Your privacy,
taken seriously.

We collect only what we need to provide you with a meaningful journaling experience. This includes:

• Account information — your email address and password (stored as a secure hash) when you create an account.
• Journal entries — the text, mood tags, and metadata (date/time) you create within the app.
• Device information — basic device type and OS version for crash reporting and compatibility purposes.
• Usage analytics — anonymised, aggregate data about feature usage to help us improve the app. This is never tied to your identity.

Your data is used solely to operate and improve Reflecto. Specifically:

• To sync your journal entries securely across your devices.
• To send you account-related emails (password resets, security notices).
• To diagnose bugs and improve app performance using anonymised crash reports.
• To understand which features are most useful so we can prioritise improvements.

We will never sell your data. We will never use your journal entries to train AI models. We will never serve you advertisements. Your reflections are private by design.

All data is stored on servers located in India, operated by reputable cloud infrastructure providers. We apply the following protections:

• Encryption in transit — all communication between your device and our servers uses TLS 1.3.
• Encryption at rest — your journal data is encrypted at the database level.
• Password hashing — passwords are hashed using bcrypt and never stored in plain text.
• Access control — only a minimal set of authorised personnel can access production systems, and only for operational purposes.

While no system is 100% impenetrable, we follow industry best practices and review our security posture regularly.

We use a small number of trusted third-party services to operate Reflecto:

• Cloud hosting — for secure server infrastructure and database storage.
• Transactional email — to send password reset and account notification emails.
• Crash reporting — anonymised error logs to help us fix bugs faster.

Each of these providers processes only the minimum data necessary for their function, and is bound by data processing agreements. We do not integrate with advertising networks, data brokers, or social media tracking pixels.

You have full control over your data. At any time, you can:

• Access your data — request a complete export of all your journal entries and account information.
• Correct your data — update your email address or other account details from within the app.
• Delete your data — permanently delete your account and all associated data. See our Data Deletion page.
• Withdraw consent — opt out of any optional analytics or communications at any time.

We retain your data for as long as your account is active. If you delete your account, we permanently delete all your personal data — including every journal entry — within 30 days.

Anonymised, aggregated analytics data (which cannot be linked back to you) may be retained indefinitely for product improvement purposes.

Backups containing your data are purged on a rolling 30-day cycle, so all traces are removed within 60 days of account deletion.

Reflecto is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately at privacy@reflecto.co.in and we will delete it promptly.

We may update this Privacy Policy from time to time. When we make material changes, we'll notify you by email and display a prominent notice in the app at least 14 days before the changes take effect.

Your continued use of Reflecto after any changes constitutes your acceptance of the updated policy. The date at the top of this page always reflects when it was last revised.