall and reinstall the app, a new device ID is generated and your previous device - from our servers' perspective - simply stops sending requests. We have no way to link the two.

You can choose an optional first name during onboarding so the AI can address you. That name lives in your phone's preferences and travels with each AI request. We never store it on our servers. If you'd rather stay nameless, leave it blank.

What lives only on your device

Your reflections - both the quiet writing entries and the conversations with Pensory - never leave your phone in plaintext, except in the specific moment described in The AI tradeoff below.

They are stored in a SQLite database on your phone, with the body, summary, and tags encrypted column-by-column using AES-256-GCM. The encryption key is generated on first launch and held in your phone's secure enclave. It never leaves the device. If you uninstall the app, the key is destroyed; the encrypted entries on the disk become unrecoverable.

The only fields we leave unencrypted in the local database are the timestamp, the chosen emotion (e.g. calm, vulnerable), and the intensity slider value. None of these are personally identifying.

The app also stores small preferences in plain text on your phone: your chosen atmosphere theme, soundscape, optional first name, and onboarding state. None of this is sent anywhere except the name (only during AI calls, see below).

What our servers see

Our API is a stateless proxy that records only operational metadata. Two stores live behind it.

Postgres - operational metadata

For each device that has ever used Pensory, we keep:

  • The device ID
  • First-seen and last-seen timestamps
  • Lifetime conversation and message counters (numbers, not content)
  • Your subscription state, if you've purchased Plus (handled via RevenueCat)

For each conversation, we keep one row of audit data:

  • A conversation ID (generated by your phone)
  • Start and last-message timestamps
  • Token counts (input, output, cache hits)
  • The model name (e.g. claude-haiku-4-5-20251001) and prompt version, so we can attribute regressions when we update the prompt
  • A boolean indicating whether the AI surfaced crisis-resource information (see Crisis-resource handling)
  • An error count, if anything went wrong

Notice what's not in that list: messages, summaries, your name, your emotion, your reflections.

Redis - the weekly rate-limit window

To enforce the free-tier limit (3 conversations per week), we keep a small set keyed by your device ID. It contains the conversation IDs you've started in the last 7 days, and self-deletes after 7 days. Nothing else.

Server logs

For error handling and routine performance monitoring, our application writes operational logs. These contain a hashed device ID for correlating events, plus token counts and error stacks. They never contain message content.

The honest tradeoff: AI conversations

Pensory's conversation mode is powered by Anthropic's Claude. To get a reply, your message has to leave your phone in plaintext. There is no way around this with current AI providers - the model needs to read what you wrote.

What we do with that:

  • Your message reaches our API over HTTPS.
  • Our API forwards it to Anthropic, also over HTTPS, along with a system prompt and, when your context is included, up to seven recent entry summaries, which are decrypted briefly on your phone just before sending.
  • Anthropic returns a reply.
  • Our API passes the reply back to your phone.
  • The plaintext on our server is discarded as soon as the request finishes. It is not written to logs, not persisted to a database, not cached.

Anthropic processes the message under their own privacy terms. We send no identifier that ties the message to you - only an opaque session identifier our system uses for its own audit row. If you want to read Anthropic's posture, see anthropic.com/legal/privacy.

We're working on a future "AI off" mode that lets you journal entirely on-device, without ever calling the AI. If you'd rather nothing you write ever leave your phone, that mode will be the right choice when it ships.

RevenueCat (subscription handling)

If you subscribe to Plus, our app talks to RevenueCat to manage the App Store / Play Store receipt. We send your device ID as an opaque "subscriber ID" so RevenueCat can attach your purchase to your install. RevenueCat returns whether you have an active subscription and when it expires. Our server stores that expiry date so the app can unlock Plus features without contacting RevenueCat on every request.

We don't share any reflection content, name, or AI conversation with RevenueCat. We don't share advertising identifiers (we don't have any). RevenueCat sees the same opaque device ID that we do.

Backups

Pensory's backup is opt-in and end-to-end encrypted on your device before it leaves. When you tap Export, the app:

  • Asks you for a passphrase (Pensory never sees it).
  • Derives a wrapping key from your passphrase using PBKDF2-HMAC-SHA256 with 600,000 iterations and a fresh random salt.
  • Wraps your device's encryption key and a copy of your encrypted SQLite database with AES-256-GCM.
  • Hands the resulting .pensorybackup file to your phone's share sheet.

Wherever you save it - iCloud Drive, Google Drive, AirDrop, email - your cloud provider sees an opaque ciphertext blob. Without your passphrase, nothing in the file is recoverable. We do not have your passphrase. We cannot reset it. Choose one you'll remember.

Restore reverses the process: you provide the passphrase on the receiving device, the file is decrypted in memory, and the restored database is written to local storage.

Crisis-resource handling

Pensory's AI is instructed to surface trusted crisis resources (such as 988 in the US or findahelpline.com internationally) when a conversation suggests acute distress. To monitor whether this safety mechanism is working, our audit row includes a single boolean: did this conversation include crisis resources in the AI's reply?

We don't store what was said. We don't know who you are. The flag exists so we can verify our prompts are working as intended and improve them when they aren't. If you're in a moment that scares you, the resources in the app are real - please reach out.

Your control

  • Delete a single entry: swipe to delete from the Sky tab.
  • Delete everything: uninstall the app. Your encrypted database and the encryption key are both removed by the operating system. The data on your phone becomes unrecoverable.
  • Export everything: use the encrypted backup feature in the You tab.
  • Stop using AI: for now, choose Write quietly at the start of a session - no message leaves your phone. A device-wide "AI off" toggle is on our roadmap.
  • Ask us to delete server-side metadata: email [email protected] with your device ID (find it under You · About). We will delete the operational metadata associated with that device within 30 days.

Children & age

Pensory is intended for users 17 years and older. The app's content includes themes that may not be appropriate for children - quiet reflection, mood, and AI-assisted conversation, including occasional crisis-resource information. We do not knowingly collect data from anyone under 17. If you're a parent or guardian and you believe your child has used Pensory, contact [email protected] and we'll delete the device's metadata.

Permissions you might see

iOS may show permission prompts for the following. Pensory uses none of them actively today; they appear because of underlying system frameworks the app links against:

  • Photo Library / Camera: only triggered if you choose to share or import a backup file via the system share sheet. Pensory does not access photos or the camera on its own.
  • Notifications: the onboarding screen mentions notifications, but the current release does not actually schedule any. A gentle reminder system is on our roadmap.

The app does not request microphone, location, contacts, calendar, health, or any other sensitive permission.

Security

  • All API traffic uses HTTPS with TLS 1.2 or newer.
  • Local data is encrypted with AES-256-GCM. Keys are stored in iOS Keychain or Android Keystore.
  • Backups are encrypted with AES-256-GCM under a key derived from your passphrase with PBKDF2-HMAC-SHA256 (600k iterations).
  • We don't use cookies or session tokens. We don't collect IP addresses for anything beyond the brief moment a request is in flight.
  • Our API runs on Railway, which provides at-rest encryption for Postgres and Redis.

If you discover a security issue, please report it to [email protected]. We treat reports with care.

Changes to this policy

If we change anything material - new data points collected, a new third-party processor, a different cryptographic primitive - we will update the Last updated date above and, when the change is significant, surface a quiet in-app note. The current version is always at www.pensoryapp.com/privacy.

Contact

Privacy questions, deletion requests, security reports: [email protected].

General support: [email protected] · /support.

Pensory is built by Workflow Precision LLC.