Legal

Privacy Policy

Last updated: May 7, 2026

The short version: Benji is a paid Android app that runs locally. Your routines, journal entries, sparks balance, and the apps you’ve chosen to block all live in a database on your phone. There’s no account, no email, no password. The only thing that leaves your device is anonymous, aggregate usage counts — with no persistent device identifier and no personal data attached. See Section 1 for the honest details.

1. What we collect (and what we don’t)

Benji uses PostHog to count how features are being used and catch bugs. The setup is deliberately minimal:

  • No persistent device identifier.Each app launch generates a fresh, throwaway session ID. Nothing carries over between sessions, so we can’t recognize a returning device or build any kind of user profile.
  • No identification.We never call PostHog’sidentify()or set person properties. There is no person record in PostHog tied to you.
  • No IP-based location. GeoIP enrichment is disabled. Your IP address is not stored alongside events.

The events Benji sends to PostHog are limited to:

  • Feature flags — that something happened: completing onboarding, an alarm firing, the blocker intercepting an app, spending sparks to unlock a blocked app for a few extra minutes, a routine step being checked off, the journal being completed.
  • Counts — number of apps in your block list, number of routine steps, total sparks earned or spent in a session, number of journal tags selected.
  • Bucketed values— your bedtime and wake-up time grouped into broad ranges (e.g. “before 22:00 / 22:00–24:00 / after 00:00”), routine duration as short / medium / long, sleep-baseline self-rating as poor / okay / good.
  • Predefined enums— your sleep goal from the fixed onboarding list, predefined library task IDs (any custom task you create is reported only as “custom”), permission-grant booleans.

We use this data to find bugs, see which features are useful, and decide what to build next. We do not sell it, share it with advertisers, or use it for cross-app tracking. PostHog’s privacy policy is at posthog.com/privacy.

We do not send to PostHog: your name, email address, phone number, contacts, photos, location, biometrics, advertising identifiers, browsing history, device fingerprint, IP address, the precise time you set as your bedtime or wake-up, the package names of any apps you’ve added to your block list, the names of any apps the blocker intercepts, the names of any custom routine steps, the text content of your journal entries, the specific mood or dream tags you select, or your sleep-baseline numeric rating. Benji has no crash-reporting service installed.

2. What stays on your device

  • The name you give Benji during onboarding (used for the bear’s greetings).
  • The free-text body of your journal entries — only your selected mood/dream tags ever leave the device, never the words you wrote.
  • Your bedtime and wake-up time.
  • Your routines and custom routine steps.
  • Which apps you’ve chosen to block.
  • Your sparks balance, transaction history, and streak count.
  • Android usage-stats data the blocker reads to detect when a blocked app opens. The detection happens entirely on-device. We send PostHog a singleblocked_app_detectedevent when an interception occurs, with no app name or package name attached.

This data lives in a local SQLite database (benji.db) and Android SharedPreferences. It is removed when you uninstall the app.

3. Permissions Benji asks for (Android)

  • Notifications (POST_NOTIFICATIONS) — to ring your alarms and show the foreground-service indicator while the blocker is running.
  • Schedule exact alarm (SCHEDULE_EXACT_ALARM, USE_EXACT_ALARM) — so alarms fire at the time you set, not when the OS feels like it.
  • Full-screen intent — so the alarm screen can take over the display when an alarm rings.
  • Wake lock + boot completed — to keep alarms playing if the device sleeps and reschedule them after a phone restart.
  • Usage access (PACKAGE_USAGE_STATS, granted in Settings) — to detect when a blocked app is opened. Benji never reads the contents of those apps; only that one of your blocked apps came to the foreground.
  • Display over other apps (SYSTEM_ALERT_WINDOW, granted in Settings) — to show the blocker overlay on top of a blocked app.
  • Foreground service — Android requires a visible notification while the blocker watcher is running.
  • Battery exemption (optional) — to keep alarms and the blocker reliable on aggressive OEM battery savers (Samsung, Xiaomi, OnePlus, Huawei).

When Benji ships on iOS, this section will be updated with the equivalent iOS authorizations (Notifications and Apple’s Family Controls / Screen Time framework).

4. Third parties

  • PostHog — analytics, as described in Section 1. PostHog processes the anonymous events on its US infrastructure. Because the events carry no persistent identifier and no personal properties, there is no user-level data associated with them.
  • Google Play (and, when Benji ships on iOS, the Apple App Store) — handles your subscription purchase, billing, and refund flow per their own policies. Benji does not see your card or billing details.

We do not use ad networks, fingerprinting SDKs, attribution services, push-marketing platforms, or remote crash-reporting services.

5. Children’s privacy

Benji is intended for users 13 and older. We do not knowingly collect data from children under 13. If you’re a parent or guardian and your child under 13 has installed Benji, uninstall the app to remove every local trace; the analytics layer doesn’t keep a per-device record we can target for deletion (no persistent identifier). If you have a question or concern, email kbantadevelopment@gmail.com.

6. Your rights

Benji doesn’t collect names, emails, or accounts, and the analytics layer uses no persistent device identifier — each app launch produces a fresh, throwaway session ID and PostHog builds no profile of your device. There is therefore nothing on our side that maps to you as an individual to download, correct, or delete. To remove all Benji data from your device, uninstall the app — that clears the local SQLite database and Android SharedPreferences.

If you live in a jurisdiction with specific data-protection rights (GDPR, UK GDPR, CCPA/CPRA, Quebec Law 25, LGPD, etc.) and you still have a question or a request, email kbantadevelopment@gmail.com and we’ll honor any rights granted by your local law.

7. Changes to this policy

If this policy changes in a way that affects what we collect or how it’s processed, we’ll notify you in the app before the change takes effect. The “Last updated” date at the top of this page tracks the most recent revision.

8. Contact

Privacy questions, deletion requests, or anything that smells off: email kbantadevelopment@gmail.com.

~ ✦ ~