Privacy Policy

Last updated: March 2026

1. Who We Are

Reflct operates reflct.io and is the data controller under GDPR. Contact: privacy@reflct.io

2. What Data We Collect

  • Email address
  • Interview transcripts
  • Audio recordings (deleted immediately after transcription)
  • AI analysis scores and coaching feedback
  • Session history (Pro tier)
  • IP address, browser type, and usage logs

3. Legal Basis for Processing

  • Consent (Art. 6(1)(a)) for transcript analysis — withdrawable at any time
  • Contract performance (Art. 6(1)(b)) for account and payment management
  • Legitimate interests (Art. 6(1)(f)) for security and fraud prevention
  • Legal obligation (Art. 6(1)(c)) for tax and accounting compliance

4. How We Use Your Data

  • To provide AI analysis and coaching feedback
  • To manage your account and subscription
  • To process payments
  • To send analysis results by email
  • To track progress across sessions
  • To detect fraud and security incidents

We never use your content to train AI models.

5. Data Retention

  • Audio files deleted immediately after transcription
  • Transcripts and results retained while account is active, deleted within 30 days of account closure
  • Free tier results deleted after 7 days
  • Payment records retained 10 years (German tax law §147 AO)
  • Technical logs retained 90 days

6. Your GDPR Rights

  • Right of Access (Art. 15) — request a copy of all your data
  • Right to Erasure (Art. 17) — one-click account and data deletion within 30 days
  • Right to Rectification (Art. 16) — correct inaccurate data
  • Right to Data Portability (Art. 20) — download your data as JSON or CSV
  • Right to Withdraw Consent (Art. 7(3)) — withdraw at any time
  • Right to Object (Art. 21) — object to legitimate interest processing

Contact privacy@reflct.io to exercise any right. Response within 30 days. Supervisory authority: Berliner Beauftragte für Datenschutz und Informationsfreiheit, www.datenschutz-berlin.de

7. Data Sharing and Sub-processors

  • OpenAI Whisper API — transcription only, zero data retention configured, no model training
  • Anthropic Claude API — analysis only, API inputs not used for training
  • Supabase — database and storage, EU servers Frankfurt Germany
  • Vercel — application hosting, EU region
  • Stripe — payment processing, PCI DSS compliant

We do not sell your data.

We do not share with advertisers.

We do not transfer data outside the EEA.

8. Security

All data is transmitted over HTTPS (TLS). Data at rest is encrypted. Audio is deleted immediately after transcription. Access is restricted to authorised personnel. Data breach notification within 72 hours, as required by Art. 33-34 GDPR.

9. Cookies

We use only essential session cookies required for authentication. No tracking or advertising cookies. No cookie consent banner required.

10. Children

The service is not directed at under-18s. Contact privacy@reflct.io if you believe a child has submitted data.

11. Changes

Material changes are communicated by email 14 days before taking effect.

12. Contact

privacy@reflct.io

Supervisory authority: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Alt-Moabit 59–61, 10555 Berlin, www.datenschutz-berlin.de