Legal
Last updated: March 28, 2026 · Effective: March 28, 2026
Be Candid (“we,” “us,” or “our”) operates the Be Candid mobile application and website at becandid.io (collectively, the “Service”). We are committed to protecting the privacy and security of your personal information. This Privacy Policy describes what information we collect, how we use it, who can access it, and the choices you have.
Be Candid handles sensitive personal data related to behavioral health and intimate relationships. We treat this responsibility with the seriousness it deserves. Your journal entries are encrypted before they reach our database. Your partner never sees your browsing history. Your therapist only sees what you explicitly consent to share.
When you create an account, we collect your email address, display name, and password (hashed, never stored in plain text). You may optionally provide a phone number for SMS notifications and a timezone for scheduling.
Be Candid monitors your device screen activity to detect content that matches the accountability categories you selected during onboarding (e.g., “Pornography,” “Social Media,” “Gambling”). We record the category and severity level of detected activity, along with a timestamp and the platform (iOS, Android, or web).
We do NOT collect: URLs visited, screenshots, screen recordings, browsing history, app usage logs, or the specific content you viewed. Our on-device detection identifies the category of content without transmitting the content itself to our servers.
You may write journal entries using our Candid Journal feature. Journal content — including freewrite text, guided prompt responses (tributaries, longings, roadmap), mood ratings, and tags — is encrypted using AES-256-GCM encryption with per-user derived keys before it is stored in our database. This means even our database administrators cannot read your journal entries without your encryption key.
We store check-in responses (mood ratings, self-assessments), conversation outcome ratings (1-5 scale, feeling words), and AI-generated conversation guides. Conversation guides and outcome notes are encrypted before storage.
When you invite an accountability partner, we store their name, email address, phone number (optional), and relationship type (friend, spouse, mentor, coach, therapist, pastor). We track relationship-level XP and engagement metrics to power the relationship level system.
If your accountability partner is your spouse, additional data is collected with their explicit consent: spouse journal entries (encrypted, separate from the monitored user’s journal), impact check-in responses (feelings, trust meter, safety assessment), and Committed Contender milestone progress. See Section 4 for the spouse consent model.
If you connect a therapist, we serve them a read-only view of your data based on five independent consent toggles you control (journal, moods, streaks, outcomes, patterns). See Section 4.3.
We collect device identifiers for push notification delivery, session information for security (device fingerprint, IP address, login timestamps), and basic usage analytics. We use this data for security (detecting unauthorized access), improving the Service, and delivering notifications.
Payment processing is handled entirely by Stripe, Inc. We store your Stripe customer ID, subscription plan, and subscription status. We do not store credit card numbers, bank account details, or other payment credentials. See Stripe’s privacy policy at stripe.com/privacy.
We use your information to:
Journal entries, conversation guides, conversation outcome notes, spouse journal entries, and weekly reflections are encrypted using AES-256-GCM with per-user keys derived via HKDF from a master encryption key. This encryption occurs in our application layer beforedata reaches the database. Even if the database were compromised, encrypted fields would be unreadable without the application-layer keys.
Our database (hosted by Supabase on AWS) encrypts all data at rest using AES-256 and all data in transit using TLS 1.2+. Row Level Security (RLS) policies enforce that each user can only access their own data at the database level. Authentication is handled by Supabase Auth with bcrypt password hashing.
Push notifications displayed on your lock screen are sanitized to remove sensitive details. Partner alert notifications say “Your partner could use your support” — not the category name or any identifying information. This prevents accidental disclosure if someone else sees your lock screen.
We track active sessions and limit concurrent sessions to five per account. New device logins trigger a push notification to your existing devices. You can view and revoke sessions from Settings, and “Log out everywhere” is available for emergencies.
Your accountability partner can see:
Your accountability partner cannot see:
If your partner is your spouse, they have their own private journal that you cannot access unless they explicitly share a specific entry using a per-entry toggle. Spouse impact check-ins (feelings, trust meter) are only visible to you if the spouse enables the “Share with partner” toggle on each individual check-in. The default is private.
If you connect a therapist, you control their access through five independent consent toggles: journal entries, mood timeline, focus streaks, conversation outcomes, and pattern analysis. Each toggle can be changed or revoked at any time from Settings. The therapist portal is read-only — therapists cannot modify, delete, or add to your data. When you revoke access, the therapist loses access immediately.
Our crisis language detection scans your journal freewrite text for distress indicators (e.g., expressions of self-harm or suicidal ideation). This detection runs entirely on your device (client-side). If detected, a resource banner is displayed privately to you with contact information for crisis helplines. This detection is never sent to our servers, never shared with your partner or therapist, neverstored, and never blocks you from saving your journal entry.
We use the following third-party services to operate Be Candid:
We do not sell, rent, or trade your personal information to third parties for marketing or advertising purposes. We do not display ads in Be Candid.
You control your data retention period through Settings (configurable from 30 to 365 days). Events, journal entries, alerts, and conversation data older than your retention period are automatically purged. You can also manually purge specific data types at any time from Settings.
Account data (email, name, preferences) is retained as long as your account exists. When you delete your account, all associated data is permanently deleted within 30 days.
Be Candid is designed for users aged 18 and older. We do not knowingly collect personal information from anyone under 18 years of age. Users must confirm they are at least 18 years old during account creation. If we learn that we have collected personal information from a person under 18, we will delete that information and terminate the associated account.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@becandid.io.
We may disclose your information if required by law, subpoena, court order, or other legal process. We may also disclose information if we believe in good faith that disclosure is necessary to protect the safety of any person or to prevent illegal activity. We will notify you of such requests unless we are legally prohibited from doing so.
Important: Because journal entries and conversation data are encrypted at the application layer, a database-level subpoena would return encrypted data that cannot be read without our application-layer decryption process. We will respond to valid legal process but cannot decrypt data that has been purged per your retention settings.
Be Candid is operated from the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and/or by posting a notice in the app at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.
If you have questions or concerns about this Privacy Policy or your data, contact us at: