Privacy & architecture
BYOK — bring your own AI key
By William Simpson · May 18, 2026 · 8 min read
Most journaling apps with AI features have the same shape under the hood. You write something. The app sends your writing to a server. The server sends it to OpenAI or Anthropic or Google. The response comes back. Along the way, a copy of your most private writing has sat on at least two machines that aren’t yours, and you have to trust two companies’ retention policies, not one.
Candovo doesn’t do this. We use a model called bring-your-own-key, or BYOK. The short version is that the AI features in the app talk directly to Google’s Gemini API from your phone, using a key you generate yourself. Our servers are not in the loop. We never see your transcripts, your reflections, or what you asked the AI to help you think through.
This article explains why that matters, how it works, and what you actually have to do to set it up. The setup takes about two minutes. The architecture is the more interesting part.
What BYOK means in plain language
Normally, an app’s AI features work like this. You pay the app a monthly subscription. The app pays OpenAI or Google for AI usage. To make that payment work, your prompts pass through the app’s servers, because that’s where the API key lives.
BYOK flips that around. You generate the API key. You paste it into the app once. From then on, when the app needs to call the AI, it makes that call directly from your phone using your key. The app’s servers don’t sit in the middle, because they don’t have to. You’re paying Google directly for AI usage. We’re not subsidizing it, and we’re not collecting your prompts to do so.
That’s it. That’s the whole idea.
The architectural picture
When you ask Candovo to summarize your week or surface patterns across recent entries, here’s what happens.
Your phone reads the relevant transcripts from local storage. It assembles a prompt. It sends the prompt directly to generativelanguage.googleapis.com using your API key. Google’s servers run the model. The response comes back to your phone. The phone shows it to you.
At no point does that prompt or that response touch a Candovo server. We don’t have an “AI proxy.” We don’t log AI requests. We don’t have a debug endpoint where the last 100 prompts sit waiting for a developer to look at them, because the request never goes through us.
Compare that to the alternative. If we hosted the AI ourselves, we’d need to collect your transcripts so we could send them to Google on your behalf. We’d need to store them, at least transiently, in our queue or our logs. We’d need a privacy policy that says “we may access your transcripts to provide AI features,” because we’d have to. We’d need a way to handle the situation where a customer support ticket asks why a summary came back wrong, which would require some employee to look at the prompt that produced it. That employee would be looking at your private reflections.
We don’t have to thread any of those needles, because we don’t have your transcripts in the first place.
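Here is the data path described above sketched as an added Python example; Candovo’s app is not written in Python and this is not its code. The request is assembled from entries held locally and addressed to generativelanguage.googleapis.com with the key in a request header rather than the query string, so the key cannot end up in a URL that access logs or crash reports record, and anything key-shaped is masked before an error string could reach telemetry. The model name and the key-format pattern are assumptions; the transport is injectable so the snippet runs offline against a canned, constructed response.

```python
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

GEMINI_HOST = "generativelanguage.googleapis.com"
MODEL = "gemini-example-model"  # assumption: real model ids change over time
# Shape check only, assumed from the "AIza" prefix the article mentions.
KEY_PATTERN = re.compile(r"^AIza[0-9A-Za-z_-]{20,}$")


@dataclass
class HttpRequest:
    url: str
    headers: Dict[str, str]
    body: bytes


def validate_key(key: str) -> str:
    """Reject obviously malformed keys when the user pastes one into Settings."""
    key = key.strip()
    if not KEY_PATTERN.match(key):
        raise ValueError("That does not look like a Gemini API key")
    return key


def assemble_prompt(entries: List[str]) -> str:
    """Build the prompt from transcripts read off the phone's local storage."""
    joined = "\n\n".join(f"Entry {i + 1}:\n{text}" for i, text in enumerate(entries))
    return "Summarize the recurring themes across these journal entries.\n\n" + joined


def build_request(key: str, prompt: str) -> HttpRequest:
    """Address the request straight to Google, with the key in a header.

    Keeping the key out of the query string means URL-recording access logs
    and crash reports cannot capture it.
    """
    key = validate_key(key)
    body = {"contents": [{"parts": [{"text": prompt}]}]}
    return HttpRequest(
        url=f"https://{GEMINI_HOST}/v1beta/models/{MODEL}:generateContent",
        headers={"x-goog-api-key": key, "Content-Type": "application/json"},
        body=json.dumps(body).encode("utf-8"),
    )


def redact_key(text: str) -> str:
    """Mask anything key-shaped before an error string reaches telemetry."""
    return re.sub(r"AIza[0-9A-Za-z_-]{20,}", "AIza[redacted]", text)


def summarize(entries: List[str], key: str,
              transport: Callable[[HttpRequest], dict]) -> str:
    """The whole round trip: local entries -> prompt -> Google -> phone."""
    request = build_request(key, assemble_prompt(entries))
    if GEMINI_HOST not in request.url:
        raise RuntimeError("AI request must go directly to the provider")
    response = transport(request)
    return response["candidates"][0]["content"]["parts"][0]["text"]


def fake_transport(request: HttpRequest) -> dict:
    """Stand-in for the network so the example runs offline (constructed reply)."""
    return {"candidates": [{"content": {"parts": [
        {"text": "You wrote mostly about work and sleep this week."}]}}]}


if __name__ == "__main__":
    demo_key = "AIza" + "x" * 35  # constructed placeholder, not a real key
    print(summarize(["Long day at the office.", "Slept badly again."],
                    demo_key, fake_transport))
```

The point the check in `summarize` makes is structural: there is no app-side host to route through, so a request that is not addressed to the provider is a bug, not a configuration option.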
Setting up a Gemini API key
Here’s the step-by-step. The whole thing is free, and it takes a couple of minutes.
- Open aistudio.google.com in a browser. (Either your phone’s browser or your laptop’s works fine. The page looks slightly better on a laptop.)
- Sign in with a Google account. If you have a Gmail address, that works. You don’t need a separate developer account.
- Click “Get API key” in the left sidebar.
- Click “Create API key.” Google will ask if you want to create a new project or use an existing one. If you don’t have a Google Cloud project, just let it make one for you. The name doesn’t matter.
- Copy the key. It’s a long string starting with AIza. Treat it like a password.
- Open Candovo. Go to Settings, tap AI Provider, tap API Key. Paste the key in.
- That’s it. AI features unlock immediately.
If something goes wrong at step 3 or 4, the most common cause is that you signed in with a Google Workspace account whose admin has restricted Google AI Studio. In that case, sign in with a personal Gmail account instead. Workspace policies are a separate world we can’t fix from our side.
What our server sees and doesn’t see
Worth being explicit about this, because “we don’t see your data” is a claim that means a lot of different things in practice.
What Candovo’s servers do see:
- Your account email (so we know who’s logged in)
- Your subscription status (so we know what tier you’re on)
- Basic crash and error telemetry, with no transcript content attached
- Sync metadata if you opt into iCloud sync (timestamps and entry IDs, but not contents; the contents are end-to-end encrypted)
What Candovo’s servers do not see:
- Audio recordings (they never leave your phone, because Apple’s on-device speech recognition transcribes locally)
- Transcripts of your entries
- The prompts you send to the AI
- The responses the AI gives back
- Whether you’ve marked an entry as discussed
- Search queries you run inside the app
The home page has a comparison table that walks through this against hosted-AI competitors. The short version is that the gap between “we have your data and promise not to look at it” and “we don’t have your data” is the entire reason we built Candovo this way.
What it costs you
For typical use, it costs nothing.
Google offers a free tier on the Gemini API that covers more requests than a journaling app needs; both the rate limits and the daily quota are generous. We’ve stress-tested a heavy power user pattern, which is something like 15 entries a day with weekly summaries, monthly retrospectives, and an AI chat conversation every couple of days. That pattern doesn’t come close to the free tier ceiling. Most people will use a fraction of that.
If you do exceed the free tier, Google bills you directly. Not us. You can set a hard spending cap in your Google Cloud billing settings, and we recommend you do, even though you almost certainly won’t hit it. A $5 monthly cap is far above what a normal user would ever spend.
This is also why the Candovo subscription is $12.99 a month or $79.99 a year, not the $20+ that hosted-AI journaling apps charge. We’re not paying for your AI. We don’t need to bake those costs into our subscription. The cost saving moves to you.
Failure modes, honestly
A few things can go wrong with BYOK. None of them are catastrophic, but you should know about them.
The most common one is losing your key. If you delete it in Google AI Studio, or your account gets suspended, the AI features stop working until you generate a new key. Your entries are unaffected because the transcripts live on your phone. Paste a new key into Settings and you’re back.
Rate limits happen rarely. Google occasionally tightens the free tier without notice. If you hit one, the app tells you and backs off for a few minutes. Try again later.
The bigger structural risk is API deprecation. Google could change or deprecate the Gemini API tomorrow. Probably won’t, but it could. If it happens, we’d ship an update that supports a different provider. Swapping providers is straightforward, because the app talks to the API directly. There’s no middleware on our side to rewrite.
And then there’s just the internet. If you’re offline, AI features won’t work, but the journal still does. Voice in, transcript out, all on-device. Summaries wait until you’re back online.
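As an added illustration, not Candovo’s code: a small Python state machine that maps the failure modes just listed to the three responses the article describes (ask for a new key, back off, or hold the summary until the phone is online again). Which HTTP status codes mean the key itself was rejected, and the 30-second base delay with a five-minute cap, are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

BASE_DELAY_S = 30          # assumption: first wait after a rate-limit response
MAX_DELAY_S = 300          # assumption: never wait longer than five minutes
KEY_REJECTED = (401, 403)  # assumption: codes treated as "the key itself is bad"


@dataclass
class Outcome:
    action: str              # "ok", "new_key", "backoff", "queue" or "error"
    retry_after_s: int = 0   # only meaningful for "backoff"
    message: str = ""        # what the app would show the user


def backoff_delay(attempt: int) -> int:
    """Exponential backoff, capped: 30, 60, 120, 240, 300, 300, ..."""
    return min(BASE_DELAY_S * (2 ** attempt), MAX_DELAY_S)


def classify(status: Optional[int], attempt: int, online: bool) -> Outcome:
    """Map a provider response (or the absence of a network) to a user-facing action."""
    if not online:
        return Outcome("queue", message="Offline; the summary will run when you reconnect.")
    if status == 200:
        return Outcome("ok")
    if status in KEY_REJECTED:
        return Outcome("new_key",
                       message="Google rejected your API key. Paste a new one in Settings.")
    if status == 429:
        delay = backoff_delay(attempt)
        return Outcome("backoff", delay, f"Rate limited; retrying in {delay} seconds.")
    return Outcome("error", message=f"Unexpected response from provider: {status}")


class AiRequestState:
    """Tracks consecutive rate-limit hits and holds jobs requested while offline.

    Entries themselves are never touched: they live on the phone whatever
    happens to the key or the network.
    """

    def __init__(self) -> None:
        self.attempt = 0
        self.pending: List[str] = []

    def handle(self, job: str, status: Optional[int], online: bool) -> Outcome:
        outcome = classify(status, self.attempt, online)
        if outcome.action == "queue":
            self.pending.append(job)
        elif outcome.action == "backoff":
            self.attempt += 1
        elif outcome.action == "ok":
            self.attempt = 0
        return outcome

    def drain(self) -> List[str]:
        """Jobs to run once connectivity is back."""
        jobs, self.pending = self.pending, []
        return jobs


if __name__ == "__main__":
    state = AiRequestState()
    # Constructed sequence: offline, two rate limits, success, then a revoked key.
    for status, online in [(None, False), (429, True), (429, True), (200, True), (403, True)]:
        result = state.handle("weekly-summary", status, online)
        print(result.action, result.retry_after_s, result.message)
    print("queued while offline:", state.drain())
```

Keeping the rate-limit counter separate from the offline queue matters: a 429 is a provider decision and should slow retries down, whereas an offline job is simply waiting for connectivity and should run as soon as it returns.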
Brief FAQ
Why Gemini and not OpenAI? Two reasons. The free tier is real, so the cost story works for normal users. And the quality at the tasks we care about, like writing summaries and pulling patterns out of weeks of entries, holds up against GPT-4 class models. We’re not married to Gemini. If a better free option appears, we’ll add it.
Does BYOK make Candovo cheaper for me? Yes. The subscription is $12.99 a month or $79.99 a year, versus $20+ for journaling apps that host their own AI. You’re saving the difference because you’re paying Google nothing (free tier) and us less.
Can I use a different model? Not yet. Gemini is the only supported provider at launch. The architecture supports adding more providers, and we’ll do that when it makes sense. If you have a specific provider you want, email me.
What if I don’t want to use AI at all? Then don’t. The core journaling experience works without an API key. Voice capture, on-device transcription, search, browsing entries, marking entries as discussed. All of it works without ever touching the AI features. The key is optional.
Is this just a way to avoid paying for AI? Partly, yes. It’s also a way to make the privacy story honest. Both things are true and they reinforce each other. We don’t want to pay for your AI usage, and we also don’t want your transcripts on our servers. BYOK solves both at the same time.
The whole design exists because we wanted to build a journaling app we’d actually trust with the stuff we wouldn’t put on someone else’s server. That meant not building the version where the company can read what you wrote. BYOK is what that looks like in the architecture diagram.