Architecture of Trust

We believe privacy is an architectural decision, not a policy statement. Here is exactly how your data moves—and doesn't move.

1. Local-First & Encrypted

The core of Reflect is built on a "Local-First" architecture. This means your journal entries, weekly chronicles, and voice recordings live physically on your device (in specific secure storage known as IndexedDB).

When you open Reflect, you are reading from your own database, not ours. We do not have a "cloud" database where user journals are aggregated. If you lose your phone without a backup, your data is gone—because we never had it.

2. The AI Protocol: Stateless & Transient

To provide clarity and structure to your thoughts, we must send text to our AI processing providers. We have negotiated strict data policies for this interaction:

  • No Training: Your text is strictly excluded from any model training.
  • Stateless: The AI receives your text, processes it for structure/grammar, returns the result, and immediately discards the input.
  • Fragmented: We do not send your entire profile. We send only the specific snippet needed for that specific moment of reflection.

From the perspective of the server, your requests are anonymous streams of text without persistent identity.

3. No Identity Required

You can download and use Reflect fully without ever creating an account. There is no "Login Wall."

We do not require your email address, phone number, or social login. If you choose to provide an email in the future, it is reserved strictly for billing ownership (so you don't lose a subscription if you switch phones) and is never cross-referenced with your journal content.

4. Minimal Telemetry

We do not use invasive tracking pixels or session replay tools. We do not log your IP address.

To understand if the app is working, we maintain simple, anonymous counters. We know that "a user" opened the app, or "a user" transmuted a reflection. We do not know who.

Specifically, we track only these aggregate events: