Reflct ("we," "our," or "us") is a personal cognitive tool that helps you capture, organize, and reflect on your thoughts. This policy explains what data we collect, how we use it, and the choices you have.
We built Reflct for ourselves first. We treat your data the way we'd want ours treated: with care, minimalism, and respect.
What We Collect
Account Information
When you sign up, we collect your phone number or email address for authentication. We may also store a display name if you provide one.
Voice Recordings & Transcriptions
Reflct's core experience involves voice capture. When you record, audio is streamed to a third-party transcription service (currently Deepgram) for real-time speech-to-text conversion. The resulting transcriptions are stored in your account.
We do not permanently store raw audio files on our servers. Audio is processed in real time and discarded after transcription.
Conversations & Content
Text you enter, conversations with the Reflct agent, and any content generated from your inputs (summaries, insights, patterns) are stored in your account and associated with your user profile.
Integrated Services & Browser Extension
Reflct can sync data from third-party services you connect, with your explicit permission. Each connection is opt-in and can be revoked at any time from the Sources page in the app.
The Reflct Chrome extension stores your Reflct API key and sync state locally in your browser so it can connect to your account. It uses your existing browser sessions for Claude.ai, ChatGPT, and LinkedIn, but it does not collect or send your passwords or third-party session cookies to Reflct.
- AI conversations — Claude.ai and ChatGPT conversation titles, timestamps, message text, and related metadata, fetched by the Reflct Chrome extension from accounts you are already signed into.
- LinkedIn network data — your first-degree LinkedIn connections and selected profile details, such as names, profile URLs, headlines, current roles, companies, work history, education, skills, connection dates, and profile email addresses when LinkedIn provides them. We do not collect LinkedIn passwords, session cookies, private messages, browsing history, or precise location.
- Email (Google) — email thread metadata and content, accessed via Google OAuth with read-only scope. We do not send email on your behalf.
- Calendar (Google) — calendar events, accessed via Google OAuth with read-only scope.
- Local sources (Mac) — the Reflct Sync desktop app can sync iMessage history and Claude Code sessions from your Mac, with your permission.
- Instagram — direct message history, where you have authorized the connection.
- Code activity (GitHub) — commit metadata and repository activity from connected accounts.
Financial Data
If you connect a bank or credit card account, Reflct uses Plaid to retrieve your transaction history (read-only). This includes merchant names, amounts, dates, categories, and account identifiers. Reflct does not access or store your online banking credentials — Plaid handles authentication directly with your financial institution and provides Reflct with a secure access token, which we encrypt at rest. Reflct cannot move money, initiate payments, or modify your accounts in any way. You can disconnect your accounts at any time from the Sources page, which immediately revokes Reflct's access.
Device & Usage Data
We collect minimal analytics to understand how the product is used — page views, feature usage, and basic device information. We use Plausible Analytics, a privacy-focused analytics tool that does not use cookies and does not track individual users.
How We Use Your Data
- Provide the service — transcribe your voice, generate insights, and power the Reflct agent.
- Improve the product — we use aggregate, anonymized usage patterns to make Reflct better. We do not train AI models on your personal data.
- Communicate with you — transactional messages like authentication codes. No marketing spam.
- Support connected-source sync — keep track of sync status, avoid duplicate imports, and notify you when a connected source needs re-authentication.
Third-Party Services
We rely on a small set of trusted infrastructure providers:
- Supabase — database, authentication, and file storage. Data is hosted on AWS infrastructure.
- Deepgram — real-time speech-to-text transcription. Audio is processed and not retained by Deepgram after transcription.
- Anthropic — powers the Reflct agent. Conversations with the agent are sent to Anthropic's API for processing. Anthropic does not use API inputs to train models.
- Plaid — read-only access to bank and credit card transaction history when you connect a financial account. Plaid acts as the secure bridge between Reflct and your financial institution. Plaid's privacy practices are described at plaid.com/legal.
- Google — OAuth provider for Gmail and Google Calendar integrations, with read-only scopes.
- Vercel — application hosting and edge delivery.
- Plausible — privacy-focused, cookie-free web analytics.
We do not sell your data to anyone. We do not share your personal content with third parties beyond what is necessary to operate the service as described above.
For Chrome Web Store data disclosures, the Reflct extension collects personally identifiable information, personal communications, and website content only to provide the sync features you enable. We do not use extension-collected data for advertising, creditworthiness, resale, or unrelated purposes.
Data Storage & Security
Your data is stored in a PostgreSQL database hosted by Supabase on AWS infrastructure in the United States. All data is encrypted in transit (TLS) and at rest. Access to production data is restricted and requires multi-factor authentication.
Row-Level Security (RLS) policies ensure that you can only access your own data. No other user can read your conversations, transcriptions, financial transactions, or insights.
Sensitive third-party credentials — such as Plaid access tokens and OAuth refresh tokens for connected accounts — are additionally encrypted at the application layer using AES-256-GCM before being stored, with the encryption key held separately from the database.
A copy of our full security policy is available on request — email evan@reflct.ai.
Your Rights
You have the right to:
- Access your data — everything in Reflct is visible to you in the app.
- Export your data — you can request a full export of your account data at any time.
- Delete your data — you can request complete deletion of your account and all associated data. We will process deletion requests within 30 days.
- Correct your data — if something is inaccurate, let us know and we'll fix it.
Data Retention
We retain your data for as long as your account is active. If you delete your account, we will remove all personal data within 30 days, except where required by law.
Anonymized, aggregate analytics data may be retained indefinitely as it cannot be linked back to individual users.
Children's Privacy
Reflct is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
Changes to This Policy
We may update this policy from time to time. If we make significant changes, we will notify you through the app or via email. Continued use of Reflct after changes constitutes acceptance of the updated policy.
Contact
Questions about this policy or your data? Reach out at evan@reflct.ai.