Most apps that say "AI-powered" have a quiet asterisk attached. The asterisk usually reads something like: we send your content to OpenAI, but we call it "anonymized" or "encrypted in transit." A few are honest about it. Most are not.
I want to be direct about what MoodHaven does, because vagueness on this specific question is how trust erodes.
What the AI sees
When you enable an AI feature in MoodHaven, the model receives a small block of aggregate metadata — numbers and category labels your device computes from your mood ratings, timestamps, and writing patterns. The exact fields depend on which feature you used. A request for writing prompts reads roughly like this:
Average mood: 3.2/5 (improving trend) · recent 3.4/5 · volatility low
Dominant emotions recently: grateful, anxious, reflective
Journaling frequency: daily · current streak: 6 days
Best day for journaling: Sunday
Gratitude mentions: 40% of entries · goal mentions: 15% of entries
A weekly reflection or a wellness insight sends a slightly different slice — entry counts over a period, the spread of your 1-to-5 mood ratings, sentiment percentages, time-of-day patterns. But it is the same kind of data every time: counts, averages, frequencies, streaks, and emotion labels. Never a sentence you wrote.
Those values get dropped into the request right next to an instruction that tells the model, in so many words, to base its response on your patterns, not your actual journal content. There is no entryContent field, no recentEntries, no excerpt of your writing. The request has nowhere to put your words.
The emotion labels deserve a note, because that is the one place text is involved. Categories like "grateful" or "anxious" are worked out on your device by scanning your entries locally — but only the resulting labels travel with the request. The sentences they came from never leave.
What the AI never sees
The content of any journal entry you have written. Not a sentence, not a phrase, not a word. This is not a soft commitment that might change in a future version. The code that assembles the AI request object has no access to decrypted entry content. Entry content is AES-256-GCM ciphertext at rest, and the only place it is decrypted is in the editor on your device.
AI is off by default, and it stays off until you act
When you first install MoodHaven, AI features are disabled. You have to go into Settings, find the AI section, read what it does, and explicitly turn it on. There is no nudge flow, no onboarding step that quietly suggests enabling it, no banner that appears after a week. It is off. You turn it on if you want it.
When you do enable it, you also have to provide an API key. MoodHaven does not have its own AI backend. The request goes through your account.
BYOK: your key, your account
If you use your own OpenAI API key, the metadata object described above is sent to OpenAI under your credentials, not ours. That means it appears in your OpenAI usage dashboard. It counts against your billing. And it is subject to OpenAI's data handling policies for API calls, which are different from their consumer product policies.
This is worth understanding clearly. When you use BYOK, MoodHaven is a client library that calls OpenAI on your behalf. We are not a middleman holding your key on a server somewhere. The key lives in encrypted storage on your device and is passed directly in the request.
Ollama: zero data leaves your machine
If you run a local Ollama instance, none of this goes anywhere. The request goes from MoodHaven to a process running on your own computer. No network traffic exits your machine. This is the most private AI configuration and the one I use personally.
Setup requires installing Ollama and pulling a model, which takes some technical comfort but is not difficult. The MoodHaven settings panel has a field for the Ollama endpoint, and once it is pointed at your local instance, AI features work identically.
You can read the code
I am not asking you to take my word for any of this. The metadata is computed in useInsights.ts, and the exact text sent to the model is built by the buildPromptGenerationPrompt, buildInsightsPrompt, and buildWeeklyReflectionPrompt functions in aiService.ts — you can read every field that goes into the request. None of them reads or attaches decrypted entry content to an outbound request.
If you find one, open an issue. That would be a bug, and I would treat it as a serious one.
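An added example, not MoodHaven's own code: a TypeScript version of the split described above, where a local step turns entries into aggregates and the prompt builder accepts only those aggregates, plus an egress check that flags any three-word run of entry text in an outbound prompt. All names (computeAggregates, buildPrompt, findLeaks, the keyword lists) and the sample entries are assumptions made for illustration.

```typescript
// Added example with hypothetical names; not MoodHaven's actual code.
type Entry = { mood: number; text: string }; // text stays on the device
type Aggregates = { avgMood: number; entryCount: number; emotions: string[] };
// Fixed label set (assumed): only these strings can appear in a request.
const EMOTIONS = [
  { label: "grateful", keywords: ["grateful", "thankful"] },
  { label: "anxious", keywords: ["anxious", "worried", "nervous"] },
  { label: "reflective", keywords: ["realized", "wonder", "thinking"] },
];
// Local step: reads entry text, returns only numbers and allowlisted labels.
function computeAggregates(entries: Entry[]): Aggregates {
  const emotions = EMOTIONS.filter((e) =>
    entries.some((en) => e.keywords.some((k) => en.text.toLowerCase().indexOf(k) !== -1))
  ).map((e) => e.label);
  const sum = entries.reduce((s, en) => s + en.mood, 0);
  const avgMood = entries.length ? Math.round((sum / entries.length) * 10) / 10 : 0;
  return { avgMood, entryCount: entries.length, emotions };
}

// Outbound step: takes aggregates only, so entry text is out of reach here.
function buildPrompt(a: Aggregates): string {
  return [
    `Average mood: ${a.avgMood}/5 over ${a.entryCount} entries`,
    `Dominant emotions recently: ${a.emotions.join(", ")}`,
    "Base your response on these patterns, not on journal content.",
  ].join("\n");
}

// Lowercase, strip punctuation, split into words.
const words = (s: string): string[] => s.toLowerCase().replace(/[^a-z0-9\s]/g, " ").split(/\s+/).filter(Boolean);
// Egress check: every run of n consecutive entry words present in the outbound text.
function findLeaks(outbound: string, entries: Entry[], n = 3): string[] {
  const haystack = " " + words(outbound).join(" ") + " ";
  const leaks: string[] = [];
  for (const en of entries) {
    const w = words(en.text);
    for (let i = 0; i + n <= w.length; i++) {
      const gram = w.slice(i, i + n).join(" ");
      if (haystack.indexOf(" " + gram + " ") !== -1 && leaks.indexOf(gram) === -1) leaks.push(gram);
    }
  }
  return leaks;
}
// Constructed sample entries, not real journal data.
const SAMPLE: Entry[] = [
  { mood: 4, text: "I felt grateful that my sister called after the interview." },
  { mood: 2, text: "Still anxious about the rent and the landlord's email." },
  { mood: 4, text: "Walking home I realized how much quieter this week has been." },
];
```

Run against the real prompt builders with a fixture of known entries, a check like findLeaks turns the "no entry content in requests" claim into a regression test that fails as soon as a sentence reaches the outbound text.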
MoodHaven is free and open source. Read the source on GitHub or download the desktop app.
