Last updated: May 2, 2026
Introduction
Reflect is a private journaling app. This policy explains what leaves your device, what stays on it, and how to delete it all. It's written in plain English so you can verify it against what the app actually does. If anything is unclear, email [email protected] and we'll explain.
What We Collect
- Your journal content: the text, photos, voice memos, mood, reactions, stickers, location, and weather you tag. These live on your device and, if you turn on backup or sync, in our encrypted cloud storage.
- Date of birth (used once, not stored): on first launch you confirm you're 13 or older. We don't save the date.
- Anonymous account ID: we sign you in anonymously. There's no email, password, or social login.
- Recovery code: a code we generate so you can find your backup later. A lookup value for it is stored so the app can locate your backup when you reinstall. The same code also derives your backup encryption key, so treat it like a password: anyone who has it can find and decrypt your backup.
- Diary lock credentials: if you set a PIN or password, it is hashed and stored only in your device's secure keychain. If you use biometrics, the check is performed by your device's operating system; biometric data never leaves your device and we never receive it.
- Device information: platform, OS version, app version, language, and timezone. Used for compatibility, sync metadata, and security alerts.
- Location (optional): if you tag a moment with a location, your device's GPS is used to look up a human-readable label (city, neighborhood, country). The label is what we store. Raw GPS coordinates are not uploaded. Location is never collected in the background.
- Weather (optional): when location permission is granted, we fetch current weather and humidity at the time of writing.
- Together profile (optional): if you use the Together feature, your display name, avatar, and current streak are stored on our servers so matchmaking and connections work.
- Shared Journal (optional): when you and your connected person write to a shared journal, those entries are stored in plain text on our servers, because both of you need to read them. This is separate from your private diary.
- Subscription status: if you subscribe or buy Lifetime, we store your tier and status. We don't store payment details, card numbers, or receipts — Apple and Google handle that.
- Anti-abuse counters: rate-limit counters used to prevent abuse. No journal content is in these.
- Restore audit logs: when your encrypted backup is restored on a new device, we record device and network metadata so we can alert you ("your backup was restored on another device") and let support investigate. Auto-deleted after a short retention window.
- What we do not collect: your real name, email address (we don't ask for one), phone number, contacts, calendar, or photo library at large.
How We Use Your Information
- Run the app: store your moments locally, display them, search them, calculate streaks and goals.
- Sync between your devices (optional): if you sign in on a second device with the same recovery code, your moments propagate in near real-time. Important: in-flight sync data is plain text on our servers while it moves between your devices, because the receiving device needs to read it. We don't read it, but the encryption guarantee that applies to backups does not apply to sync. If this matters to you, don't enable sync on a second device.
- Encrypted backups (optional): when you back up, your moments are encrypted on your device first, then uploaded. The backup key is derived from your recovery code, so the same code unlocks the backup on any device. Photos and voice memos are encrypted before upload too. We cannot read backed-up content.
- AI features (opt-in): if you use insights, MBTI, Lifestyle, Happiness, Ask AI, or Guided Moment, your content is sent to Google Gemini through our server proxy. We strip emails, phone numbers, URLs, and similar identifiers from prompt text before forwarding. We do not strip from voice transcription audio, photo OCR, or text-to-speech input — those features need the literal content, so what you record or scan is what is sent. Avoid recording or photographing things you'd rather not have processed.
- Rate limits and abuse prevention: AI features are rate-limited per user and globally. Every backend request is verified with a device-integrity check so emulators, rooted devices, and repackaged builds are rejected.
- Together (optional): your display name, avatar, and streak are visible to other users in the matchmaking pool, and to your connected person once you connect. No journal content moves through Together. The Shared Journal is a separate feature where you both deliberately write into a shared space.
- Notifications: daily reminders, badge unlocks, streak milestones, AI insight readiness, and buddy cheers. Each can be toggled in Settings.
- Analytics (opt-out): we capture anonymous, aggregate-only product events so we can see which features are used. We never send your account ID, journal text, AI prompts, or AI responses. Toggle off via Settings › Share anonymous usage data — events stop at the source.
- Subscription gating: we read your subscription record on launch to decide which features to unlock, and to send reminders before your Lifetime AI window expires.
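To make the identifier scrub described under "AI features" concrete, here is an added illustration in Python. It is not Reflect's code: the patterns, placeholder labels, and the order in which they run are assumptions chosen for a self-contained example. It also shows the limit the policy warns about: pattern matching catches conventional forms only, so an address written as "sami at example dot com" passes through untouched.

```python
import re

# Added illustration, not Reflect's code. Patterns and labels are assumptions.
# Regex scrubbing is best-effort: it recognises conventional forms only.

# Order matters: URLs first (they may contain email-like text and digit runs),
# then emails, then phone numbers.
URL_RE = re.compile(r"\b(?:https?://|www\.)\S+?(?=[.,;:!?)]?(?:\s|$))", re.IGNORECASE)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
PHONE_RE = re.compile(
    r"(?<!\w)(?:\+?\d{1,3}[\s.-]?)?(?:\(?\d{2,4}\)?[\s.-]?)\d{3}[\s.-]?\d{3,4}(?!\w)"
)
REDACTIONS = (("[URL]", URL_RE), ("[EMAIL]", EMAIL_RE), ("[PHONE]", PHONE_RE))


def scrub_prompt(text: str) -> tuple[str, dict[str, int]]:
    """Replace identifiers with placeholders; return the scrubbed text and a count per label."""
    counts: dict[str, int] = {}
    for label, pattern in REDACTIONS:
        text, n = pattern.subn(label, text)
        if n:
            counts[label] = n
    return text, counts


# Constructed sample journal text (not real user data).
SAMPLE = (
    "Met Sami (sami@example.com) at 3pm, call +1 415-555-0142 or see "
    "https://example.com/notes?id=42. Spent $12.50 on coffee."
)
# Same identifier written in a form the patterns do not recognise.
EVASIVE = "Sami's address is sami at example dot com, ping her tomorrow."


if __name__ == "__main__":
    print(scrub_prompt(SAMPLE))
    print(scrub_prompt(EVASIVE))
```

The phone pattern deliberately over-matches plain digit runs rather than under-matching, since a false placeholder costs less than a leaked number; the evasive sample shows why the scrub cannot replace your own judgement about what to record.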
Storage & Security
- Local storage: moments live in your device's local storage, encrypted with industry-standard authenticated symmetric encryption, so data that has been modified is detected and rejected rather than displayed. The key sits in the iOS Keychain or Android Keystore and never leaves your device.
- Encrypted cloud backups: when you opt into backup, your moments — text, photos, voice memos, location, weather, reactions, mood, stickers — are encrypted on your device before upload.
- Backup key derivation: the backup key is derived from your recovery code. The recovery code is the only thing that can unlock a backup. We do not have a master key, we do not escrow keys, and we cannot recover your backup if you lose the recovery code.
- Recovery code lookup: we store a lookup value for your recovery code so the app can find your backup when you reinstall. This is the trust boundary: anyone who reads our database can find which backup belongs to a code, but still cannot decrypt it without the code itself. That guarantee depends on the stored lookup being a one-way derivation of the code rather than the code itself, because whoever holds the raw code can derive the backup key. Treat the code like a password.
- Sync is not zero-knowledge: real-time sync between your devices needs the receiving device to read updates without your master key, so sync data is plain text on our servers. We don't read it, but the encryption guarantee that applies to backups doesn't apply here. Keep sync off if this matters to you.
- Diary lock: PIN and password are hashed locally and stored only in the device's secure keychain. Plain credentials are never written to disk or uploaded. Biometric data never leaves the secure enclave.
- Lose your device + recovery code = unrecoverable: we want to be blunt. Anonymous accounts mean there is no "reset by email." If you lose access to your device and don't have your recovery code saved somewhere, your backup is unrecoverable. Make a copy of your recovery code.
- Decrypt failures fail closed: if the recovery code is wrong or data has been tampered with, the app surfaces a clear error and stops. It never displays unverified or partially decrypted data as if it were your journal.
- Server-side AI proxy: all AI calls go through our server, where the API key lives. The proxy enforces device integrity, rate limits, and the personal-identifier strip on text prompts.
- Restore audit log: when a new device restores your backup, we record device and network metadata so we can alert you. The log auto-deletes after a short retention window. Only support can read it; the client app cannot.
- Server-side trial: your free-trial state is server-side, so reinstalling or clearing app data doesn't reset it. Paid subscribers bypass the trial.
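To show how a single recovery code can give the server something to look up while keeping the key it must never see, here is an added illustration in Python. It is not Reflect's code, and its parameters are assumptions: PBKDF2-HMAC-SHA256 with a fixed application salt to stretch the code, HMAC-SHA256 with distinct labels to split the result into independent subkeys, and an HMAC-based keystream with encrypt-then-MAC standing in for a real authenticated cipher such as AES-GCM. The sample recovery code and journal text are constructed. It demonstrates the properties described above: the lookup value and the encryption key come from the same code but are independent, a wrong code is rejected, and a tampered blob is rejected before any data is returned.

```python
import hashlib
import hmac
import os

# Added illustration, not Reflect's code. Assumed parameters: PBKDF2-HMAC-SHA256
# with a fixed application salt to stretch the recovery code, HMAC-SHA256 with
# distinct labels to split the result into independent subkeys, and an
# HMAC-based keystream with encrypt-then-MAC standing in for a real
# authenticated cipher such as AES-GCM.

PBKDF2_ITERATIONS = 200_000
APP_SALT = b"reflect-backup-v1"  # assumed constant for the example
NONCE_LEN, TAG_LEN = 16, 32


def stretch_recovery_code(code: str) -> bytes:
    """Slow stretch of the human-held recovery code into a 32-byte master secret."""
    return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), APP_SALT, PBKDF2_ITERATIONS)


def derive(master: bytes, label: bytes) -> bytes:
    """Domain-separated subkey: one label's output reveals nothing about another's."""
    return hmac.new(master, label, hashlib.sha256).digest()


def lookup_id(code: str) -> str:
    """What a server may store to locate a backup: one-way, and independent of the
    encryption key, so a database reader can find the blob but not decrypt it."""
    return derive(stretch_recovery_code(code), b"lookup").hex()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC; a stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class BackupDecryptError(Exception):
    """Wrong recovery code or tampered blob. No partial plaintext is ever returned."""


def encrypt_backup(code: str, plaintext: bytes) -> bytes:
    master = stretch_recovery_code(code)
    enc_key, mac_key = derive(master, b"enc"), derive(master, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_backup(code: str, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise BackupDecryptError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    master = stretch_recovery_code(code)
    enc_key, mac_key = derive(master, b"enc"), derive(master, b"mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    # Fail closed: authenticate before decrypting anything.
    if not hmac.compare_digest(expected, tag):
        raise BackupDecryptError("wrong recovery code or tampered backup")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    """Exercise the properties the policy describes. Sample code and text are constructed."""
    code = "K7QM-3TXW-9HDB-2ZLP"
    moment = b"2026-05-01 mood=calm 'Walked by the river, no phone.'"
    blob = encrypt_backup(code, moment)
    results = {
        "roundtrip": decrypt_backup(code, blob) == moment,
        "lookup_is_not_key": lookup_id(code) != derive(stretch_recovery_code(code), b"enc").hex(),
    }
    try:
        decrypt_backup("WRONG-CODE-0000-0000", blob)
        results["wrong_code_rejected"] = False
    except BackupDecryptError:
        results["wrong_code_rejected"] = True
    tampered = bytearray(blob)
    tampered[NONCE_LEN + 4] ^= 0x01  # flip one ciphertext bit
    try:
        decrypt_backup(code, bytes(tampered))
        results["tamper_rejected"] = False
    except BackupDecryptError:
        results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the separate "lookup" label is the trust boundary in the text: the server can hold lookup_id without learning enc_key or mac_key, whereas storing the raw recovery code would hand a database reader everything needed to decrypt.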
Data Sharing
We don't sell your data. We don't trade it. We don't show ads, so there's nobody to share it with for advertising purposes.
The third parties we use to run the app, and what each sees:
- Google (Firebase & Gemini): hosts our backend and runs the AI model. Google sees the encrypted blobs we send for backup, plain-text sync data, Together profiles and Shared Journal entries (which are stored unencrypted), and operational metadata like rate-limit counters. AI prompts (with personal identifiers stripped) are sent to Gemini. Per Google's API terms, prompts are not retained after the response and are not used to train Gemini.
- RevenueCat: our subscription gateway. Sees your anonymous account ID and entitlement status. Never sees journal content.
- PostHog: anonymous product analytics. Receives event names with non-identifying properties. We never send your account ID, journal text, AI prompts, or AI responses. Disable in Settings.
- Weather APIs: when you tag a moment with location, the location is sent to a weather provider. No journal content goes there.
- Apple App Store / Google Play: handle the actual payment when you buy a subscription or Lifetime. We never see your card number, billing address, or receipt details — Apple and Google share only the validation result with us.
Your Rights & Choices
- Access: every moment, photo, voice memo, and setting is visible to you in the app — that is your data.
- Export: Settings › Backup & Restore › Export saves a copy of your moments to your device.
- Delete one moment: long-press the moment and choose Delete. Removed locally and from your encrypted backup on next sync.
- Delete everything: Settings › Delete Account wipes your local data, encrypted backup, photos, voice memos, sync data, buddy connection and shared-journal entries, profile, avatar, subscription record, notification tokens, and recovery-code lookup. Your authentication account is removed at the end.
- Server-side erasure on request: email [email protected]; we honor it within 30 days.
- Opt out of AI: Settings › AI › toggle off.
- Opt out of analytics: Settings › Share anonymous usage data › toggle off. No further events are sent.
- Opt out of sync: don't sign in on a second device, or disconnect that device from Settings.
Data Controller & Legal Basis (GDPR / UK GDPR)
For users in the European Economic Area, the United Kingdom, and Switzerland, the data controller for Reflect is Reflect, operated from Tunisia, contactable at [email protected].
We process your personal data on the following legal bases:
- Performance of a contract (Art. 6(1)(b)): storing your moments, syncing across your devices, processing subscriptions, and providing the core journaling experience.
- Consent (Art. 6(1)(a)): optional features such as AI, location tagging, Together, Shared Journal, cloud backup, and notifications. You may withdraw consent at any time; withdrawal does not affect the lawfulness of processing carried out before it.
- Legitimate interests (Art. 6(1)(f)): anti-abuse measures (rate limiting, device-integrity checks, trial enforcement, restore audit logs) and minimal operational metadata strictly necessary to keep the service secure and reliable.
Your rights under GDPR / UK GDPR: access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection, and the right to lodge a complaint with your local supervisory authority. To exercise any of these rights, contact us at [email protected]. We respond within 30 days.
California Residents (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect, the right to delete it, the right to correct it, and the right to opt out of "sale" or "sharing" of personal information.
- We do not sell your personal information. We do not share it for cross-context behavioral advertising.
- Categories collected are listed under "What We Collect" above.
- Sources: directly from you (moments, photos, profile, recovery code) and from your device (anonymous account ID, device-integrity token, optional location).
- Purposes: providing the journaling service, optional AI features, optional cloud backup, optional Together / Shared Journal, and security / anti-abuse.
- To exercise your rights, contact [email protected]. We will not discriminate against you for exercising any right.
International Data Transfers
Reflect uses cloud services operated by Google LLC, primarily hosted in the United States. If you back up your data, use AI features, sync across devices, or use Together / Shared Journal, your data is transferred to and processed in the United States. For users in the EEA, UK, and Switzerland, these transfers rely on Google's Standard Contractual Clauses, the UK International Data Transfer Addendum, and Google's participation in the EU–US Data Privacy Framework.
If you'd rather your data not leave your device, you can use Reflect entirely offline: skip cloud backup, don't enable sync on a second device, disable AI features, don't connect a buddy, and don't enable the Shared Journal. The core journaling experience works fully offline.
Data Retention
- Local moments: stay on your device until you delete them or uninstall.
- Encrypted backups: kept until you delete them or wipe the account.
- Sync data: kept while you have at least one device syncing.
- Recovery code: until you regenerate it or delete the account.
- Subscription records: kept while your entitlement is active so the app correctly unlocks features across reinstalls and devices, plus a limited additional period for tax, accounting, and dispute resolution.
- Trial records: kept while needed to prevent reinstall-to-reset abuse.
- Together connections: kept while you have a buddy connection. Removing the buddy hard-deletes the connection and any shared-journal entries between you.
- Restore audit log: short retention; auto-deleted after the window.
- Crash reports: standard retention. Reports include device model, OS version, and stack traces — never journal text or AI content.
- AI requests: per Google's terms, prompts are not retained after the response and are not used to train Gemini.
Your right to deletion is absolute. You can:
- Delete individual moments, photos, voice memos, goals, and reactions directly inside the app at any time.
- Use Settings › Delete Account to wipe everything we hold in one action.
- Email [email protected] to request server-side deletion of any remaining data tied to your anonymous account ID. We honor these within 30 days, as required by GDPR Art. 17 and equivalent local laws.
AI Model Training
Your moments are never used to train AI models. Our integration with Google Gemini uses the paid API, which per Google's terms does not retain prompts after responding and does not use prompts to improve Google's foundation models. We do not run our own AI training pipeline. We do not share moments with any third party for model training, fine-tuning, or evaluation.
Data Breach Notification
If we become aware of a data breach affecting your personal information, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, as required by GDPR Art. 33, and notify affected users without undue delay, as required by GDPR Art. 34. Because we use anonymous accounts (no email on file by default), user notification is delivered via in-app message and push notification.
Children's Privacy
Reflect is for users aged 13 and above. Onboarding shows a date-of-birth picker on first launch. If your date of birth makes you younger than 13, the app routes you to a restriction screen with no Continue button — there's no way to enter the rest of the app. We don't store the date of birth; it's used only for the gate. If you believe a child under 13 has somehow created an account and added data, email [email protected] and we'll remove it.
In-App Purchases & Subscriptions
Reflect offers optional premium features through auto-renewable subscriptions (monthly, yearly) and a one-time Lifetime purchase, managed entirely via the Apple App Store or Google Play Store. There is a free trial for new users.
- Payment processing: all transactions are handled by Apple or Google. We do not collect, store, or have access to your payment information.
- Subscription record: we store your subscription status (active/inactive, plan type, and for Lifetime buyers the activation and expiry dates of the AI window) so the app can correctly gate features across reinstalls and devices. No purchase receipts or financial data.
- Lifetime AI window: if you purchase the one-time Lifetime tier, AI features are included for 3 years from the purchase date. After the window ends, all your moments and non-AI premium features remain unlocked forever; AI features alone require an active monthly or yearly subscription to reactivate. You'll receive in-app reminders well before the window ends.
- For details on how Apple or Google handle your payment data, please refer to their respective privacy policies.
Changes to This Policy
We may update this Privacy Policy from time to time. Significant changes will be notified within the app. Continued use of the app after changes means you accept the updated policy.
Contact Us
If you have any questions or concerns about this Privacy Policy or your data, please contact us at [email protected].