Privacy Policy
Last updated: 18 March 2026
1. Introduction
Reflect ("we", "us", "our") is operated by Cankat Sarac. We are committed to protecting your privacy and ensuring the security of the personal information you share with us through the Reflect mobile application (the "App") and the website at reflectapp.software (the "Website") (collectively, the "Service").
This Privacy Policy explains what personal data we collect, how we use and protect it, who we share it with, and what rights you have in relation to your data. By using the Service, you acknowledge that you have read and understood this Privacy Policy.
If you do not agree with the practices described in this Privacy Policy, please do not use the Service.
2. Data Controller
The data controller responsible for your personal data is:
3. Information We Collect
3.1 Account Information
When you create an account, we collect:
- Email address — required for account creation and login
- Display name — if provided through social login (Google or Apple)
- Profile photo URL — if provided through social login
- Unique user identifier (UID) — automatically generated by our authentication provider
- Authentication provider — whether you registered with email/password, Google, or Apple Sign-In
3.2 Reflection and Journal Data
The core of our Service involves personal reflections. We process:
- Reflection content — the text you write in response to daily questions
- Reflection quality scores — depth analysis scores generated by our AI system
- Question categories — which life categories (e.g. Self-awareness, Relationships, Goals, Emotions, Health) your reflections belong to
- Timestamps — when reflections are created
- Time spent — duration of your reflection writing sessions
Important: Your reflection content may include sensitive personal information relating to your mental health, emotions, relationships, and personal circumstances. We treat all reflection data as sensitive personal data and apply enhanced protections accordingly.
3.3 AI Coaching Chat Data
When you use our AI coaching feature, we process:
- Chat messages — your messages and AI-generated responses
- Conversation context — the reflection content associated with each chat session
- Chat usage counts — the number of AI chats you use per day (for rate-limiting free users)
3.4 Usage and Progress Data
- Streak information — current and longest consecutive days of reflection
- Category metrics — attempt rates and quality scores per reflection category
- 30-day rolling statistics — recent engagement patterns for your dashboard
- Question history — which questions have been presented to avoid repetition
3.5 Subscription and Payment Data
If you subscribe to Reflect Premium, the following data is processed:
- Subscription status — whether you have an active premium subscription
- Plan type — monthly, quarterly, or annual
- Subscription expiry date
- Purchase transaction identifiers — processed by Apple App Store or Google Play Store
We do not collect or store your payment card details, bank account information, or other financial data. All payment processing is handled directly by the Apple App Store or Google Play Store. Subscription management is facilitated by RevenueCat (see Section 5).
3.6 Device and Technical Data
- Language preference — your selected interface language
- Session tokens — for maintaining your login session (24-hour expiry)
- Platform type — iOS, Android, or Web
3.7 Information We Do NOT Collect
We want to be transparent about what we do not collect:
- We do not use third-party analytics or tracking SDKs (no Mixpanel, Amplitude, Google Analytics, or similar)
- We do not serve advertisements or use ad-tracking technologies
- We do not collect precise location data
- We do not access your camera, microphone, contacts, or photo library
- We do not engage in cross-app tracking or build advertising profiles
- We do not sell your personal data to any third party
4. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| To create and manage your account | Performance of contract |
| To provide daily reflection prompts and record your responses | Performance of contract |
| To analyse reflection depth and provide quality scores | Performance of contract |
| To provide AI coaching conversations | Performance of contract |
| To display your progress dashboard, streaks, and analytics | Performance of contract |
| To process your premium subscription | Performance of contract |
| To authenticate your identity and secure your account | Legitimate interest (security) |
| To personalise daily questions and avoid repetition | Legitimate interest (service improvement) |
| To communicate with you about your account or service changes | Legitimate interest / Performance of contract |
| To comply with legal obligations | Legal obligation |
Where we process sensitive personal data (such as reflection content that may relate to your mental health or emotional well-being), we rely on your explicit consent as the legal basis under Article 9(2)(a) GDPR, which you provide when creating your account and submitting reflections.
5. Third-Party Service Providers
We use the following third-party service providers to deliver the Service. Each provider processes data in accordance with their own privacy policies, which we encourage you to review:
5.1 Firebase (Google LLC)
Purpose: User authentication and account management
Data shared: Email address, display name, user UID, authentication tokens
Location: United States
Privacy policy: firebase.google.com/support/privacy
5.2 Google OAuth
Purpose: Social login authentication ("Sign in with Google")
Data shared: Authentication request; data received includes name, email, profile picture
Scopes requested: openid, profile, email
Privacy policy: policies.google.com/privacy
5.3 Apple Sign-In
Purpose: Social login authentication on iOS ("Sign in with Apple")
Data shared: Authentication request; data received may include name and email (at user's discretion)
Security: each sign-in request carries a cryptographic nonce that Apple binds into the returned identity token, so a token captured elsewhere cannot be replayed
Privacy policy: apple.com/legal/privacy
5.4 RevenueCat, Inc.
Purpose: In-app subscription and purchase management
Data shared: App user identifier, subscription status, purchase history, platform information
Location: United States
Privacy policy: revenuecat.com/privacy
5.5 AI Service Providers
To provide AI-powered reflection analysis and coaching, your reflection content and chat messages are transmitted to the following AI service providers via encrypted HTTPS connections. We use a fallback chain to ensure service availability:
Primary: OpenRouter (New Computer Corporation)
Models: Meta Llama 3.3 70B, DeepSeek R1, Mistral Small 3.1
Privacy policy: openrouter.ai/privacy
First fallback: Google Gemini (Google LLC)
Model: Gemini 2.5 Flash
Terms and privacy: ai.google.dev/terms
Second fallback: Mistral AI (Mistral AI SAS)
Model: Mistral Small Latest
Location: France (European Union)
Terms and privacy: mistral.ai/terms
Please note: When you use the AI coaching feature, the text of your reflections and chat messages is transmitted to these providers for processing. Each provider has its own data retention policies. We do not control how these providers may use, store, or retain your data beyond our contractual arrangements with them. We recommend reviewing their privacy policies if you have concerns about how your reflection content is handled.
6. Data Storage and Security
6.1 Local Storage
The majority of your personal data — including reflections, chat history, progress metrics, and streaks — is stored locally on your device using AsyncStorage. AsyncStorage does not encrypt data itself; locally stored data is protected by your device's operating-system encryption (for example, iOS Data Protection and Android file-based encryption), so keeping a device passcode enabled matters for the protection of this data.
Data stored locally on your device includes:
- Your reflection content and quality scores
- AI coaching chat histories
- Daily session data and question history
- User profile and streak information
- Authentication session tokens
- Language preference
6.2 Remote Storage
- Firebase Authentication: Your credentials and authentication tokens are stored on Firebase servers (Google Cloud infrastructure)
- RevenueCat: Your subscription status and purchase information
- AI providers: Your reflection and chat data is transmitted for processing; retention periods vary by provider
6.3 Security Measures
We implement appropriate technical and organisational measures to protect your personal data, including:
- All data transmitted between your device and our servers uses HTTPS/TLS encryption
- Authentication tokens are generated using cryptographic randomness and expire after 24 hours
- Apple Sign-In requests include a cryptographic nonce that is bound into the returned identity token, which prevents replay of a captured token
- Google OAuth uses the authorization code flow with PKCE (Proof Key for Code Exchange), which prevents an attacker who intercepts the authorization code on a mobile device from exchanging it for tokens
- Passwords are hashed and managed by Firebase — we never store plaintext passwords
- Firebase Security Rules enforce authentication requirements for all data access
While we take reasonable steps to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account credentials (Firebase) | Until account deletion |
| Session tokens | 24 hours (auto-expiry) |
| Reflection content and scores | Until account deletion (stored locally) |
| Chat history | Until associated reflection is deleted or account deletion |
| Question history | 60 days (auto-pruned) |
| Subscription information | Until account deletion (managed by RevenueCat and app stores) |
| AI provider processing logs | Per each provider's data retention policy |
8. International Data Transfers
Your personal data may be transferred to and processed in countries outside your country of residence, including the United States (Firebase, RevenueCat, OpenRouter, Google Gemini) and France (Mistral AI).
For transfers from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The EU-US Data Privacy Framework, where applicable
- Other appropriate safeguards as required by applicable data protection law
9. Your Rights Under GDPR (EEA and UK Users)
If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and the UK GDPR:
- Right of access (Article 15): You may request a copy of the personal data we hold about you.
- Right to rectification (Article 16): You may request correction of inaccurate or incomplete personal data.
- Right to erasure (Article 17): You may request deletion of your personal data. You can delete your account directly within the App under Profile settings.
- Right to restriction of processing (Article 18): You may request that we restrict processing of your personal data in certain circumstances.
- Right to data portability (Article 20): You may request a machine-readable copy of the personal data you provided to us.
- Right to object (Article 21): You may object to processing based on legitimate interests.
- Right to withdraw consent (Article 7(3)): Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint: You have the right to file a complaint with your local data protection supervisory authority.
To exercise any of these rights, please contact us at support@reflectapp.software. We will respond to your request within 30 days.
10. Your Rights Under CCPA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete: You may request that we delete your personal information, subject to certain exceptions.
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt out of sale or sharing: We do not sell or share your personal information for cross-context behavioural advertising. There is no need to opt out.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To submit a request, please email us at support@reflectapp.software. We will verify your identity before processing your request and respond within 45 days.
11. Children's Privacy
The Service is not intended for children under the age of 16 (or 13 in jurisdictions where the Children's Online Privacy Protection Act (COPPA) applies). We do not knowingly collect personal information from children under these ages.
If we become aware that we have collected personal data from a child under the applicable minimum age without verifiable parental consent, we will take steps to delete that information as quickly as possible. If you believe a child under the applicable age has provided us with personal information, please contact us at support@reflectapp.software.
12. Account Deletion
You may delete your account at any time from within the App (Profile > Delete Account). When you delete your account:
- Your Firebase authentication credentials are permanently deleted
- All locally stored data is removed from your device, including: reflections, chat histories, session data, user profile, daily sessions, and question history
- Your RevenueCat customer profile is disassociated
- This action is irreversible — your data cannot be recovered after deletion
Please note that data already transmitted to AI providers may be retained in accordance with their respective data retention policies. Active subscriptions should be cancelled through the Apple App Store or Google Play Store before deleting your account, as account deletion does not automatically cancel your subscription billing.
13. AI and Automated Decision-Making
The Service uses artificial intelligence to:
- Analyse the depth and quality of your reflections (producing a score from 0 to 100)
- Generate coaching responses in the AI chat feature
- Provide personalised prompts and follow-up questions
These AI features are intended as tools for personal development and self-awareness. They do not constitute medical, psychological, therapeutic, or professional advice. No automated decisions with legal or similarly significant effects are made about you based on this processing.
Your reflection content is not used to train AI models. We use the AI providers' APIs solely for real-time inference (processing your input and generating a response). We do not contribute your data to any training datasets.
14. Cookies and Website Tracking
Our Website (reflectapp.software) uses minimal data storage technologies:
- localStorage: We store your language preference in your browser's local storage to remember your selected language between visits. This is strictly functional and does not track you.
We do not use cookies for analytics, advertising, or tracking purposes on our Website. For further information, please see our Cookie Policy.
15. Third-Party Links
The Service may contain links to third-party websites or services, including the Apple App Store, Google Play Store, and social media platforms. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you through the App or by email for significant changes
- Where required by law, obtain your consent before processing your data under revised terms
We recommend reviewing this Privacy Policy periodically. Your continued use of the Service after changes take effect constitutes your acceptance of the revised Privacy Policy.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
We aim to respond to all enquiries within 30 days.