Privacy Policy

Last updated: 2026-04-26

This policy describes how Reflect (“we”, “us”) processes data when operators (mobile app studios) integrate the Reflect SDK and use the Reflect dashboard. We act as a data processor — the operator is the controller of any end-user data passing through Reflect.

What we collect

From mobile end-users (via your SDK integration):

Install identifiers (UUID generated client-side, GAID on Android, IDFA on iOS only when ATT consent is granted).
Device metadata: OS version, country (from IP geolocation, IP discarded after lookup), language, model.
App-defined events your SDK reports — event name, timestamps, optional revenue values.
Hashes (SHA-256) of email/phone for partner postbacks where the operator opts in. Raw email/phone is never stored.

From operators: account email, company name, optional phone for billing, IP address of admin sessions for security.

What we do NOT collect

Cleartext PII (email, phone) from end-users — only hashes for matching.
Location coordinates — we resolve country from IP and discard the IP.
Cross-app tracking identifiers — every Reflect tenant is isolated.

How long we keep it

Events & attributions: 90 days hot, 13 months in cold storage. Operator can request earlier deletion via /settings or the GDPR/CCPA endpoints below.
Postback logs: 30 days.
Billing records: 7 years (US/EU tax requirements).

End-user rights (GDPR / CCPA)

End-users contact the app operator directly. Operators have these endpoints in Reflect to satisfy user requests:

POST /api/privacy/delete — delete all data for an install_uuid or hashed-email match.
POST /api/privacy/export — return a JSON dump of everything we hold for that user.

Sub-processors

Cloudflare — compute, storage (D1, R2, KV), CDN. All Reflect data is on Cloudflare infrastructure.
Resend — transactional email (login magic links, usage alerts).
PayPal — subscription billing. Reflect never sees card details.

Where data lives

Cloudflare workers run at the closest edge to the request. Persistent stores (D1, R2) are configured with primary regions reflective of the operator's tenancy. Specific region commitments are in the DPA.

Security

HMAC-SHA256 signing on every SDK event — server rejects tampered payloads.
AES-GCM at-rest encryption for partner credentials (CAPI tokens, OAuth refresh tokens).
SHA-256 hashing of email/phone before postback transmission.
TLS 1.2+ for every endpoint. HSTS preload on the marketing site.

Contact

[email protected] for privacy questions or to file a complaint with our DPO.

Questions? Email [email protected]. A Retroage Engineering product.