Why are seats limited?

To maintain a high-quality experience for every user.

Is Reff coaching or therapy?

Reflo uses the same methodologies professional coaches use, but without the scheduled appointments or someone else's opinion shaping your decisions. It's not therapy. The focus is strategic clarity, not mental health. Think of it as structured coaching, available at 3am when you're stuck, without the wait.

Does Reff take actions for me?

No - and that's intentional. Reff helps you think clearly so every decision stays yours.

Access for Early Adopters is free. Paid plans will launch with General Availability.

How is Reff different from ChatGPT?

ChatGPT answers questions. Reff asks them - in a structured sequence, grounded in your specific context, using proven frameworks. The goal isn't to give you solutions. It's to ask the questions that help you find your own.

Does Reff remember my previous sessions?

Yes. The more context you build, the sharper each session becomes. Reff tracks your goals and past decisions so you never start from scratch.

Privacy Policy

Name: Reflective AI
Availability: LimitedAvailability
Author: Gracjan Orzechowski

Updated: April 14, 2026

Reflective AI (“we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have over it.

This Privacy Policy applies to the Reflective AI web application, mobile application, and website (collectively, the “Service”), accessible at https://getreflective.co. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with it, you must not use the Service.

This Privacy Policy should be read alongside our Terms of Service, available at https://getreflective.co/terms.

1. Definitions

Account: a registered account giving you access to the Service.
Company / we / us / our: Reflective AI, operated by Gracjan Orzechowski, based in Poland.
Device: any internet-connected device (phone, tablet, computer) used to access the Service.
Personal Data: any information that directly or indirectly identifies or allows the identification of a natural person.
Profile Data: goals, values, working styles, roles, and personality synthesis data you provide to personalise your sessions.
Service: the Reflective AI web application, mobile application, and website.
Session Data: thinking session transcripts, your inputs, questions generated during sessions, and context retained across sessions.
User Content: all materials you submit to the Service, including text inputs, uploaded documents, audio recordings, and video files.
You / User: a natural person registered to use the Service.

2. Information We Collect

2.1 Account Information

When you register, we collect:

Preferred name (how Reff addresses you)
Email address
Password (stored in hashed form — we never store your password in plaintext)
Roles you select during onboarding (e.g. Founder, Creator, Leader)

2.2 Profile Data

To personalise your experience, you may voluntarily provide:

Professional context (industry, domain)
Short-term and long-term goals
Core values (collected through guided in-session inquiry)
Results from personality frameworks you choose to share (e.g. DISC, Gallup StrengthsFinder, FRIS)

This data is used exclusively to improve the quality and relevance of your thinking sessions. It is not shared with third parties for commercial purposes.

2.3 Session Data and User Inputs

When you use the Service, we collect and retain:

Your text inputs during sessions
Questions and responses generated by Reff during sessions
Session context retained across multiple sessions (session memory)
Materials you upload via the “Reflect on This” feature (documents, audio, video)
Session metadata (timestamps, session stage, intent — reflection or action)

This is the most sensitive data we hold. See Section 5 (Artificial Intelligence and Data Processing) and Section 6 (Storage Modes) for how it is protected.

2.4 Usage and Analytics Data

We collect analytics data to understand how the Service is used and to improve it. This includes:

Pages and features accessed, interaction patterns, session duration
Device type, operating system, browser type
IP address (used to derive approximate geographic location)
Crash reports and error logs

This data is collected via Google Analytics and Firebase Analytics. See Section 7.2 and Section 10 for details.

2.5 Communications

If you contact us by email or through the Service, we retain the content of that communication and your contact details to respond to you and to maintain a record of your support history.

3. How We Use Your Information

3.1 To Provide and Personalise the Service

We use your Account Information, Profile Data, and Session Data to operate the Service — including facilitating thinking sessions, retaining context across sessions, and tailoring Reff’s approach to your goals, values, and professional context.

3.2 AI Processing

Your inputs and session context are processed by AI systems to generate Reff’s responses. See Section 5 for a full explanation of how AI processing works, what data leaves our infrastructure, and what protections apply.

3.3 Analytics and Service Improvement

We use aggregated, anonymised usage data to understand how the Service performs and to prioritise improvements. We do not use your Session Data or User Content for this purpose.

3.4 Communications

We use your email address to:

Send account-related notifications (account confirmation, password reset, access invitations)
Notify you of material changes to these Terms or this Privacy Policy
Send the Weekly Strategic Synthesis summary (if enabled)
Contact you regarding your Early Access status or subscription

You may opt out of non-essential communications at any time.

3.5 Security and Fraud Prevention

We use technical data and account activity to detect and prevent unauthorised access, abuse, and security threats.

3.6 Legal Compliance

We process and retain data where required to comply with applicable law, including tax and accounting obligations, and to respond to lawful requests from authorities.

If you are in the European Economic Area (EEA), we process your personal data on the following legal bases:

Processing Activity	Legal Basis
Operating your account and delivering the Service	Performance of a contract (Art. 6(1)(b))
Profile data and session personalisation	Your consent (Art. 6(1)(a)), withdrawable at any time
Analytics	Legitimate interests (Art. 6(1)(f)) — improving the Service
Security and fraud prevention	Legitimate interests (Art. 6(1)(f))
Legal compliance	Legal obligation (Art. 6(1)(c))
Marketing communications	Your consent (Art. 6(1)(a))

5. Artificial Intelligence and Data Processing

This section explains how AI works within the Service and what that means for your data.

5.1 We Never Train on Your Data

We do not use your Session Data, User Content, Profile Data, or any other personal data to train, fine-tune, or otherwise develop any AI or machine learning model — now or in the future, without your explicit opt-in consent.

We contractually require the same of every AI provider we engage. See Section 5.3.

5.2 Transient Processing by AI Providers

The Service uses third-party large language model (LLM) providers to generate Reff’s responses. As an inherent constraint of how AI systems function, your session content — including your inputs and Reff’s questions — is sent to the AI provider’s infrastructure in plaintext during each active session in order to generate a response.

This applies regardless of your storage mode. Encrypted storage protects your data at rest; it does not prevent the AI provider from seeing your content during active processing.

Your data is not retained by the AI provider beyond what is strictly necessary to process your request, subject to our contractual requirements and the provider’s own data processing terms.

5.3 AI Sub-Processors

The Service operates on a vendor-agnostic architecture, meaning the specific LLM provider in use may change over time. All AI providers we engage are contractually required to:

Process your data solely to fulfill your session requests
Not use your data to train or improve their models
Comply with applicable data protection law, including GDPR where applicable
Implement appropriate security measures

Material changes to AI providers will be reflected in an updated version of this Privacy Policy.

5.4 Automated Decision-Making

The Service does not make automated decisions that produce legal effects or similarly significant effects on you (as defined under GDPR Art. 22). Reff asks questions and facilitates your thinking — all decisions remain entirely yours.

5.5 AI Accuracy

Reff uses generative AI. The questions and responses it generates are probabilistic outputs and may be inaccurate, incomplete, or contextually inappropriate. Nothing generated through the Service constitutes professional advice of any kind. You are solely responsible for evaluating and acting on any outputs.

6. Storage Modes and Encryption Architecture

6.1 Mode Selection is Permanent

During onboarding, you select a storage mode. This choice cannot be changed after account creation. Please review both options carefully before completing registration.

6.2 Standard Mode

Your encryption keys are managed by the platform. Your data is encrypted at rest, and we implement enterprise-grade security measures to protect it. This mode provides data recovery options and a more seamless account experience.

6.3 Private Mode (Default)

Your encryption keys are derived from a passphrase that you set. We do not store your passphrase or your derived key between sessions. This means:

A compromise of our database infrastructure, without an active session, yields no readable data — an attacker obtains only encrypted ciphertext.
There is no recovery mechanism. If you lose your passphrase, your Session Data and User Content cannot be recovered — by you, by us, or by any third party. This loss is permanent and irreversible.
You are solely responsible for safeguarding your passphrase.

Private mode is pre-selected during onboarding. Selecting Standard mode requires an explicit, informed choice.

6.4 Server-Side Transient Processing

Regardless of storage mode, the server transiently holds your derived encryption key during active requests in order to perform encryption and decryption operations. This is an architectural constraint. Your key is not persisted server-side between sessions.

6.5 Corporate Accounts

Corporate accounts are assigned Private mode by default. An additional organisational recovery mechanism is available to designated administrators, allowing recovery via a distributed key-splitting approach requiring multiple authorised parties. Individual users under a corporate account cannot opt out of Private mode.

We do not sell your personal data. We do not share your data with advertisers, ad networks, marketing partners, or data brokers. We share your data only in the following limited circumstances:

7.1 AI Providers

Your session content is processed by third-party LLM providers as described in Section 5. These providers act as data processors on our behalf under contractual data processing agreements.

7.2 Analytics Providers

We use Google Analytics and Firebase Analytics to collect aggregated usage data. These services may collect device identifiers, IP addresses, and interaction data. Google may process this data in the United States. Google’s data processing terms and privacy policy govern their handling of this data.

You may opt out of Google Analytics tracking by using the Google Analytics Opt-out Browser Add-on.

7.3 Infrastructure and Hosting

We use third-party providers for server infrastructure, database hosting, and content delivery. These providers process data on our behalf and are bound by appropriate data processing agreements.

7.4 Legal Requirements

We may disclose personal data to government authorities or law enforcement where required by applicable law, court order, or legal process, or where we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

7.5 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, your personal data may be transferred to the successor entity. We will notify you of any such change and ensure your data remains subject to equivalent protections.

7.6 What We Do Not Do

To be explicit:

We do not sell your personal data to any third party.
We do not share your data with advertisers or ad networks.
We do not use your data to build profiles for third-party commercial purposes.
We do not share Session Data or User Content with any party other than AI providers, for the purpose of generating your session responses.

8. International Data Transfers

Reflective AI is operated from Poland within the European Union. Your data is primarily processed within the EEA.

AI providers and analytics services (including Google Analytics and Firebase) may process data outside the EEA, including in the United States. Where such transfers occur, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent mechanisms, to ensure your data receives an equivalent level of protection.

9. Data Retention

Data Type	Retention Period
Account information	For the duration of your account, plus up to 60 days following deletion
Session Data and User Content	For the duration of your account; deleted upon verified deletion request or account closure
Profile Data	For the duration of your account; deleted upon verified deletion request or account closure
Analytics data	Aggregated; retained per Google Analytics and Firebase retention settings
Communications (support emails)	Up to 3 years from the date of last contact
Legal compliance records	As required by applicable law (typically up to 5 years)

If you request deletion of your account, all personal data stored in our active systems will be deleted within 30 days, except where retention is required by law. Residual copies in backup systems will be purged within 60 days.

Note on Private mode: If you use Private mode and lose your passphrase before requesting deletion, your session data is already cryptographically inaccessible to us and effectively irretrievable.

10. Cookies and Tracking Technologies

10.1 Cookies

The Service uses cookies to maintain your login session, remember your preferences, and support the functionality of the application. Without essential cookies, you will not be able to remain logged in or use core features of the Service.

We do not place personally identifiable information in cookies.

10.2 Local Storage

The Service uses browser local storage to retain certain client-side preferences and session state across visits.

10.3 Google Analytics and Firebase Analytics

We use Google Analytics and Firebase Analytics to collect anonymised usage data. These services use cookies and device identifiers to track interactions with the Service. The data collected includes pages visited, features used, session duration, device type, and approximate geographic location.

This data is used solely to understand and improve the Service. It is not used for advertising purposes and is not shared with ad networks.

You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on. You can manage Firebase Analytics via your device’s advertising settings.

10.4 Managing Cookies

Most browsers allow you to control or disable cookies through their settings. Disabling essential cookies may prevent you from accessing the Service or using certain features. Non-essential tracking cookies (analytics) can be disabled without affecting core functionality.

11. Security

We implement technical and organisational measures to protect your personal data, including:

Client-side key derivation with encrypted storage at rest (see Section 6)
Encrypted data transmission (TLS)
Access controls limiting data access to authorised personnel
Automated security screening of uploaded files
Regular review of our security practices

No security system is infallible. We cannot guarantee the absolute security of your data. If you become aware of any security vulnerability or incident relating to the Service, please contact us immediately at support@getreflective.co.

12. Your Rights

If you are located in the EEA or the United Kingdom, you have the following rights in relation to your personal data:

Right of access — You may request a copy of the personal data we hold about you.
Right to rectification — You may request correction of inaccurate or incomplete data.
Right to erasure — You may request deletion of your personal data (“right to be forgotten”), subject to legal retention obligations.
Right to data portability — You may request your data in a structured, machine-readable format.
Right to restriction — You may request that we limit processing of your data in certain circumstances.
Right to object — You may object to processing based on legitimate interests.
Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
Right to lodge a complaint — You have the right to lodge a complaint with the supervisory authority in your country of residence. In Poland, this is the Urząd Ochrony Danych Osobowych (UODO), available at https://uodo.gov.pl.

To exercise any of these rights, contact us at support@getreflective.co. We will respond within 30 days of receiving a verified request.

12.2 California Residents (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

Right to Know — You may request information about the categories and specific pieces of personal data we have collected about you, the purposes for which it is used, and the categories of third parties with whom it is shared.
Right to Delete — You may request deletion of personal data we have collected from you, subject to certain exceptions.
Right to Non-Discrimination — We will not discriminate against you for exercising your privacy rights.
Right to Opt-Out of Sale — We do not sell personal data. No opt-out action is required.

To exercise your rights, contact us at support@getreflective.co. We will respond within 45 days.

13. Children’s Privacy

The Service is intended exclusively for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you are a parent or guardian and believe your child has registered for the Service, please contact us at support@getreflective.co and we will promptly delete the account and associated data.

14. Links to Third-Party Websites

The Service may contain links to external websites or services. This Privacy Policy applies only to the Service. We are not responsible for the privacy practices of any third-party site or service, and we encourage you to review their privacy policies before sharing any personal data.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting the updated policy on the website and, where appropriate, by sending a notification to the email address associated with your account. The effective date at the top of this document will reflect the most recent revision.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not accept the changes, you must stop using the Service and may request deletion of your account.

16. Contact

For questions, requests, or concerns relating to this Privacy Policy or your personal data, please contact:

Gracjan Orzechowski

Reflective AI (Reff)

Email: support@getreflective.co

Website: https://getreflective.co

We aim to respond to all enquiries within 5 business days.