REFLECT
Privacy Policy
Last updated: March 2026
REFLECT ("we", "us", "our") is operated by Rafay Essani, an individual
based in Pakistan. This Privacy Policy explains what personal data we
collect, why we collect it, how it is used, and what rights you have
over it. By using REFLECT you agree to this policy.
REFLECT is a private journaling tool. Your reflections are not read by
our team, not sold, and not used to train any AI model. This policy
exists to be honest about how the app works — not to obscure anything.
1. Who we are
REFLECT is operated by Rafay Essani, an individual. For all privacy
matters, contact us at essanirafay@gmail.com.
2. What data we collect
- Account data: your name and email address, provided automatically when you sign in with Google via Supabase Auth.
- Reflection content: the thoughts, mirror responses, mood check-ins, and closing takeaways you create inside the app.
- Usage data: how often you use the app and which features you access (not the content of your reflections).
- Subscription data: your plan type and billing status, managed by Lemon Squeezy (web) or Apple App Store (iOS). We do not store your card number or full payment details.
- Guest session data: if you use REFLECT before signing up, your first two reflections are stored only in your browser's local storage on your device. They are never sent to our servers until you choose to create an account.
3. Why we collect it (legal basis)
- To provide the service: account data, reflection content, and subscription status are necessary to operate REFLECT.
- Legitimate interest: usage data helps us understand how the app is used so we can fix problems and improve it. This data does not include the content of your reflections.
- Your consent: by signing up, you agree to this policy. You may withdraw at any time by deleting your account.
4. How your reflection content is processed
When you submit a reflection, your text is sent to an AI language
model (via OpenAI or OpenRouter) solely to generate a mirror response.
This is how the core feature works. We want to be transparent about
this:
- Your text is transmitted to the AI provider to generate a response.
- We do not instruct these providers to store, train on, or analyze your content.
- OpenAI's API terms state that API inputs are not used to train their models by default.
- Beyond the API request, your reflection content is stored only in our Supabase database, accessible only to your account.
We do not read your reflections. No human at REFLECT has routine
access to your reflection content.
5. Third-party services we use
- Supabase — database and authentication. Your data is stored in Supabase's infrastructure. See supabase.com/privacy.
- Google (via Supabase Auth) — used only to authenticate you. We receive your name and email from Google when you sign in.
- OpenAI / OpenRouter — AI response generation. Your reflection text is sent to them to generate a response. It is not stored or used for training by default. See openai.com/policies/privacy-policy.
- Lemon Squeezy — payment processing for web subscriptions. We never see your card details. See lemonsqueezy.com/privacy.
- RevenueCat — iOS subscription management. See revenuecat.com/privacy.
We do not sell your data to any third party. We do not share your
data with advertisers.
6. Data storage and security
Your data is stored in Supabase's cloud infrastructure with row-level
security (RLS) enabled — meaning database queries are restricted to
your account only. Our backend enforces authentication on every
request. Data is transmitted over HTTPS. We do not log the content of
your reflections.
While we take reasonable security measures, no system is completely
secure. If you become aware of a security concern, please contact us
immediately at essanirafay@gmail.com.
7. Data retention
Your data is retained for as long as you maintain an account. If you
delete your account via Settings → Delete account, all your data —
including reflections, mood check-ins, usage records, and account
details — is permanently deleted from our systems within 30 days.
Lemon Squeezy and Apple may retain billing records as required by
their own policies and applicable law.
8. Your rights
Regardless of where you are located, you have the right to:
- Access the data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (in-app via Settings, or by emailing us)
- Object to or restrict certain processing
- Withdraw consent at any time by deleting your account
To exercise any of these rights, email essanirafay@gmail.com. We
will respond within 30 days.
9. Children's privacy
REFLECT is not directed at children under the age of 13. We do not
knowingly collect personal data from anyone under 13. If you believe a
child under 13 has provided us with personal data, please contact us
and we will delete it promptly.
10. International data transfers
REFLECT is operated from Pakistan. Our infrastructure providers
(Supabase, OpenAI, Lemon Squeezy) are based in the United States and
may process your data there. By using REFLECT, you consent to your
data being processed in these jurisdictions. We choose providers that
maintain appropriate data protection practices.
11. Changes to this policy
If we make material changes to this policy, we will notify you via
email or an in-app notice at least 14 days before the changes take
effect. Continued use of REFLECT after that date constitutes
acceptance of the updated policy. The "Last updated" date at the top
of this page always reflects the most recent revision.
12. Governing law
This Privacy Policy is governed by the laws of the Islamic Republic of
Pakistan. Any disputes arising from this policy shall be subject to
the jurisdiction of the courts of Pakistan.