Privacy Policy
1. Introduction
Reflecto is a notification mirroring application that lets you view, dismiss, and reply to your Android phone's notifications from a Chrome browser extension. This Privacy Policy explains what data we collect, why we collect it, how we process and protect it, and what rights you have over your data.
We built Reflecto with a privacy-first architecture: all notification content is end-to-end encrypted (E2E) using X25519 key exchange and XSalsa20-Poly1305 (NaCl secretbox) encryption. Our server functions as a relay and never has the ability to read your notification content.
This policy applies to the Reflecto Android application, the Reflecto Chrome browser extension, the Reflecto server infrastructure, and the Reflecto website and landing page at reflecto.dev.
2. Data We Collect — At a Glance
The table below provides a summary of all data Reflecto collects or processes. Detailed explanations follow in subsequent sections.
| Data Type | Where Stored | Purpose | Retention |
|---|---|---|---|
| Device IDs (UUIDs) | Server (Redis) | Routing messages between your devices | Until you unpair or delete |
| Public encryption keys | Server (Redis) | Facilitating E2E encrypted key exchange | Until you unpair or delete |
| FCM registration tokens | Server (Redis) | Delivering push messages to your Android device | Until token rotates or you unpair |
| Encrypted notification blobs | Server (Redis, transient) | Relaying encrypted data between your devices | 72 hours maximum, then auto-deleted |
| Message timestamps | Server (Redis) | Ordering and syncing messages | 72 hours (same as encrypted blobs) |
| Notification content (plaintext) | Your devices only (local) | Displaying notifications, executing dismiss/reply | Never sent to or stored on our server |
| Crash reports | Firebase Crashlytics (Google) | Diagnosing app crashes and bugs | 90 days (Google's retention policy) |
| Email address (landing page only) | Buttondown (third party) | Beta waitlist communication | Until you unsubscribe |
3. Data Collection in Detail
3.1 Data Stored on Our Server
Our server stores the minimum data necessary to route encrypted messages between your paired devices. Specifically:
- Device identifiers (UUIDs): Randomly generated identifiers assigned to your Android device and Chrome extension at install time. These are not linked to your personal identity, email, or phone number.
- User identifier (UUID): A randomly generated identifier created on your Android device at first install. This groups your devices together for message routing. It is not linked to any personal information.
- Public encryption keys: Your devices' X25519 public keys, exchanged during pairing. These are cryptographic values used to facilitate the key exchange. They cannot be used to decrypt your notification content.
- FCM registration tokens: Tokens issued by Google's Firebase Cloud Messaging service, used to deliver push messages to your Android device. These tokens are opaque identifiers managed by Google and rotate periodically.
- Encrypted notification blobs: When your Chrome extension is offline, encrypted messages are queued in Redis for up to 72 hours. These blobs are encrypted on your Android device before reaching our server. We cannot read, decrypt, or inspect their contents.
- Message timestamps: Server-assigned timestamps used for ordering and synchronizing messages between your devices. Retained for the same 72-hour window as encrypted blobs.
3.2 Data That Never Reaches Our Server
The following data is processed exclusively on your local devices and is never transmitted to our server in readable form:
- Notification content (app names, titles, message bodies, sender names)
- Your private encryption keys (stored in Android Keystore on Android and in chrome.storage.local in the Chrome extension)
- The shared encryption secret computed by your devices
- Your app filtering preferences (which apps are mirrored)
- Your reply text (encrypted on-device before transmission)
3.3 Landing Page and Beta Waitlist
If you sign up for our beta waitlist on reflecto.dev, we collect your email address. This email is stored and processed by Buttondown, our third-party email service provider, for the sole purpose of sending you product updates and beta access invitations. We do not use your email for any other purpose.
Buttondown's privacy policy is available at https://buttondown.com/legal/privacy. You can unsubscribe at any time using the link in any email we send, or by contacting us at privacy@reflecto.dev.
3.4 Crash Reporting (Firebase Crashlytics)
We use Firebase Crashlytics, a service provided by Google LLC, to collect crash reports from the Reflecto Android application. When the app crashes, Crashlytics automatically collects technical diagnostic information including:
- Device model, operating system version, and device orientation
- Amount of free RAM and disk space at the time of crash
- A Crashlytics installation UUID (a random identifier, not linked to your personal identity)
- Stack trace of the crash (technical error information from the application code)
Crashlytics does not collect notification content, app names, message text, or any data from your notifications. Crash reports are retained by Google for 90 days.
Firebase Crashlytics' data processing is governed by Google's Data Processing Terms, available at https://firebase.google.com/terms/crashlytics.
4. How We Use Your Data
We use the data described in Section 3 for the following purposes and no others:
- Routing encrypted messages between your paired Android device and Chrome extension.
- Delivering push notifications to your Android device via Firebase Cloud Messaging.
- Queuing encrypted messages when your Chrome extension is offline, for delivery when it reconnects.
- Diagnosing and fixing application crashes and bugs (via Firebase Crashlytics).
- Communicating product updates and beta access to users who voluntarily signed up for our waitlist.
We do not use your data for advertising, profiling, behavioural tracking, or selling to third parties. We do not build user profiles. We do not serve ads.
5. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your data under the following legal bases as defined by the General Data Protection Regulation (GDPR):
- Legitimate interest (Article 6(1)(f)): We process device identifiers, public keys, FCM tokens, and encrypted message blobs because it is necessary for the core functionality of the service (relaying encrypted notifications between your devices). You cannot use Reflecto without this processing, and we have assessed that this processing does not override your fundamental rights given that the data is either non-personal (random UUIDs, public keys) or encrypted and unreadable by us.
- Consent (Article 6(1)(a)): We process your email address for beta waitlist communications only with your explicit consent, given when you submit the signup form. You may withdraw consent at any time by unsubscribing.
- Legitimate interest (Article 6(1)(f)): We process crash reports via Firebase Crashlytics to maintain and improve the reliability of the application.
6. Third-Party Services
Reflecto uses the following third-party services that may process limited data:
6.1 Firebase Cloud Messaging (Google LLC)
Used to deliver push messages to your Android device. Google processes FCM registration tokens and delivery metadata. Google's privacy policy applies to this processing.
6.2 Firebase Crashlytics (Google LLC)
Used to collect and analyse crash reports from the Android application. Processes technical diagnostic data as described in Section 3.4. Data is processed and stored by Google in the United States.
6.3 Buttondown
Used to manage the beta waitlist email list. Processes only the email addresses of users who voluntarily sign up. Data is stored and processed by Buttondown in the United States.
6.4 Hosting Provider
Our server infrastructure is hosted in the United States by our hosting provider. The server processes only the data described in Section 3.1 (device identifiers, public keys, FCM tokens, encrypted blobs, and timestamps). Our hosting provider does not have access to your notification content, which is end-to-end encrypted.
7. International Data Transfers
Reflecto is operated from India, and our server infrastructure is located in the United States. If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with data transfer restrictions, please be aware that your data (as described in Section 3.1) will be transferred to and processed in the United States.
We rely on the following safeguards for these transfers:
- For data processed by Google (FCM, Crashlytics): Google's Data Processing Terms, which incorporate Standard Contractual Clauses (SCCs) approved by the European Commission.
- For data processed on our hosted server: We select hosting providers that offer Data Processing Agreements incorporating Standard Contractual Clauses. We will update this section with the specific provider name and DPA reference once our hosting is finalized.
- For data processed by Buttondown: Buttondown's Data Processing Agreement, which you can review in their legal documentation.
Importantly, the substantive content of your notifications is end-to-end encrypted before it leaves your device. Even though encrypted blobs transit through servers in the United States, the plaintext content is never accessible to us, our hosting provider, or any third party.
8. Data Retention
We retain data for the minimum period necessary to provide the service:
- Encrypted message blobs and timestamps: Automatically deleted after 72 hours, or upon acknowledgement by the receiving device, whichever comes first.
- Device identifiers, public keys, and FCM tokens: Retained for as long as your devices are paired. Deleted when you unpair or delete your data through the Android app.
- User identifier: Retained for as long as you have at least one paired device. Deleted when you unpair or delete your data.
- Crash reports (Crashlytics): Retained by Google for 90 days per their standard retention policy.
- Beta waitlist email: Retained by Buttondown until you unsubscribe or request deletion.
We do not maintain long-term archives or backups of your message data.
9. Your Rights and How to Exercise Them
9.1 Deleting Your Data (Self-Service)
You can delete all server-side data associated with your account by using the unpair/delete function in the Reflecto Android app. This will:
- Remove your device identifiers, public keys, and FCM tokens from our server.
- Delete any queued encrypted message blobs for your devices.
- Remove the association between your paired devices.
This action is immediate and irreversible. After deletion, you would need to complete the pairing process again to use Reflecto. For a full walkthrough, see our data deletion page.
9.2 Rights Under GDPR (EEA, UK, and Switzerland Residents)
If you are located in the EEA, UK, or Switzerland, you have the following rights under GDPR:
- Right of access (Article 15): You may request a copy of the personal data we hold about you.
- Right to rectification (Article 16): You may request correction of inaccurate data.
- Right to erasure (Article 17): You may request deletion of your data. You can exercise this immediately through the self-service unpair/delete function, or by contacting us.
- Right to restriction of processing (Article 18): You may request that we restrict processing of your data in certain circumstances.
- Right to data portability (Article 20): You may request your data in a structured, machine-readable format.
- Right to object (Article 21): You may object to processing based on legitimate interest.
- Right to withdraw consent: Where processing is based on consent (email waitlist), you may withdraw consent at any time.
To exercise any of these rights, contact us at privacy@reflecto.dev. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.
9.3 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:
- Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete: You may request deletion of your personal information. You can exercise this immediately through the self-service unpair/delete function, or by contacting us.
- Right to opt-out of sale or sharing: We do not sell or share your personal information as defined by CCPA/CPRA. There is nothing to opt out of.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
We do not sell personal information. We do not share personal information for cross-context behavioural advertising. We do not use or disclose sensitive personal information for purposes other than those permitted by CCPA/CPRA.
To exercise your rights, contact us at privacy@reflecto.dev. We will verify your identity before processing any request.
9.4 Rights Under India's Digital Personal Data Protection Act (DPDPA), 2023
If you are located in India, you have rights under the Digital Personal Data Protection Act, 2023, including the right to access, correction, and erasure of your personal data. To exercise these rights, contact us at privacy@reflecto.dev.
10. Security
We take the following measures to protect your data:
- End-to-end encryption: All notification content is encrypted on your device using X25519 key exchange and XSalsa20-Poly1305 (NaCl secretbox) before being transmitted. Our server cannot decrypt this content.
- Private keys never leave your device: Your encryption private key is stored in Android Keystore (hardware-backed where available) on Android, and in chrome.storage.local on the Chrome extension.
- Minimal data collection: Our server stores only what is needed for routing (device IDs, public keys, FCM tokens) and transient encrypted blobs.
- Short retention windows: Encrypted message blobs are automatically deleted after 72 hours.
- Rate limiting: Pairing code attempts are rate-limited (5 attempts per code, with a 15-minute lockout) to prevent brute-force attacks.
- Transport security: All communication between your devices and our server uses HTTPS/TLS encryption in transit, in addition to the E2E encryption of message content.
While we employ strong security measures, no system is completely immune to all threats. We encourage you to keep your devices secure and to unpair devices you no longer use.
11. Children's Privacy
Reflecto is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child under 13 has provided us with personal data, please contact us at privacy@reflecto.dev, and we will take steps to delete such data promptly.
In the European Economic Area, where GDPR sets the age of digital consent at 16 in certain member states, we do not knowingly collect personal data from individuals under the applicable age of digital consent without parental authorization.
12. Cookies and Tracking Technologies
The Reflecto Android app and Chrome extension do not use cookies or web tracking technologies.
The Reflecto website at reflecto.dev uses a plain HTML form provided by Buttondown for email signups. This form submits data directly to Buttondown's API and does not set cookies on your browser or load third-party tracking scripts on our website. We do not use analytics cookies, advertising cookies, or any other tracking technologies on our website.
13. Do Not Track Signals
Reflecto does not track users across third-party websites and does not engage in behavioural tracking. We honour Do Not Track browser signals, though our service does not engage in the type of tracking that such signals are designed to prevent.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this document.
- Notify users through the Reflecto Android app or Chrome extension for changes that materially affect how we process your data.
- Notify waitlist subscribers via email if the change affects how we handle email data.
We encourage you to review this policy periodically. Your continued use of Reflecto after a material change constitutes acceptance of the updated policy. If you do not agree with any changes, you may unpair your devices and delete your data at any time.
15. Open-Source Encryption Library
The encryption module used by Reflecto (X25519 + NaCl wrappers) is published as an open-source library under the MIT licence. This allows anyone to audit and verify our end-to-end encryption implementation independently. The remainder of the Reflecto codebase (Android app, Chrome extension, and server) is proprietary.
16. Future Features (AI Notification Digest)
We plan to introduce an optional AI-powered notification digest feature in a future version of Reflecto. This feature, if and when launched, would involve sending notification content in plaintext to our server for processing by a third-party large language model (LLM) provider. This processing would occur in server memory only, with no disk storage or logging of plaintext content.
This feature will be strictly opt-in. It will not be enabled by default. Before launching this feature, we will update this Privacy Policy to provide full details about the data processing involved, the LLM provider used, and any additional safeguards. We will notify users and obtain appropriate consent before any plaintext notification data is processed server-side.
Until this feature is launched, no notification content is ever processed in plaintext on our server.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: privacy@reflecto.dev
Location: New Delhi, India
For GDPR-related inquiries, we aim to respond within 30 days. For CCPA/CPRA requests, we aim to respond within 45 days as required by law.
This Privacy Policy was last reviewed and updated on April 1, 2026.