Privacy Policy

Effective: June 8, 2026 · Previous version: May 4, 2026

Belong Journal ("we," "us," "our") is operated by Matthew Esposito as a sole operator. We run the website belongjournal.ai and the Belong Journal iOS app (bundle ID: ai.belongjournal.app). This page explains what we collect, what we do with it, who else sees it, and what you can do about it.

We built Belong Journal on a simple belief: your thoughts belong to you. We’re not perfect, but we try to be honest about what happens with your data. The boring legal version below is the same as the friendly version we’d give a friend who asked.

What we collect

Account information

When you sign in with Apple or Google, we receive your email address and your name (only if you choose to share it). We never see your password — Apple and Google handle that. We store your email and display name in your profile.

Profile preferences

You can set a display name, an optional phonetic spelling for how the AI should pronounce your name in audio reflections, your timezone, your preferred reminder time, and a few other journaling preferences. These are used solely to personalize your experience.

Your synthesized profile

As you use Belong, the AI quietly extracts a profile of you from your entries — up to 28 fields covering things like the chapter of life you’re in, the values you lead with, the people who matter to you, what gives you energy and what drains it, and what you’re working toward. This profile makes reflections more specific to your actual life. You can read, edit, or refresh it any time from the More tab.

Journal entries

When you record an entry, we store:

  • The audio recording of your entry, in our secure storage (encrypted at rest)
  • The text transcription of that audio
  • Entry metadata: date, time, entry type (journal, prayer, brain dump, dream, gratitude, challenge, check-in), mood rating and optional mood tags
  • AI-generated reflections, daily/weekly/monthly/yearly reports, and chat conversations that draw from your entries
  • Memory snippets the AI extracts from your entries (with importance and confidence ratings) so it can carry context forward over time

Subscription information

If you subscribe to a paid plan, Apple processes the payment and RevenueCat manages the subscription state for us. We receive your subscription status (trial, active, cancelled, expired) and the dates around it. We never see your card details or payment information.

Usage and error data

We log a small set of typed product events (e.g., "recording_completed", "report_generated", "chat_message_sent") along with non-content metadata (duration, entry type, message-length bucket). We also log errors with stack traces and HTTP context. These logs never contain your entry text, message content, or any free-form things you wrote. We use them to debug, fix bugs, and understand which features people actually use.

Beta feedback

If you submit feedback through the in-app reporting tool, we store the type of feedback, your description, an optional screenshot you attached, your device info (model, iOS version), and the app version. Screenshots are kept in a private bucket and shared only with the founder for triage.

Notification device tokens

If you enable push notifications, your device sends us an Apple Push Notification Service (APNs) token. We store it on your profile so we can deliver reflection-ready, weekly-brief, and streak reminders. The token is rotated when you reinstall the app or revoke notifications.

Waitlist email (website)

If you join the waitlist on belongjournal.ai, we collect your email and (optionally) your name and a hint about how you found us, so we can let you know when the app opens up.

Website analytics

We use Vercel Analytics on belongjournal.ai for aggregate page-view counts. It is cookie-less, does not track you across sites, and is not joined to any account identifier. We do not run Google Analytics, Meta Pixel, ad networks, or any tracking pixels in our emails.

How we use your information

  • Transcribe your voice recordings into text (on your device — see below)
  • Generate AI reflections, reports, chat responses, and audio playback of reflections
  • Build and maintain the personal memory bank that helps the AI understand your story over time
  • Send you the reflections, reports, and reminders you’ve opted into
  • Manage your account and subscription
  • Debug, fix bugs, and improve the service based on aggregate usage and error patterns
  • Communicate with you about your account when something requires it

How we process your data

On-device transcription

Your voice recordings are transcribed to text using WhisperKit, which runs entirely on your iPhone. In almost all cases your audio is never sent to a third-party transcription service. The one exception is a fallback: if on-device transcription fails (for example, on an unusually long recording), the audio file is sent to OpenAI’s Whisper API to be transcribed instead. OpenAI’s commercial API terms prohibit training on customer data.

The audio file itself, however, is uploaded to our secure storage so you can play your entry back, edit it, and re-transcribe it later if you want. We want to be clear about that: transcription happens on your device (with the fallback noted above); the audio is stored on our servers (encrypted at rest, scoped to your account).

AI reflections, chat, and memory

Your transcripts, your synthesized profile, your recent conversation messages, and relevant past memories are sent to either Anthropic’s Claude API or Google’s Gemini API — depending on which provider you select in the iOS app under Settings → AI Model — to generate reflections, reports, and chat responses, and to extract new memories from your entries. Free-tier accounts use Gemini; Pro subscribers can pick either provider. Two narrow paths always use Claude regardless of your choice: the one-time Day 7 challenge profile extraction and the Day 7 capstone reflection.

Anthropic: commercial API terms prohibit training on customer data. Anthropic retains inputs and outputs for up to 30 days under their standard commercial API terms, used only for safety and abuse monitoring, then auto-deleted. (We are pursuing a Zero Data Retention agreement with Anthropic; this section will be updated when that agreement is in effect.)

Google: per Google’s Gemini API terms for paid usage, your prompts and responses are not used to train Google’s models. Google may retain content for a limited period for abuse monitoring under their standard API terms.

Memory search embeddings

To find the most relevant memories without re-reading every entry, we use OpenAI’s embedding model (text-embedding-3-small) to convert memory snippets, your chat messages, and short summaries of your entries into 768-dimensional number vectors. These vectors are stored in our database and searched locally; OpenAI just produces the math. OpenAI’s commercial API terms also prohibit training on customer data.

Text-to-speech

The AI-generated reflection text (not your raw entries) is sent to OpenAI’s TTS model (gpt-4o-mini-tts) so you can listen to your reflections instead of reading them. The audio file is stored in our secure storage and tied to the report it voiced. So you know the full picture: OpenAI handles three narrow, non-reflection tasks for us — converting written reflections into audio narration, generating the embeddings used for memory search (above), and transcribing a recording only as a fallback when on-device transcription fails. OpenAI does not generate your reflections or chat (Anthropic and Google do that), and OpenAI’s commercial API terms prohibit training on customer data.

Push notifications

When a new reflection or weekly brief is ready, we send a notification through Apple’s Push Notification Service (APNs). The notification payload contains a short, generic title and body (“Your reflection is ready”) and a deep-link to open the right screen in the app. The notification never contains your entry text, your reflection text, or any chat content.

Subscriptions

RevenueCat manages your subscription via Apple’s StoreKit 2. They receive an anonymous identifier and the transaction metadata Apple gives them. They never see your journal content or anything beyond what subscription management requires.

Email

Transactional emails (deletion confirmations, beta feedback acknowledgements) are sent through Resend. Resend sees the recipient address, the subject line, and the email body. We don’t use marketing tracking pixels in our emails.

Bottom line: we do not use your journal entries to train AI models. We do not sell or share your data with anyone outside the service providers above. We do not use ad networks. We do not let advertisers see what you write.

Storage and security

  • Database: Supabase Postgres, hosted in the US (us-west-1).
  • Row-level security on every table: the database itself enforces that you can only read or modify your own data. No user, no admin script, no random query can pull another person’s entries by accident.
  • Encrypted in transit: all communication uses HTTPS with TLS 1.2 or higher.
  • Encrypted at rest: audio recordings and database contents are encrypted on disk by Supabase using AES-256.
  • Authentication: handled by Apple and Google. We never see your password.
  • Audio storage: private buckets scoped to your user folder.
  • Beta feedback screenshots: private bucket, only accessible via short-lived (7-day) signed URLs sent to the founder’s ops email.

About end-to-end encryption

Belong Journal is not end-to-end encrypted. True end-to-end encryption would mean that even our AI couldn’t read your entries, and the AI reading your entries is fundamental to how Belong works: the whole product is the AI reading your entries and reflecting back. If end-to-end encryption is essential to you, Belong isn’t the right tool. Day One offers it and is a good alternative.

What we do offer: encrypted in transit, encrypted at rest, strict row-level security, no training on your data, no ads, no third-party trackers. That’s the honest answer.

Third-party services

We share data only with the providers we need to deliver Belong:

  • Anthropic (Claude API) — when you select Claude as your AI provider, receives transcripts, your synthesized profile, memory snippets, and conversation context to generate reflections, reports, chat responses, and memory extractions. Also always used (regardless of your provider choice) for the Day 7 challenge profile extraction and the Day 7 capstone reflection.
  • Google (Gemini API) — when you select Gemini as your AI provider, receives the same inputs as Anthropic for the same purposes (reflections, reports, chat, memory extractions). Free-tier accounts default to Gemini.
  • OpenAI — receives memory snippets to generate embeddings (vectors used for search), AI-generated reflection text to generate audio narration, and — only when on-device transcription fails — the audio recording to transcribe as a fallback. OpenAI does not generate your reflections or chat.
  • Supabase — hosts our database, file storage, authentication, and edge functions.
  • RevenueCat — manages subscription status via Apple StoreKit 2.
  • Apple Sign-In / Google Sign-In — authenticate you and return your email and (with permission) your name.
  • Apple Push Notification Service (APNs) — delivers push notifications to your iPhone.
  • Resend — sends transactional emails from noreply@belongjournal.ai.
  • Vercel — hosts belongjournal.ai and provides aggregate page-view analytics (no cookies, no per-user tracking).

Each of these providers is bound by their own privacy and data-handling agreements. None of them are advertising networks. We pick infrastructure providers that don’t train on customer data. For the full list with hosting region, retention, and training stance, see our sub-processors page.

How long we keep things

  • Account, profile, journal entries, recordings, AI content, memories: retained until you delete them individually or delete your account.
  • Beta feedback (and any attached screenshots): retained until your account is deleted, or until we mark the issue resolved and roll it off, whichever comes later.
  • Waitlist email: retained until you ask to be removed or until we close the waitlist.
  • Usage and error logs: retained as an operational audit trail and for service improvement. These survive account deletion in anonymized form (your user ID becomes orphaned and can no longer be associated with you). We need this trail to debug issues that span many users. If you want your specific log records purged in addition to your account, email us and we’ll handle it within 30 days.
  • Transactional email logs: retained as proof of delivery (e.g., that your deletion-confirmation email actually fired).
  • Encrypted database backups: retained up to 30 days, then permanently removed (Supabase default).

When you delete your account, we hard-delete your entries, recordings, AI-generated content, memories, profile, and authentication record. The few categories that survive deletion are listed above — we keep them honestly rather than pretending they go away.

Your rights

Wherever you live, you have the right to:

  • Access the data we hold about you. Email us and we’ll send you an export within 30 days.
  • Export your entries, transcripts, recordings, and AI-generated content.
  • Delete your account and your data. You can do this directly in the app under More → Data → Delete Account.
  • Correct any inaccurate information. Most fields are editable in the app; for anything else, email us.
  • Opt out of AI-generated reflections by turning off scheduled reflections in the app.
  • Purge logs if account deletion isn’t enough for you. Email us; we’ll handle it within 30 days.

For all of the above, contact us at matthewericesposito@gmail.com.

Sensitive Personal Information & your choices

California’s privacy law (the CCPA, as amended by the CPRA) defines a category called Sensitive Personal Information — “SPI” for short. We want to be plain about how it applies here.

What we treat as Sensitive PI

The following data we collect about you is Sensitive PI under the CPRA:

  • Your journal entries, transcripts, audio recordings, AI reflections, chat messages, mood ratings and tags, and the memory snippets the AI extracts from them. Read together, these contain inferences about your mental and emotional state, which the CPRA categorizes as Sensitive PI.
  • Your synthesized profile — the up-to-28-field portrait the AI builds of you. This contains the same kind of inferences and is treated the same way.
  • Account credentials in the narrow sense that Apple’s and Google’s sign-in tokens pass through our auth layer. We never see your password.

What we do and don’t do with it

We use Sensitive PI only for the purposes spelled out in “How we use your information”: running the journaling features, generating reflections and reports, maintaining the memory bank, managing your account, fixing bugs, and sending the messages you opted into.

Under the CPRA’s narrow definition of “sell” and “share” (which includes selling for monetary or other valuable consideration, and sharing for cross-context behavioral advertising): we do not sell your Sensitive PI, we do not share it for cross-context behavioral advertising, and we do not use it for any purpose other than providing and improving Belong itself. No advertising partner, data broker, or analytics network receives any of it.

Your right to limit

California residents have the right to limit the use and disclosure of Sensitive PI to what is necessary to provide the service you asked for. Because that is already the only way we use it, there is nothing additional to opt out of for advertising or profiling outside the service. You retain the full set of CPRA rights below regardless. To exercise this right or any related request, see Your Privacy Choices.

Global Privacy Control

We honor the Global Privacy Control (GPC) signal on belongjournal.ai. If your browser sends a GPC signal, we treat it as a valid request to opt out of any sale or sharing of personal information for cross-context behavioral advertising — even though, as stated above, we don’t do that to begin with. The signal is recorded so we can prove compliance.

Your CCPA / CPRA rights

You have the right to:

  • Know what personal information and Sensitive PI we collect, why, and who we share it with.
  • Access a portable copy of your data.
  • Delete your data, with the narrow log-retention exceptions disclosed in “How long we keep things.”
  • Correct inaccurate personal information.
  • Limit the use of Sensitive PI to providing the service.
  • Opt out of sale and sharing for cross-context behavioral advertising.
  • Non-discrimination — we will not deny service or charge a different price for exercising any of these rights.

To exercise any California right, email matthewericesposito@gmail.com with “California privacy request” in the subject line. We respond within 45 days, with a possible 45-day extension if the request is complex (we’ll tell you in writing if we need it).

For European residents (GDPR / UK GDPR)

If you’re in the EEA, the UK, or Switzerland, you have rights to access, portability, rectification, erasure, restriction of processing, and the right to object. You can also lodge a complaint with your local supervisory authority.

Our lawful bases for processing your data:

  • Consent for processing your journal entries, recordings, and the AI features that act on them.
  • Performance of a contract for managing your subscription and account.
  • Legitimate interest for security logs, error tracking, and the operational measurements that keep the service working.

To exercise any GDPR right, email us at the address above.

Consumer health data — Washington residents

Washington’s My Health My Data Act (MHMDA) gives Washington residents specific rights over “consumer health data.” Because Belong collects data that reflects your mental and emotional state, MHMDA applies to us, and we want to be straightforward about it.

What counts as “consumer health data” here

In our context, consumer health data means any data we hold that identifies your past, present, or future physical or mental health status. For Belong that includes:

  • The contents of your journal entries, audio recordings, transcripts, and chat messages.
  • Your mood ratings, mood tags, entry types (prayer, gratitude, challenge, check-in, etc.), and the AI reflections, reports, and memory snippets derived from them.
  • The mental and emotional fields in your synthesized profile.

We do not collect biometric, fertility, gender-affirming care, reproductive, or precise-location health data. We do not infer or attempt to infer specific diagnoses.

How we use and share it

We process consumer health data only to provide Belong — the same purposes listed in “How we use your information” above. We do not sell it as MHMDA defines “sell.” We do not disclose it to anyone outside the sub-processors listed on our sub-processors page, each of which is contractually bound to use it only to deliver the service to you. No advertiser, broker, or analytics platform receives it.

Consent

Washington residents are asked for explicit, opt-in consent at account creation inside the iOS app, before any consumer health data is collected or processed. The consent is logged with a timestamp on your account and can be withdrawn at any time. Withdrawing consent stops further processing and triggers an account-deletion flow on request.

Your MHMDA rights

If you are a Washington resident you have the right to:

  • Confirm whether we are processing your consumer health data, and access a copy of it.
  • Withdraw consent for our continued collection and processing.
  • Delete your consumer health data; on receipt of a verified request we will hard-delete it from our production systems within 30 days and from encrypted backups as those backups roll off.
  • Receive a list of the third parties with which we have shared your consumer health data — that is the sub-processors page, kept up to date.
  • Appeal a denial of any of the above by replying to our response email; we will provide a written decision within 45 days.

We do not use geofences around any healthcare facility, mental-health provider, addiction-recovery resource, or similar location to identify, track, or send notifications to consumers, and we never will.

Contact for Washington requests

Email matthewericesposito@gmail.com with “Washington MHMDA request” in the subject line. You may also file a complaint with the Washington State Attorney General if you believe your rights have been violated.

Children’s privacy

Belong Journal is intended for people 13 and older. We do not knowingly collect information from children under 13. If you believe a child has signed up, contact us and we’ll delete the account promptly.

Changes to this policy

We’ll update this policy when something material changes — a new third-party service, a change in retention, a meaningful change in how AI is used. When that happens, we’ll update the effective date at the top, and notify you in-app or by email if the change affects you. Continued use after a change means you accept the updated policy. For sub-processor changes specifically, see our 30-day-notice commitment on the sub-processors page.

Contact

Questions, concerns, requests? Reach us at matthewericesposito@gmail.com. We answer every email.
