Trust & Safety

Security at Bronsik

How we protect your account, your conversations, and your data — honestly and without overpromising.

Last updated: March 15, 2026

Encrypted in Transit

TLS 1.2+ on all connections

Encrypted at Rest

AES-256 on all stored data

Zero Data Selling

Your data is never sold

Security Practices
1. Infrastructure Security

Bronsik's backend runs on Supabase — enterprise-grade cloud infrastructure that meets SOC 2 Type II and ISO 27001 compliance standards.

Transport security

All data between your browser (or the Android app) and our servers is encrypted using TLS 1.2 or higher. Connections using outdated protocols are refused.

Data at rest

All stored data — accounts, session records, usage data, and memory summaries — is encrypted at rest using AES-256.

Database access

No public database endpoints are exposed. Row-Level Security (RLS) is enforced at the database level, ensuring authenticated queries can only access data belonging to the authenticated user.

Environment isolation

Production, staging, and development environments are fully isolated with separate credentials, access controls, and databases.

HTTPS enforcement

HSTS (HTTP Strict Transport Security) headers are set to prevent protocol downgrade attacks. All HTTP traffic is redirected to HTTPS.

2. Authentication & Account Protection

Password hashing

Passwords are never stored in plain text. We use bcrypt hashing with per-user salts before storage.

JWT tokens

Sessions are managed via short-lived JSON Web Tokens (JWT), cryptographically signed and verified on every request. Access tokens expire after 1 hour; refresh tokens expire after 7 days of inactivity.

OAuth 2.0

Google Sign-In uses the OAuth 2.0 protocol. We never receive or store your Google password — only a verified email and display name.

Rate limiting

Authentication endpoints (login, signup, password reset) are rate-limited to prevent brute-force and credential stuffing attacks.

Session management

You can sign out at any time from the app, which invalidates your session tokens. Clearing app data on Android or clearing browser cookies also terminates all active sessions.

Account deletion

You can permanently delete your account from Settings → Account. This immediately revokes all sessions and schedules all your data for deletion within 30 days.

3. Conversation & Voice Security

Your conversations are private by design. Here is exactly how they are handled:

Text conversations

Messages are sent via encrypted HTTPS to our AI inference provider (Groq). Conversations are processed in real time and are not stored on our servers by default. If you enable the Memory feature (Max plan), only summarized conversation context is stored — never full transcripts — and it is accessible only by you.

Voice input

Microphone audio is either streamed over encrypted WebSocket or sent as an encrypted API call to our speech-to-text provider (OpenAI Whisper). Raw audio is not stored after transcription. Only the resulting text transcript is briefly used for the AI response, then discarded.

AI responses (TTS)

Text-to-speech audio is streamed directly to your device and is not stored on our servers.

No conversation logging

We do not log or store your conversations for AI training or any other purpose without your explicit consent.

4. Payment Security

All payment processing is handled by LemonSqueezy, a PCI DSS compliant payment processor. We never receive, transmit, or store your raw payment card number or banking details. LemonSqueezy tokenizes all payment information before it reaches our systems.

Our servers only receive a customer ID and subscription status — never raw financial data. Payment-related webhooks from LemonSqueezy are verified using cryptographic signature validation before processing.

5. Access Controls

Principle of least privilege

Team members have access only to the systems and data required for their specific role. No one has blanket access to all user data.

Row-Level Security (RLS)

Database policies at the infrastructure level enforce that an authenticated user's queries can only read or modify their own data — not other users' records.

API authentication

Every request to a protected API endpoint is authenticated via JWT verification. Unauthenticated requests are rejected with a 401 response.

Input validation and sanitization

All incoming API payloads are validated and sanitized to prevent injection attacks including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities.

Content Security Policy

CSP headers are set on web responses to mitigate XSS risks from injected scripts.

6. Abuse Prevention

We take platform safety seriously and have implemented multiple layers of abuse prevention:

Rate limiting

All API endpoints are rate-limited. General API: 500 requests per 15 minutes. Chat/AI endpoints: 30 requests per minute. Checkout: 10 requests per hour.

Usage caps

Voice usage is capped per session (maximum 4 hours per session) to prevent billing abuse and runaway usage by automated clients.

Webhook idempotency

Payment webhooks from LemonSqueezy are processed with idempotency checks — each event is only processed once, preventing duplicate subscription activations.

Acceptable use enforcement

We monitor for patterns indicating violation of our Acceptable Use Policy (Terms of Service, Section 7). Accounts found to be abusive may be suspended without prior notice.

7. Suspicious Activity Monitoring

We maintain basic monitoring to detect and respond to unusual patterns that may indicate security threats or abuse:

Authentication anomalies

Multiple failed login attempts from the same IP trigger temporary rate limiting and may result in a temporary lockout.

Unusual usage patterns

Abnormally high API usage rates that exceed normal human interaction patterns are flagged for review. This helps identify compromised accounts or automated abuse.

Webhook validation

All payment processor webhooks are cryptographically verified before being acted upon, protecting against forged payment events.

Error monitoring

Application-level errors are logged (without storing user content) to allow us to detect and fix security issues quickly.

If we detect suspicious activity on your account, we may contact you at the email address on file to verify your identity before taking any action.

8. Third-Party Security

We carefully evaluate the security practices of every provider we integrate with.

Supabase (Database & Auth): SOC 2 Type II, ISO 27001 certified. Enterprise cloud hosting with full encryption and RLS.

Groq (AI Inference): Enterprise-grade API security. Data processed in isolated environments with zero retention commitments.

OpenAI (Voice Processing): SOC 2 Type II certified. Audio data is not retained after the API request completes.

LemonSqueezy (Payments): PCI DSS compliant. No raw card data reaches our servers.

We only share data with third parties to the minimum extent necessary to provide the Service. We do not sell user data to any third party.

9. Vulnerability Disclosure

We take security vulnerabilities seriously and appreciate responsible disclosure from the security community. If you discover a security issue with Bronsik, please report it privately before any public disclosure.

Security Email

security@bronsik.com

Acknowledgement

We will confirm receipt within 24 hours

Status update

We will provide an update within 72 hours

In scope

Authentication bypass, data access between users, injection vulnerabilities, insecure direct object references, payment logic flaws

Out of scope

Social engineering, denial-of-service attacks, attacks on third-party infrastructure, theoretical vulnerabilities without proof of concept

We do not take legal action against researchers who disclose vulnerabilities in good faith and follow responsible disclosure principles. We cannot offer bug bounties at this time, but we will publicly acknowledge contributions where the researcher consents.

10. Incident Response

In the event of a security incident affecting user data:

Notification window

We will notify affected users within 72 hours of discovery, in compliance with GDPR Article 33 and applicable breach notification laws.

Contact channel

Notifications will be sent to the email address associated with your account.

What we communicate

We will explain clearly: what happened, what data was affected, what we have done in response, and what actions (if any) you should take.

Transparency commitment

We will not delay notifications to protect our reputation — transparency in incidents is a commitment we make to our users.

11. Ongoing Security Practices

Application dependencies are regularly reviewed and updated to patch known vulnerabilities (CVEs)

Security patches are applied as soon as they are available and tested

HTTPS is enforced with HSTS headers to prevent protocol downgrade attacks

Content Security Policy (CSP) headers mitigate cross-site scripting risks

API endpoints are protected against CSRF with appropriate validation

Database schemas enforce type safety and constraints to prevent malformed data

Production server logs do not contain personally identifiable conversation content

12. Our Honest Position

No system is perfectly secure. We have built Bronsik with security as a foundational concern — not an afterthought — but we are a small team and we will not make promises we cannot keep.

What we can honestly say

We follow industry-standard practices for encryption, authentication, access control, and abuse prevention. We use established, well-audited infrastructure providers. We monitor for anomalies and respond to incidents promptly.

What we will not claim

That we are impenetrable, that no breach is ever possible, or that our security is equivalent to that of large enterprises with dedicated security teams. We are honest about who we are and what we can do — and we are committed to continuous improvement.

If you ever have concerns about the security of your account or data, please contact us. We will always take your concerns seriously.

Your trust, our priority

Built with security from day one.

Questions about how we protect your data? We're always happy to talk.

security@bronsik.com