Privacy Policy

Effective date: June 17, 2026 · Last updated: June 17, 2026

1. Introduction and Scope

ReflexDB.cloud ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains what data we collect, how we use it, and your rights in relation to it when you use our website at reflexdb.cloud and our managed database service (together, the "Service").

This policy applies to all users of the Service, including visitors to our marketing site, registered account holders, and their team members. Please read it carefully. By using the Service, you acknowledge you have read and understood this policy.

2. Controller Identity and Contact

ReflexDB.cloud is the data controller for personal data processed in connection with the Service. If you have questions about this policy or wish to exercise your data rights, please contact our privacy team at:

ReflexDB.cloud — Privacy Team
legal@reflexdb.cloud

We will respond to all legitimate privacy requests within 30 days.

3. Data We Collect

3.1 Account and Registration Data

When you register for an account, we collect: your name, email address, company name (optional), and password (stored as a one-way hash — we never store plain-text passwords). We also record the timestamp and version of the Terms of Service you accepted.

3.2 Usage and Telemetry Data

We collect data about how you use the Service, including: API requests made to the control plane, dashboard page views, feature interactions, and events emitted by your ReflexDB instances (e.g., sync cycles, pause/resume events). This data is used to measure unit consumption for billing and to improve the Service.

3.3 Payment Data

Payments are processed by Stripe. We do not store your card number, CVV, or full payment details. We retain only Stripe customer and subscription IDs, your billing email, and invoices for accounting purposes. Your payment data is governed by Stripe's Privacy Policy.

3.4 Source Database Metadata

To configure synchronisation, you provide connection credentials for your source database. We store these credentials encrypted at rest and in transit. During a sync cycle, we read schema information (table names, column definitions, row counts) to optimise the sync process. We do not read, store, or replicate the actual row-level data from your source database — only its structure and the resulting ReflexDB snapshot, which you control.

3.5 Log and Diagnostic Data

We collect server-side logs from the control plane API, application services, and infrastructure components. Logs may contain IP addresses, request timestamps, HTTP status codes, and error messages. Logs are retained for 30 days and are used for debugging and security monitoring only.

4. How We Use Your Data

We use your data to:

  • Create and manage your account and authenticate your identity.
  • Provision, operate, and monitor your ReflexDB instances.
  • Calculate compute unit consumption and generate invoices.
  • Send transactional emails (account events, billing receipts, SLA alerts, usage warnings).
  • Respond to support requests and investigate issues.
  • Detect and prevent fraud, abuse, and security incidents.
  • Improve and develop the Service using aggregated, anonymised usage analytics.
  • Comply with legal obligations.

We do not use your data for advertising or sell it to third parties.

5. Legal Basis for Processing (GDPR)

Where the GDPR applies, we process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): processing necessary to provide the Service you have signed up for, including billing, provisioning, and support.
  • Legitimate interests (Art. 6(1)(f)): security monitoring, fraud prevention, product analytics, and service improvements — balanced against your rights.
  • Legal obligation (Art. 6(1)(c)): retaining invoices and financial records as required by Irish and EU law.
  • Consent (Art. 6(1)(a)): where we send optional marketing communications — you can withdraw consent at any time.

6. Data Retention

We retain your personal data for as long as your account is active and for a reasonable period thereafter to comply with legal obligations. Specifically:

  • Account data: retained while your account is active, then deleted within 30 days of account closure (subject to legal hold obligations).
  • Invoices and billing records: retained for 7 years as required under Irish and EU tax law.
  • Usage and telemetry events: retained for 90 days, then aggregated and anonymised.
  • Server logs: retained for 30 days.
  • Encrypted source DB credentials: deleted immediately upon deletion of the associated database configuration.

Upon account closure, we will deprovision all running instances, delete all database records, and purge associated credentials within 30 days, in compliance with GDPR Article 17 (right to erasure).

7. Data Sharing and Third Parties

We share personal data with the following third-party service providers, each engaged under appropriate data processing agreements:

  • Amazon Web Services (AWS): infrastructure hosting in the EU (Ireland) and US (Virginia). AWS processes data on our behalf under the AWS Data Processing Addendum.
  • Stripe: payment processing and invoicing. Stripe processes payment data as an independent controller under their own privacy policy.

We do not share your data with any other third parties unless required to do so by law (e.g., in response to a valid court order or regulatory request). We will notify you of any such disclosure to the extent permitted by law.

8. International Data Transfers

Your data is stored and processed in the region you select when creating an instance. Our default region is the EU (Ireland). We also offer a US region (Virginia) on all plans. Account data and billing records are always processed in the EU.

Where data is processed outside the EEA — including when you choose the US region, or via third-party processors such as Stripe — we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission.

9. Your Rights (GDPR / CCPA)

Depending on your jurisdiction, you may have the following rights in relation to your personal data:

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure: request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
  • Right to restriction: request that we restrict processing of your data in certain circumstances.
  • Right to data portability: receive your data in a structured, commonly used, machine-readable format.
  • Right to object: object to processing based on legitimate interests.
  • Right to withdraw consent: withdraw consent at any time where processing is based on consent.
  • Right not to be subject to automated decisions: we do not make solely automated decisions that significantly affect you.

To exercise any of these rights, contact us at legal@reflexdb.cloud. We may need to verify your identity before acting on your request. You also have the right to lodge a complaint with your local data protection authority (in Ireland: the Data Protection Commission at dataprotection.ie).

10. Cookies and Tracking

Our marketing site (reflexdb.cloud) currently uses no analytics or tracking cookies. If we add any analytics or advertising tools in the future, we will update this policy and present a GDPR/ePrivacy-compliant consent banner before setting any non-essential cookies.

The application dashboard (app.reflexdb.cloud) uses a session cookie strictly necessary for authentication. This cookie is exempt from consent requirements under the ePrivacy Directive.

11. Security Measures

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. These include:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
  • Encrypted storage of all database credentials in a dedicated secrets manager.
  • Network isolation with private subnets for all compute resources.
  • Access controls limiting employee access to customer data on a need-to-know basis.
  • Regular security reviews and dependency updates.

No method of transmission over the internet is 100% secure. If you become aware of any security vulnerability in our Service, please report it responsibly to security@reflexdb.cloud.

12. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at legal@reflexdb.cloud and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the Service, applicable law, or our data practices. We will notify you of material changes via email or a prominent in-app notice at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when it was most recently revised.

We encourage you to review this policy periodically. Continued use of the Service following notification of changes constitutes your acceptance of the updated policy.

14. Contact and Data Subject Requests

For all privacy-related inquiries, data subject access requests, or complaints, contact our privacy team:

ReflexDB.cloud — Privacy Team
legal@reflexdb.cloud
Sky Business Centres, Port Tunnel Business Park, Clonshaugh, Dublin 17, D17 FY82, Ireland

For security-related disclosures, please use security@reflexdb.cloud.

© 2026 ReflexDB.cloud. All rights reserved.