Privacy policy

Last Updated: 02-15-2026

1. Overview

This Privacy Policy explains how Reflect collects, uses, and protects personal information.

Reflect is designed as a private reflection tool for managers. We respect the sensitivity of professional notes and treat user data accordingly.

2. Information We Collect

Reflect is designed as a private reflection tool for managers. We respect the sensitivity of professional notes and treat user data accordingly.

A. Account Information

  • Name
  • Email address
  • Login credentials

B. User-Provided Content

  • Meeting titles
  • Observations
  • Reflections
  • Notes
  • Manager-defined metadata

C. Usage Data

  • Log data (IP address, browser type)
  • Device information
  • Interaction patterns

D. Analytics Data

We use analytics tools on our marketing website and within the application to understand usage patterns and improve the Service.

On our marketing website, we use Google Analytics to collect information such as IP address, browser type, device information, and pages visited.

Within the application, we use PostHog to collect product usage data such as feature interactions, navigation events, and timestamps. We configure analytics tools to avoid collecting user-entered reflection content.

E. Payment Data

If applicable:

  • Billing information processed via third-party payment processor
    (We do not store full credit card numbers.)
  • Payment Information

If you purchase a paid subscription, payments are processed by our third-party payment processor, Stripe, Inc. (“Stripe”).

When you enter payment information:

  • Your payment details (such as credit card number and billing information) are transmitted directly to Stripe.

Reflect does not store full credit card numbers on our servers.

We may receive limited billing information from Stripe, such as:

  • Last four digits of your card
  • Card brand
  • Billing status
  • Subscription status

Stripe processes your payment information in accordance with its own Privacy Policy, available at:https://stripe.com/privacy

We encourage you to review Stripe’s policies to understand how your payment data is handled.

3. How We Use Information

We use information to:

  • Operate the Service
  • Generate AI-based insights
  • Improve functionality
  • Provide customer support
  • Ensure security
  • Analyze usage patterns to improve the marketing website and application experience

We do not sell user data.

We do not use user content for advertising.

4. AI Processing

User content may be processed by AI systems to generate summaries or insights.

We:

  • Use AI strictly to support user-requested features
  • Do not intentionally train public models on user content

OpenAI does not use customer API data to train models by default.

5. Data Sharing

API data:

  • Is not used to train public models
  • May be retained for limited time for abuse monitoring
  • Is handled under OpenAI’s enterprise privacy commitments

We share information only with:

  • Hosting providers
  • Database providers
  • Payment processors
  • AI service providers
  • Legal authorities when required

All service providers are required to maintain reasonable security safeguards.

6. Service Providers

We use carefully selected third-party service providers to operate Reflect. These providers process information on our behalf and are contractually obligated to implement reasonable safeguards.

We share information only with:

  • Supabase, Inc.
    Used for database hosting, authentication, and secure data storage.
  • Vercel Inc.
    Used for application hosting and infrastructure delivery.
  • OpenAI, L.L.C.
    Used to generate AI-assisted summaries and insights based on user-submitted content.
    OpenAI processes data submitted via its API in accordance with its own policies. As of this writing, OpenAI does not use API customer data to train its public models.
  • Stripe, Inc.
    Used to securely process subscription payments and manage billing.
  • Postmark, Inc.
    Used to send transactional emails such as account verification, password resets, and system notifications. Postmark processes email addresses and delivery metadata necessary to provide these services.
  • Google LLC
    Used to provide analytics for our marketing website through Google Analytics.
  • PostHog, Inc.
    Used to provide product analytics within the application to understand feature usage and improve performance. We configure PostHog to avoid collecting user-generated reflection content.

We do not sell personal information. We share data only as necessary to operate the Service or comply with legal obligations.

7. Data Retention

We retain personal information only for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy.

Account Information

We retain your account information (such as name and email address) while your account is active. If you close your account, we will delete your account information from our active systems within 30 days, unless a longer retention period is required by law.

User Content (Notes, Reflections, Observations)

We retain user-generated content for as long as your account remains active. If you delete specific content, it is removed from active systems. If you close your account, all associated user content is permanently deleted from active systems within 30 days.

Billing & Transaction Records

Billing records are retained as required for accounting, tax, and legal compliance purposes.

System Logs & Security Data

Operational and security logs may be retained for a limited period (generally up to 90 days) for fraud prevention, debugging, and system integrity.

Backup Systems

Deleted data may remain in encrypted backup systems for a limited period consistent with standard disaster recovery practices. Backup data is not actively processed and is securely deleted in accordance with our backup retention schedule.

8. Security

We implement:

  • Encryption in transit (HTTPS)
  • Access controls
  • Authentication safeguards

However, no system is completely secure.

9. Your Rights

Depending on your location, you may have rights to:

  • Access your data
  • Correct inaccuracies
  • Delete your data
  • Export your data

For U.S. users, state-specific privacy laws (e.g., CCPA) may apply.

California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have certain rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

Categories of Personal Information We Collect

In the preceding 12 months, we have collected the following categories of personal information:

  • Identifiers (such as name, email address, IP address)
  • Internet or other electronic network activity information (such as usage data and interaction logs)
  • Commercial information (such as subscription status and billing history)
  • Professional or employment-related information (to the extent users choose to include such information in their own notes)

We collect this information directly from users and from their interactions with the Service.

10. International Users

Reflect is operated from the United States and is intended for users located within the United States.

We do not currently market or intentionally offer the Service to individuals located in the European Union or other jurisdictions with comprehensive data protection laws.

If you access the Service from outside the United States, you do so at your own initiative and are responsible for compliance with local laws.

11. Children

Reflect is not intended for individuals under 18.

We do not knowingly collect data from minors.

12. Changes to This Policy

We may update this Privacy Policy. Continued use indicates acceptance.

Questions about your privacy?

Reach out to our team if anything needs clarification or feels unclear.

Contact Us