Your Privacy

How Reflect protects what you share.

Reflect is operated by The Simple Warrior LLC, a Colorado limited liability company, under the registered trade name “Reflect.” This policy describes how we (“Reflect,” “we,” “us”) handle your data.

Your story is safe here

Your entries are private. Other users can never see your journal, prayers, or personal details. This is enforced at the database level — not just in the app code.

Your data is never sold or shared. We don't have advertisers, data brokers, or third-party analytics that can see what you write.

Your data is never used to train AI. The AI that writes your reflections operates under commercial terms that prohibit using your content for model training.

The AI doesn't remember you between sessions. Each reflection is generated fresh. The AI reads your context to write that day's reflection, then the data is not retained beyond a short processing window.

Technical details

Encryption at rest. All data is encrypted on our database infrastructure. Your most personal content — journal entries, prayers, reflection responses, and life details — is additionally encrypted with AES-256-GCM before storage. Even in a database breach, this content would be unreadable ciphertext.

Row-level security. Every database table enforces row-level security policies. Your browser session can only query rows that belong to you. This is a PostgreSQL-level guarantee, not application logic that could have bugs.

Audit logging. When our system accesses your encrypted data for reflection generation, that access is logged. There is no "browse all users" interface — accessing personal content requires an explicit action that creates an audit record.

AI data handling. Reflections are generated via Anthropic's Claude API under commercial terms. Your data is not used for model training. API inputs are automatically deleted after 7 days. We do not have a zero-data-retention agreement at this time — that requires an enterprise contract we plan to pursue before public launch.

Subprocessors

Reflect runs on a small, deliberate stack. Each subprocessor below handles a specific slice of your data under their own terms and security practices.

Supabase — database and authentication. Stores your account, profile, and the encrypted columns described above. supabase.com/privacy

Vercel — application hosting and serverless runtime. Handles the requests your browser makes to Reflect. vercel.com/legal/privacy-policy

Anthropic (Claude API)— AI model that generates your reflections. Receives the context needed for that day's reflection; does not retain it for model training. anthropic.com/legal/privacy

Stripe — payment processing for the $7/month subscription. Receives your name, email, payment method, and subscription status. Stripe holds card data; Reflect never stores full card numbers — we only see a Stripe customer ID and the subscription state. stripe.com/privacy

Cloudflare — DNS and network tunnel for the forgedagents.io domain. Sees request metadata (IP, user agent) but not your account content. cloudflare.com/privacypolicy

Subscription data

When you start a $7/month subscription, Stripe collects your name, email, and payment method. Reflect stores only the resulting Stripe customer ID, subscription status, and billing period dates — never your card number, CVC, or full payment details.

Retention. Subscription and billing records (the customer ID and status fields on your account) are kept while your account is active and for a reasonable window after cancellation so we can resolve disputes, honor refund requests, and meet tax-record obligations. Stripe retains payment records under their own policies. When you delete your account via the button below, we remove your subscription record from our database; Stripe's own records remain governed by their terms.

You can manage or cancel your subscription anytime at /billing.

What we store

•

Email address and account ID— To sign you in and deliver your daily reflection

•

Your name, tradition, and tone preference— To personalize your reflections

•

Season of life and family details— Encrypted — shapes your scripture and reflection content

•

Journal entries and gratitude notes— Encrypted — feeds the AI context about your week

•

Prayer requests and answered prayers— Encrypted — so reflections can reference what you're praying for

•

Your reflection responses— Encrypted — so tomorrow's reflection can build on today's

•

Accumulated insights about your journey— Encrypted — patterns the AI has noticed over time

•

Device token (mobile app only)— So push notifications reach your phone — used for delivery only

•

Notification delivery logs— Whether your reflection email or push sent successfully — no content, no behavioral tracking

•

Subscription status— Your Stripe customer ID and billing period — no card numbers (Stripe holds those)

•

Last updated: May 3, 2026