This Privacy Policy describes how Reflet ("we," "us," or "our") collects, uses, and shares information about you when you use our product feedback and roadmap management platform (the "Service").
1. Information We Collect
Account Information
When you create an account, we collect your email address, name (optional), and password (stored in hashed form). If you sign in via GitHub OAuth, we also receive your GitHub username, avatar, and account type. If you sign in via Google OAuth, we receive your Google email address, name, and profile picture.
Organization Data
When you create or join an organization, we collect the organization name, slug, logo, branding preferences (colors, custom CSS), and team member information including roles and email addresses.
Feedback and Content
We collect feedback titles, descriptions, status updates, votes, comments, importance ratings, and any other content you submit through the Service.
Widget and Visitor Data
When users interact with embedded Reflet widgets, we collect visitor identifiers (for anonymous users), user agent strings, page URLs, referrer information, and any external user metadata provided by the host application.
Support Conversations
If you use our support chat feature, we collect conversation messages, status information, and message reactions.
Usage and Technical Data
We automatically collect API request logs including IP addresses, endpoints accessed, HTTP methods, status codes, and timestamps. We also collect session data to keep you logged in.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Process transactions and send related notifications
- Send you technical notices, updates, and support messages
- Respond to your comments, questions, and requests
- Provide AI-powered features such as feedback clarification, draft replies, and difficulty estimation
- Monitor and analyze trends, usage, and activities
- Detect, investigate, and prevent security incidents
3. Information Sharing
We share your information with the following third-party service providers who assist us in operating the Service:
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Customer ID, subscription details |
| Resend | Email delivery | Email addresses, notification content |
| Convex | Database and backend | All user and organization data |
| GitHub | OAuth and issue sync | Account info, repository data |
| | OAuth and AI features | Account info, feedback content for AI processing |
| Anthropic | AI features | Feedback content for processing |
We may also share information when required by law, to protect our rights, or in connection with a business transfer.
4. Data Retention
We retain your information for as long as your account is active or as needed to provide the Service:
- Session data: 30 days
- Account data: Until you delete your account
- Feedback and organization data: For the lifetime of the organization
- API logs: 90 days
5. Your Rights
For EU Residents (GDPR)
You have the right to:
- Access your personal data
- Rectify inaccurate data
- Request erasure ("right to be forgotten")
- Restrict processing
- Data portability
- Object to processing
- Withdraw consent at any time
For California Residents (CCPA)
You have the right to:
- Know what personal information we collect
- Delete your personal information
- Opt-out of the sale of personal information
- Non-discrimination for exercising your rights
We do not sell personal information as defined by the CCPA.
6. International Data Transfers
Your information may be transferred to and processed in countries other than your own, including the United States. We rely on Standard Contractual Clauses and other lawful mechanisms to transfer data outside the European Economic Area.
7. Security
We implement appropriate technical and organizational measures to protect your information, including encryption in transit (TLS), secure password hashing, role-based access controls, and regular security reviews.
8. Children's Privacy
The Service is not intended for children under 16. We do not knowingly collect personal information from children. If you believe we have collected such information, please contact us immediately.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the effective date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
10. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us at:
Email: legal@reflet.app
Entity: Damien Schneider EI, France