Legal · English
Privacy Policy
This Privacy Policy explains how REFLO collects, uses, shares, and protects personal information when you use our desktop app, Account Hub, and Cloud History services.
Effective date: 2026-05-23 · Last updated: 2026-05-23
See also: Terms of Service
1. Scope and Controller
REFLO ("REFLO," "we," "us," or "our") operates the REFLO desktop application, Account Hub website, Cloud History API, and related services (the "Services").
For purposes of the EU General Data Protection Regulation (GDPR), UK GDPR, and similar laws, REFLO is the data controller for personal information described in this policy unless we state otherwise for organization/team features processed on behalf of a customer.
Contact: privacy@reflo.app (privacy) · support@reflo.app (support)
2. Information We Collect
We collect the following categories of information:
- Account and profile data: name, email address, password hash, organization/team membership, and account preferences.
- Billing data: subscription status, plan identifiers, and payment-related metadata processed by Paddle (we do not store full payment card numbers).
- Usage and device data: app version, operating system, diagnostic logs, crash reports, and feature usage needed to operate and secure the Services.
- Cloud History and sync data: file metadata, version history, storage usage, connection tokens, and encrypted or chunked content you choose to store in Cloud History.
- Communications: support requests, email delivery events (magic links, invites), and operational notices.
- Website data: cookies or similar technologies on the Account Hub for authentication sessions and security (see Section 9).
3. Sources of Information
We collect information directly from you, automatically when you use the Services, from your organization administrator (for team accounts), and from service providers such as payment processors and infrastructure hosts.
4. How We Use Information
We use personal information to:
- Provide, maintain, and improve the Services (including backups, versioning, search, and sync).
- Authenticate users and manage accounts, entitlements, and organization access.
- Process subscriptions, invoices, and tax compliance through our payment partner.
- Send transactional messages (sign-in links, security alerts, billing notices).
- Monitor performance, debug issues, prevent fraud and abuse, and comply with law.
- With your consent or as permitted by law, send product updates or marketing (you may opt out).
5. Legal Bases (GDPR / UK GDPR)
Where GDPR or UK GDPR applies, we rely on: (a) performance of a contract (providing the Services you request); (b) legitimate interests (security, product improvement, fraud prevention, internal analytics balanced against your rights); (c) consent (where required, e.g., optional marketing); and (d) legal obligation (tax, accounting, regulatory requests).
7. International Transfers
We may process and store information in countries other than your own. Where required, we use appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms for transfers from the EEA, UK, or Switzerland.
8. Data Retention
We retain personal information for as long as your account is active or as needed to provide the Services, resolve disputes, enforce agreements, and comply with legal obligations.
Cloud History content is retained according to your plan, storage policies, and deletion requests. Backups may persist for a limited period after deletion for disaster recovery.
10. Security
We implement technical and organizational measures designed to protect personal information, including encryption in transit, access controls, and monitoring. No method of transmission or storage is 100% secure.
11. Your Privacy Rights
Depending on your location, you may have the right to access, correct, delete, restrict, or object to processing of your personal information, and to data portability.
EEA/UK residents may lodge a complaint with your local supervisory authority.
California residents (CCPA/CPRA) have the right to know categories of data collected, request deletion, correct inaccurate data, and opt out of sale/sharing (we do not sell personal information). You will not be discriminated against for exercising these rights.
To exercise rights, email privacy@reflo.app with enough information to verify your account. We respond within timelines required by applicable law.
12. Children's Privacy (COPPA)
The Services are not intended for children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected such information without verifiable parental consent, we will delete it promptly.
13. Automated Decision-Making
We do not make decisions based solely on automated processing that produce legal or similarly significant effects without human review, except for security and anti-abuse measures (e.g., blocking suspicious sign-in attempts).
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the revised policy with an updated effective date and provide additional notice where required by law.
15. Contact Us
Privacy inquiries and data subject requests: privacy@reflo.app
General support: support@reflo.app
